Is It Time to Go on a Firewall Shopping Spree?

By martinbrown2k-Ambassador posted 01-09-2014 02:45


This is a guest blog post. Views expressed in this post are original thoughts posted by Martin Brown, Network Engineer from Morrisons PLC. These views are his own and in no way do they represent the views of the company he works for. 


Protecting yourself and your organisation from big old scary monsters has become even more of a priority in recent years.  Now, I’m not talking about those monsters that hide in bedroom closets (which do exist by the way, children), I’m referring to the monsters out there on the Internet who want to hurt you and your organisation financially and cause untold damage to your reputation.


The Internet Edge


To protect yourself and your employer, the first step is to place a firewall on your Internet edge.  Sounds easy right?  Well, this is where it gets tricky.  The Internet connection in most organisations has become business critical.  Businesses need to receive external e-mail and perform e-commerce and so on.  What you need is some form of resiliency; therefore, you need not only one firewall, but, in reality, a redundant pair.


Let’s say that we have decided to purchase two brand new “ACME FW1” firewalls, and connect them inline between the Internet and corporate LAN.  A week later, ACME announces that there is a caveat in the firewall software and if someone sends a malformed packet to your firewall, they can gain access to your LAN.  Unfortunately, at the time, you were busy with a data centre implementation plus you thought it was SPAM. 


Your organisation is now at risk.


Dual Skinning


To counter instances of the above, many organisations choose to install another firewall from a totally different manufacturerRetail Therapy.jpg
and place this between the Internet-facing firewall and the corporate LAN.  This is what is known as “dual skinning.” 


In this diagram, we can see an example of this. The ACME FW1s are placed facing the Internet edge and a pair of Juniper SRX 550s are placed in between the LAN and ACME firewalls.  This also gives us an opportunity to use the LAN between the firewalls as a DMZ, in which we can place Web servers or even a VPN appliance if we so wished.


After a very quick count, we can see we now have four firewalls protecting our organisation.  Does this now mean that our corporate network infrastructure is safe and that our shopping is done?  Probably not. 


The High-end Data Centre


If you recall from a few paragraphs ago, you missed an e-mail from ACME because you were busy implementing a new data centre.  The data centre will contain sensitive information about your organisation and there is nothing to say that a disgruntled employee won’t try to access this information and sell it to a competitor. Therefore, we need to place some high-end data centre firewalls, such as the SRX 3600, between the data centre and LAN.  These firewalls
lbox-srx3600-right.jpgdiffer somewhat from the Internet-edge firewalls as their throughput would be measured in 10s of Gb/s as opposed to a few Gb/s for the Internet connection.


Our total firewall count is now to six—but we’re still not there yet. 


Can’t Forget the Branch Offices


Many organisations have branches located in key cities around the world and ours is no exception.  For the sake of argument, let’s say we have an HQ in London with a branch in New York and another in Paris.  The sites are connected via an MPLS VPN, which is managed by a service provider. 


In theory, there should be no chance of intrusion coming in from the MPLS VPN.  In practise, however, where there is a human element, mistakes can be made and an error in configuration can put your organisation at risk. Therefore, we need a pair of firewalls at each MPLS VPN ingress router.  Our total is now 12.


Right about now, the sales manager from your reseller will be rubbing his hands with glee at the prospect of you purchasing new (and in the case of the SRX3600, not inexpensive) devices from them.  Don’t raise the CAPEX just yet, however, as we’ve still not quite finished writing our shopping list.


Bridging Networks via the Cloud


At some point, as your business grows, your company may consider the possibility of working more closely with certain key third-party suppliers.  In some cases, this may simply be allowing partners to connect via VPN into your site, which means they can use the VPN appliance in the DMZ.  There is, however, a possibility that for some suppliers a VPN connection may not be enough and, as such, someone takes the decision to bridge the two networks via a service provider MPLS cloud. 


Obviously, it’s great having greater collaboration, but how good is your supplier’s security?  Maybe they’ve not read this blog.  In this case, it’s probably a good idea to add two additional firewall clusters between the MPLS circuit and your LAN giving us an additional four.


More Traffic


Now, let us imagine a scenario where the company is doing very well and your website is being visited by lots of potential customers.  Obviously, it’s great for business, but the Internet edge may become congested and you may have delays in sending e-mails or, worse, your colleagues won’t be able to view cute videos of cats. 


Thankfully, a member of the management team has already considered this possibility and proposed a solution whereby the Internet edge is separated into two circuits: one for e-commerce and the second for e-mail and Web browsing. 


What this means to us is we now have an additional Internet connection that needs securing.  As with the first connection, we need two Internet-facing firewalls in a cluster and another two internal firewalls giving us a subtotal of 20.


Are We There Yet?


Finally, as we are all aware, it’s a great idea to use personal firewalls on all workstations and you could even upgrade these to host-based IPS if you so wished, thus protecting the workstations themselves. 


What about the access layer you connect these workstations to?  You could use dot1x to prevent unauthorised access. However, that aforementioned disgruntled employee may still be lurking somewhere, and seeing as our shopping list is already quite long, adding another two SRX3600s and placing these between the aggregation layer and the core won’t really add much to the overall cost.  This gives us a grand total of 22 firewalls.


By now you should be ready to start raising purchase orders for some shiny new security devices and, in the process, making a sales manager somewhere very happy.


And still, I think we should pause for a moment to consider the following: What if a virus or Trojan does somehow manage to breach your network perimeter or a machine becomes part of a botnet?  Many companies decide to purchase Intrusion Detection Prevention devices, or IDPs, to supplement the protection firewalls provide and negate the threat posed by virus and malware.  Where should these devices be placed and how many should you order?  If you’re interested in probing further, please stay tuned, as I’ll be discussing this in my next blog.