We recently had a situation in which one of our servers was accessed by someone from another building/floor who had no need to get into the system. Part of the problem was that someone left their username/password out in plain sight; that problem has been fixed. Management is concerned that our more sensitive servers may not be as protected as they should be. We already have one firewall protecting our Internet connection. Should we look at an additional firewall to protect the servers that management is concerned about?

– Via the Internet

A little more protection is always a good thing. There are two ways you can approach this. Depending on what type of core switch/router you are using, you can restrict access to certain systems with Access Control Lists (ACLs) on the switch/router. While this is doable, you should also limit the port numbers on which the designated systems can be reached; this, too, can be done with ACLs. Keep this configuration backed up in a safe place: if you ever have to replace the switch/router, you will need to restore it to keep the same level of protection.

Another option is an interior firewall. Using more than one firewall is becoming commonplace on networks today, as controlling access to designated systems becomes more important. While Linux-/Unix-based systems come with their own firewall functionality built in, why maintain a firewall setup on each system when you can centralize the management? One argument I frequently hear is whether to use the same brand of firewall for your second, interior firewall or a different brand. There is some validity to this question. Look at it from this perspective: would you rather learn two different interfaces to manage two firewalls, or use just one interface to manage both?
One reason for using different brands of firewalls is that if one gets compromised, the hacker/intruder has to pretty much start all over again to get past the second. Look at the vulnerabilities reported by the vendor and the security community for the firewall you're currently using, and compare them against the other firewalls you are considering: see which has had the most problems and how quickly they were resolved.

One way to see what it is like to manage a dual-firewall setup is to ask your current vendor to loan you a unit to test the configuration; most should, as it is a reasonable request. Another option is one of the bootable Linux firewall distributions that run from CD and store their configuration on a floppy. You should be able to put something like this together with hardware you already have on hand.

One thing to think about: when you move an IP address from a server to the firewall (which then answers for that address and forwards the traffic to the server behind it), remember to clear the ARP cache on your core router/switch at a minimum. This will make the move go faster and shorten the time that users cannot reach the servers once they have been moved.
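As an added example (not from the column or any vendor), here is a shell function that emits an nftables ruleset for a Linux box acting as a routed interior firewall in front of a sensitive-server segment. It combines the two ideas above, restricting which systems can be reached and on which ports: only the admin subnet reaches management ports, everyone inside reaches the published service ports, and everything else aimed at the servers is logged and dropped. The subnets, ports and set names are assumed placeholders.

```shell
#!/bin/sh
# gen_ruleset ADMIN_NET SERVER_NET
# Prints an nftables ruleset for an interior firewall that forwards traffic
# between the user segments and the sensitive-server segment. Subnets, port
# lists and names are placeholders chosen for this example, not real values.
gen_ruleset() {
    admin_net="$1"    # workstation subnet allowed to reach management ports
    server_net="$2"   # segment holding the sensitive servers
    cat <<EOF
flush ruleset
table inet interior {
    # Ports only administrators may reach (SSH, RDP)
    set mgmt_ports { type inet_service; elements = { 22, 3389 } }
    # Ports the servers publish to every internal user (HTTP, HTTPS)
    set service_ports { type inet_service; elements = { 80, 443 } }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections already allowed through
        ct state established,related accept
        ct state invalid drop
        # Management protocols only from the admin subnet
        ip saddr $admin_net ip daddr $server_net tcp dport @mgmt_ports accept
        # Published services reachable from anywhere inside
        ip daddr $server_net tcp dport @service_ports accept
        # Everything else destined for the servers: rate-limited log, then drop
        ip daddr $server_net limit rate 5/second log prefix "interior-fw drop: "
        ip daddr $server_net drop
    }
}
EOF
}
```

Write the output to a file and syntax-check it with `nft -c -f <file>` before loading it with `nft -f <file>`; keep a copy of the file off the box, as the column advises for the ACL configuration.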