[c-nsp] Campus Network - Deployment mode of Perimeter Firewalls

Gert Doering gert at greenie.muc.de
Tue Aug 11 03:17:34 EDT 2020


On Mon, Aug 10, 2020 at 11:33:06PM -0400, Yham wrote:
> Thanks for your comments. I kinda agree with you on avoid using transparent
> mode however not clear why you wouldn't want your north-south traffic pass
> through perimeter security devices (FWs). how would you protect your
> network from outside if you don't have firewalls in the traffic path? I
> have seen some enterprises use by-pass switches to go around the firewalls
> in case of an unexpected failure from where firewalls can't recover.

What is the point of a firewall in front of a web server?

The web server should not have any services running besides "web", and
these have to be available from the outside.

Adding a firewall means "you put a device in front of it that can handle
less load and costs more" - but where's the security gain?


"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20200811/ec5b74de/attachment.sig>

More information about the cisco-nsp mailing list