Three firewalls

Posted Oct 27, 2011 10:21 UTC (Thu) by man_ls (subscriber, #15091)
Parent article: LCE2011: Kernel developer panel

So, Linus is not even behind seven proxies? What poor security!

Memes aside, I have to ask professionally: why is three firewalls better than one? Or, should I worry that I only have one firewall?


Three firewalls

Posted Oct 27, 2011 12:23 UTC (Thu) by erwbgy (subscriber, #4104) [Link]

Where I work there is a policy that the external Internet-facing firewalls be from a different vendor than the internal firewalls. That way if an exploit is found in the external firewall then hopefully the same exploit can't be used on the internal ones.

It is hard to tell whether this is actually worthwhile or an unnecessary expense.

Three firewalls

Posted Oct 27, 2011 12:59 UTC (Thu) by Stephen_Beynon (✭ supporter ✭, #4090) [Link]

I don't know about the setup Linus uses, but I have multiple firewalls protecting different classes of device.

I have a firewall in my ADSL gateway protecting my "insecure" network. The insecure network has wifi/games consoles/set top box network/guest access.

I have a firewall between this insecure network and a wired only network with the machines I care about.

Most of my machines have a software firewall as standard making for a third level of firewall.
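
Added example, not part of the original comments: a small Python model of the layered layout described in the comment above (gateway firewall, inner firewall, host firewall), showing that an inbound flow reaches a host only if every firewall on its path accepts it. Zone names, ports and rules are constructed assumptions, and source zones are assumed to be preserved (no NAT).

```python
from dataclasses import dataclass

# Zones from outermost to innermost (constructed names for the layout above).
ZONES = ["internet", "insecure", "trusted", "host"]

@dataclass(frozen=True)
class Rule:
    src: str      # source zone, or "*" for any
    dport: int    # destination port
    accept: bool

@dataclass(frozen=True)
class Firewall:
    name: str
    inner: str            # zone directly behind this firewall
    rules: tuple = ()     # inbound rules, first match wins

    def allows(self, src, dport):
        for r in self.rules:
            if r.src in ("*", src) and r.dport == dport:
                return r.accept
        return False      # default deny

def blockers(chain, src, dst, dport):
    """Names of the firewalls that drop an inbound flow from src to dst."""
    s, d = ZONES.index(src), ZONES.index(dst)
    if s >= d:
        raise ValueError("only inbound flows are modelled")
    # A firewall is on the path if its inner zone lies between src and dst.
    crossed = [fw for fw in chain if s < ZONES.index(fw.inner) <= d]
    return [fw.name for fw in crossed if not fw.allows(src, dport)]

# Constructed policy: the gateway has a stray SSH forward (the mistake),
# while the inner firewall and the host firewall enforce their own rules.
CHAIN = [
    Firewall("gateway", "insecure", (Rule("*", 22, True),)),
    Firewall("internal", "trusted", (Rule("insecure", 443, True),)),
    Firewall("host", "host", (Rule("trusted", 22, True), Rule("*", 443, True))),
]

if __name__ == "__main__":
    for src in ("internet", "insecure", "trusted"):
        for port in (22, 443):
            hit = blockers(CHAIN, src, "host", port)
            print(f"{src:>8} -> host:{port:<3}", "ALLOW" if not hit else f"DROP at {hit}")
```

Passing only `CHAIN[:1]` models a single-firewall network, where the same stray gateway rule leaves nothing else to drop the flow.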

Three firewalls

Posted Oct 28, 2011 10:50 UTC (Fri) by josh (subscriber, #17465) [Link]

"wired only network with the machines I care about" doesn't work so well when laptops constitute more than half the machines you care about. :)

Three firewalls

Posted Oct 28, 2011 16:04 UTC (Fri) by jmalcolm (guest, #8876) [Link]

Well, he did say that the WIFI stuff was all on the outer network. "Wired" machines can be reached without trouble once you have breached the network as normal networking is not encrypted or secured. So, you need to protect the network (and the hosts) with things like firewalls.

You cannot put a firewall around wireless which is why wireless networking requires encryption and authentication. It is also why you do not let your wireless network inside the firewall of wired machines "you care about".

Three firewalls

Posted Oct 31, 2011 7:48 UTC (Mon) by ekj (guest, #1524) [Link]

You can have an encrypted, wireless network, and tunnel all your traffic to/from laptops you care about through a VPN to the more secure cabled internal network.

Yeah, it gets complicated.

Three firewalls

Posted Oct 28, 2011 15:53 UTC (Fri) by jmalcolm (guest, #8876) [Link]

Three firewalls is a pretty common configuration really.

You use two firewalls to create a DMZ which is of course a pretty typical setup.

http://en.wikipedia.org/wiki/DMZ_%28computing%29

Add a personal firewall on your own machine (again, a standard security recommendation) and presto--you have three firewalls.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds