Eicon Networks S92 Uživatelský manuál stáhnout pdf (Strana 14)

YuChakTinMichael‘sGIACGCFWProjectAssignment

Page 14

simplicityasthekeytosuccessfulfirewallimplementation

1

.

Inordertomakesimplerulebasepossible,wemustdividethedefenseworkinto

piecesandhavethesepiecesdistributedamongmultiplefirewalls.Witheachfirewall

enforcingasmallersubsetoftheoverallpolicies,thefollowingbenefitscanbe

achieved:

n Reducethecomplexityofeachrulebase.

n Reducethechanceofmisconfigurationandruleconflictsineachrulebase.

n Reducetherulebaseprocessingoverheadoneachfirewall.

n Eliminatesinglepointoffailure.

n Easytroubleshooting.

n Scalability.

Theabovebenefitscannotbeobtainedwithoutpayingaprice.Thetradeoffsare:

n Additionalhardwarehavetobepurchased.

n Additionalmaintenanceworksareexpected.

n Itcanbearguedthatthemorehardwareinvolved,thehighertheprobabilityof

hardwarefailureleadingtonetworkdowntime.

n Somesecurityadministratorsfearthattheword“simplicity”meansinferior

technicalskills.

Therearealwaystradeoffs.Idecidedtogoforadesignwhichadvocates

Simplicity.Inmydesign,Itriedtohaveasfewrulesaspossiblebeingenforcedat

eachfirewall.

IPInfrastructure

Oncethetechnicalrequirementshavebeen defined,theGIACnetworkissegmented

intomultiplesubnetsforprotectionunderdifferentfirewallsatdifferentlayers.

1

http://www.enteract.com/~lspitz/rules.html

1 2 ... 9 10 11 12 13 14 15 16 17 18 19 ... 208 209

Žádné komentáře

Eicon Networks S92 Uživatelský manuál Strana 14