Firewall sandwiches deserve reconsideration given recent revelations about firewall backdoors, the ever-present factor of human error, and the plain fact that different firewall IPS products draw on different threat intelligence feeds.
In light of the recent revelations about backdoors and weakened VPN encryption, it is time to revisit approaches from the days before we relied so heavily on a single solution.
In the earlier days of firewalls there was a stronger implied assumption that firewalls would have weaknesses or manufacturer-specific exploits. With that in mind, more secure environments tended to use different brands of firewalls and layer them (hence the sandwich) around key areas. At the time this was used most often for external/internal or external/DMZ combinations, but the technique applies even more today.
There are tradeoffs of course:
- Increased complexity
- Increased costs (more than one firewall)
- Two firewalls cannot strengthen poor policy decisions
There are some cyber security benefits:
- Better protection against zero-day attacks by having two different solutions: if one is offering protection and the other isn't, then in most cases you're still protected.
- Better protection against manufacturer-specific backdoors and vulnerabilities (e.g. Juniper).
- Defense-in-depth augmentation (at least as it pertains to firewalls and potentially IDS/IDP).
- Two reviews of policies may uncover gaping holes simply because of the second review and/or the benefit of different implementation teams.
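To make the two benefits above concrete (a flow only gets through if every inline layer allows it, and a second ruleset written by a different team surfaces disagreements that merit a policy review), here is an added Python model that is not part of the original article. The rulesets, the addresses (RFC 5737 documentation ranges) and the sample flows are constructed for illustration, and the `Rule`/`Flow` structures are a simplification rather than any vendor's configuration syntax.

```python
"""Model of a firewall sandwich: two independently written rulesets
(different vendors, different teams) stacked in series.

Added illustration; the rules and addresses below are constructed
and do not represent any real product's configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def first_match(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit default deny, the way
    most firewall policies are processed."""
    for r in rules:
        if (ip_address(flow.src) in ip_network(r.src)
                and ip_address(flow.dst) in ip_network(r.dst)
                and r.proto in ("any", flow.proto)
                and r.dport in (None, flow.dport)):
            return r.action
    return "deny"


def sandwich_verdict(layers: List[List[Rule]], flow: Flow) -> Tuple[str, List[str]]:
    """A flow crosses the sandwich only if every inline layer allows it.
    Returns the combined verdict plus each layer's individual verdict."""
    verdicts = [first_match(layer, flow) for layer in layers]
    combined = "allow" if all(v == "allow" for v in verdicts) else "deny"
    return combined, verdicts


def review_disagreements(layers: List[List[Rule]], flows: List[Flow]) -> List[Flow]:
    """Flows on which the layers disagree: one team allowed something the
    other denied. These are the 'gaping hole' candidates a second review
    should look at, regardless of which layer happens to be right."""
    return [f for f in flows if len({first_match(l, f) for l in layers}) > 1]


# Constructed outer ruleset (vendor A, written by team 1).
OUTER_RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.0/24", "tcp", 443),
    Rule("allow", "0.0.0.0/0", "203.0.113.0/24", "tcp", 80),
    # Team 1 opened SSH from a partner range to a DMZ host.
    Rule("allow", "198.51.100.0/24", "203.0.113.10/32", "tcp", 22),
]

# Constructed inner ruleset (vendor B, written by team 2).
INNER_RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.0/24", "tcp", 443),
    Rule("allow", "0.0.0.0/0", "203.0.113.0/24", "tcp", 80),
    # Team 2 only permits SSH management from the internal network.
    Rule("allow", "10.0.0.0/8", "203.0.113.0/24", "tcp", 22),
]

LAYERS = [OUTER_RULES, INNER_RULES]

# Constructed sample flows, as if lifted from a connection log.
SAMPLE_FLOWS = [
    Flow("192.0.2.7", "203.0.113.10", "tcp", 443),   # public web: both allow
    Flow("198.51.100.5", "203.0.113.10", "tcp", 22),  # partner SSH: layers disagree
    Flow("192.0.2.9", "203.0.113.10", "tcp", 3389),   # RDP from internet: both deny
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        combined, per_layer = sandwich_verdict(LAYERS, f)
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {combined} (layers: {per_layer})")
    print("Flows to review:", review_disagreements(LAYERS, SAMPLE_FLOWS))
```

The model evaluates any number of inline layers, so a third inline device simply becomes another list in `LAYERS`. A device on a mirror port would not belong in `LAYERS`, since it only observes; its verdicts would feed detection rather than the combined allow/deny.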
When building a firewall sandwich, go even further by considering:
- While one layer is visible via layer 3 interfaces, not all of them need to be.
- Consider deploying one layer in virtual wire/transparent/bridged mode to further hide the device while still doing active blocking.
- Consider adding a third layer/brand on a span/mirror/sniffer port as an IDS implementation to gather a third review, in this case for detection.
- Consider a NAC solution that can also view traffic and alert on lateral movement.
- Consider active bypass solutions to mitigate the risk of downtime with inline solutions.