Partner site firewalls - second line of defence required?

Feb 11th, 2009
Good afternoon (or morning depending where in the world you are).

Can anyone help me with the following?

We have a requirement to implement connectivity to a number of partner sites from a number of our satellite sites. Traffic will be varied but will include data and voice. We will be implementing a router/firewall at each partner site for connectivity and security which will be controlled by us. My concern is in the unlikely event that the security at a partner site is compromised our network would be open.

Would anyone in the same situation also implement a firewall at each of the satellite sites as a second layer of defence, implement a simple ACL or view the security implemented at the partner sites as appropriate? It's an open question but I'd be interested to hear others' opinions.

eddie.mitchell@... Wed, 02/11/2009 - 06:38

I would definitely not recommend simply relying on router ACLs for perimeter protection. In the most simplistic network architecture, I would have the router terminating the WAN connection from the ISP and a dedicated firewall appliance such as an ASA providing the security.

Hope this helps.

ddavenport-dcc Wed, 02/11/2009 - 07:03

Thanks for your response. This is not connected in any way to a public network. It is facilitated through direct connections between sites on a hub and spoke basis. There will be an ASA or IOS firewall located at each partner site protecting our core network. The issue is that if this perimeter is compromised, as at partner sites our equipment will be potentially accessible by a third party (a trusted third party admittedly), then without a second line of defence we may be vulnerable. The question is, as we already have a first line of defence in the firewall at the partner site (which will be managed by us but is out of our physical control), should a second line of defence be another firewall or would an ACL do? I guess the other way to do it would be to implement a router at partner sites with an ACL as a first line and implement an ASA at each of our satellite sites as a second line of defence.
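For readers weighing the "would an ACL do" option, here is what a satellite-site second line built from a plain IOS extended ACL looks like. This is an added illustration, not configuration posted in the thread; the partner subnet, our satellite and voice subnets, the server addresses and the interface name are all assumed placeholders.

```cisco
! Constructed example: inbound filter on the satellite-site router, applied on the
! interface facing the hub/partner link. Assumed addressing (placeholders):
!   partner LAN          10.50.0.0/24
!   our satellite data   192.168.10.0/24   (app server 192.168.10.20)
!   our voice subnet     192.168.20.0/24   (call server 192.168.20.5)
ip access-list extended PARTNER-IN
 remark Anti-spoofing: traffic arriving over the partner link may not claim our own addresses
 deny   ip 192.168.10.0 0.0.0.255 any log
 deny   ip 192.168.20.0 0.0.0.255 any log
 remark Voice: SIP signalling to the call server and RTP media to the voice subnet only
 permit tcp 10.50.0.0 0.0.0.255 host 192.168.20.5 eq 5060
 permit udp 10.50.0.0 0.0.0.255 host 192.168.20.5 eq 5060
 permit udp 10.50.0.0 0.0.0.255 192.168.20.0 0.0.0.255 range 16384 32767
 remark Data: only the published application, only over HTTPS
 permit tcp 10.50.0.0 0.0.0.255 host 192.168.10.20 eq 443
 remark Return traffic for TCP sessions our side initiated (flag check only, not stateful)
 permit tcp 10.50.0.0 0.0.0.255 192.168.10.0 0.0.0.255 established
 remark ICMP needed for path troubleshooting, nothing else
 permit icmp 10.50.0.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply
 permit icmp 10.50.0.0 0.0.0.255 192.168.10.0 0.0.0.255 unreachable
 remark Explicit logged deny: hits here are the signal that the partner-side perimeter failed
 deny   ip any any log
!
interface Serial0/0
 description Hub-and-spoke link towards partner site
 ip access-group PARTNER-IN in
```

Note that `established` only matches ACK/RST flags and is not connection tracking, so this catches address spoofing and unexpected ports but not abuse inside a permitted flow; an ASA or IOS zone-based firewall at the satellite site is the stateful alternative, and the logged denies are worth forwarding to syslog either way.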

eddie.mitchell@... Wed, 02/11/2009 - 07:12

I would also consider having IDS protection at each partner site observing the inbound traffic from each of the satellite sites.

ddavenport-dcc Wed, 02/11/2009 - 23:45

Thanks for the information, eddie. I agree, and IPS will be part of the solution.
