Re: [fw-wiz] (no subject)

From: broyds@rogers.com
Date: 11/06/02


From: <broyds@rogers.com>
To: <LazloCarreidas@netscape.net>, <firewall-wizards@honor.icsalabs.com>
Date: Wed Nov  6 11:58:18 2002

Two firewalls can be more secure, but not if they are really of the same type such as Checkpoint (although FW-1/NG has more proxy capabilities) and Pix, which are stateful inspection.
I would have the outer facing one be a stateful firewall like Pix (or FW-1) for its speed and robustness under load and the inner one be an application gateway like Gauntlet, Symantec, even Microsoft ISA.
Your DMZ would be connected to the segment in between so its traffic would be firewalled but without the latency that an ALG creates. If your internal network has many MS Windows desktops, this would help enforce policy at L7 for desktop users.

>
> From: LazloCarreidas@netscape.net
> Date: 2002/11/06 Wed AM 07:02:09 EST
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] (no subject)
>
> Hi.
>
> My company is considering installing two firewalls in series, i.e. to have
> two layers of defense. We would use CheckPoint NG and Cisco PIX (we do not
> use OpenSource, etc...)
>
> Here are some key design points:
> * NG would be the first defense line, i.e. connected to the Internet.
> It will allow the use of CheckPoint VPN for external users, plus firewalling
> * PIX would be the second one.
> It will do the NATting, plus firewalling
> * We need DMZ capabilities
> To do that, we are considering several possibilities:
> - connect the DMZ to the NG only;
> - connect the DMZ to the PIX only;
> - have a "shared" DMZ, i.e. one based on two subnets (each
> connected to a firewall), and where some machines have dual
> interfaces (no routing between them, of course) when needed;
> - have two DMZes, each connected to a firewall.
>
> I would like to have your comments on these proposals.
>
> For example, we are wondering if having two layers of firewalls is really
> more secure, even if less manageable.
> We are also interested in knowing your experiences, the hidden culprits, the
> obvious flaws, etc...
>
> Thanks a lot to you...
>
> Lazló
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
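
An added example, not code from either poster: a small Python model of the topology broyds describes (stateful filter outside, ALG inside, DMZ on the segment between) that reports which device vets each flow. The zone names, rule sets and the `app` label the ALG is assumed to have identified are all hypothetical.

```python
"""Model of a two-tier design: stateful packet filter outside, application
gateway (ALG) inside, DMZ on the segment between them. Hypothetical values."""
from dataclasses import dataclass

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

# Devices a flow crosses between two zones (constructed to match the topology:
# DMZ traffic touches only the outer filter, internal traffic touches both).
PATHS = {
    (INTERNET, DMZ): ["outer"], (DMZ, INTERNET): ["outer"],
    (INTERNET, INTERNAL): ["outer", "inner"], (INTERNAL, INTERNET): ["outer", "inner"],
    (DMZ, INTERNAL): ["inner"], (INTERNAL, DMZ): ["inner"],
}

@dataclass(frozen=True)
class Flow:
    src: str    # source zone
    dst: str    # destination zone
    port: int   # destination TCP port
    app: str    # application protocol as identified by the ALG (hypothetical)

# Outer stateful filter: decides on zone pair and port only; it cannot see L7.
OUTER_RULES = {
    (INTERNET, DMZ): {80, 443}, (INTERNET, INTERNAL): {443},
    (DMZ, INTERNET): {80, 443}, (INTERNAL, INTERNET): {80, 443},
}

def outer_allows(f: Flow) -> bool:
    return f.port in OUTER_RULES.get((f.src, f.dst), set())

# Inner ALG: proxies known application protocols and refuses what it cannot parse,
# so a non-HTTP protocol tunnelled over port 443 is stopped even though the port is open.
INNER_PROXIES = {"http", "https", "smtp"}

def inner_allows(f: Flow) -> bool:
    return f.app in INNER_PROXIES

CHECKS = {"outer": outer_allows, "inner": inner_allows}

def decide(f: Flow) -> tuple:
    """Return (allowed, verdict): a flow passes only if every device on its path allows it."""
    path = PATHS[(f.src, f.dst)]
    for device in path:
        if not CHECKS[device](f):
            return False, f"denied by {device}"
    return True, "allowed via " + "+".join(path)

if __name__ == "__main__":
    for flow in (Flow(INTERNET, DMZ, 80, "http"), Flow(INTERNET, DMZ, 22, "ssh"),
                 Flow(INTERNAL, INTERNET, 443, "p2p-over-443"), Flow(INTERNET, INTERNAL, 443, "https")):
        print(flow, decide(flow))
```

The DMZ web flow is vetted by the outer filter alone (no ALG latency), while the desktop flow on an open port is still refused by the ALG because its payload is not a proxied protocol.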


