Re: [fw-wiz] (no subject)

From: broyds@rogers.com
Date: 11/06/02 

From: <broyds@rogers.com>
To: <LazloCarreidas@netscape.net>, <firewall-wizards@honor.icsalabs.com>
Date: Wed Nov  6 11:58:18 2002

Two firewalls can be more secure, but not if they are really of the same type such as Checkpoint (although FW-1/NG has more proxy capabilities) and Pix , which are stateful inspection.
   I would have the outer facing one be a stateful firewall like Pix (or FW-1) for its speed and robustness under load and the inner one by an application gateway like Gauntlet, Symantec, even Microsoft ISA.
  Your DMZ would be connected to the segment in between so its traffic would be firewalled but without the latency that an ALG creates. If your internal network has many MS Windows desktops, this would help enforce policy at L7 for desktop users.

>
> From: LazloCarreidas@netscape.net
> Date: 2002/11/06 Wed AM 07:02:09 EST
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] (no subject)
>
> Hi.
>
> My company is considering installing two firewalls in serie, i.e. to have
> two layers of defense. We would use CheckPoint NG and Cisco PIX (we do not
> use OpenSource, etc...)
>
> Here are some key design points:
> * NG would be the first defense line, i.e. connected to the Internet.
> It will allow to use CheckPoint VPN for external users, plus
> firewalling
> * PIX would be the second one.
> It will do the NATting, plus firewalling
> * We need DMZ capabilities
> To do that, we are considering several possibilities:
> - connect the DMZ to the NG only;
> - connect the DMZ to the PIX only;
> - have a "shared" DMZ, i.e. one based on two subnets (each
> connected to a firewall), and where some machines have dual
> interfaces (no routing between them, of course) when needed;
> - have two DMZes, each connected to a firewall.
>
> I would like to have your comments on these proposals.
>
> For example, we are wondering if having two layers of firewalls is really
> more secure, even if less manageable.
> We are also interested to know your experiences, the hidden culprits, the
> obvious flaws, etc...
>
> Thanks a lot to you...
>
> Lazló
>
>
> __________________________________________________________________
> The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp
>
> Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>

Relevant Pages

  • SV: Firewall Basics
    ... based firewalls since having two PIX firewalls would leave you vulnerable to ... the same exploits if a hole in PIX was found. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ...
    (Security-Basics)
  • RE: [fw-wiz] Strange Pix behavior.
    ... I'm sure I've seen it on a single PIX 515E as recently as ... TCP protocols that have longer connection lives such as FTP or SSH. ... in a variety of firewalls, many of which were standalone systems. ...
    (Firewall-Wizards)
  • RE: [fw-wiz] Appropriate PIX logging level
    ... the messages from the pix when it rejects a broadcast packet (I'm ... getting 43,000 log entries per day based on the firewalls rejecting ... If what you need is for the PIX to handle but not log certain policy events, ...
    (Firewall-Wizards)
  • Re: Choosing a Firewall
    ... > firewalls. ... We currently have a PIX 506e and seem to be running into some ... If you need to setup PPTP to the firewall, WG makes it simple to setup ... If you need branch-office ipsec dedicated tunnels, ...
    (comp.security.firewalls)
  • Re: internal firewall suggestions required
    ... There are noticable differences between the FWSM and PIX. ... VPN in a separate module is not a bad idea. ... Many of the other firewalls ...
    (comp.security.firewalls)