Re: [fw-wiz] Multiple firewalls from different manufacturers

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 01/26/05

    To: Shimon Silberschlag <shimons@bll.co.il>
    Date: Wed, 26 Jan 2005 16:04:28 -0500 (EST)

    On Wed, 26 Jan 2005, Shimon Silberschlag wrote:

    > Hello Group,
    >
    > In the past, I used to hear the recommendation that an internet facing
    > firewall setup should include at least 2 firewalls from different
    > manufacturers. The reasoning behind it was that if you had a fatal
    > vulnerability in one of them, one that could enable an attacker to "own" the
    > first, the second one will resist a similar attack.

    That wasn't the only rationale for not having a single layer of failure...

    > Today, when attacks are shifting towards using the already open ports on the
    > firewall, at the application level, do you think that such a setup is still
    > mandatory and/or recommended? Do you see such setups implemented? Or do
    > most setups include a single FW with multiple DMZs, connected directly to
    > the internal network? Perhaps the screened subnet variety with 2 FW, but the
    > same brand, is the most popular?

    I still try to at least get a screening router up front that does have a
    different packet filtering implementation (so I don't generally use green
    firewalls). To me, it's a matter of not designing easy-to-fail
    infrastructure.

    With two devices, you have the chance to catch configuration failures, not
    just implementation failures. If possible, it's nice to have two
    different groups handling each piece in coordination, so that you have to
    have two people co-opted to start punching holes, especially
    admin-installed backdoors.

    With commodity pricing on firewalls, it's really a question of "what do
    you have to lose?"

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
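
As an added illustration of the two-device argument above (example code, not part of the thread or Paul's post): the effective policy of a screening router in front of a firewall is the intersection of two independently administered rule sets, and a flow on which the two devices disagree is exactly the configuration failure the second device catches. The rule sets, addresses and flows are constructed sample data.

```python
"""Added example (not from the original thread): model the two-device
argument. The effective policy of a screening router in front of a firewall
is the intersection of both rule sets, so a hole must be opened in both.
Rule sets and flows below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_network, ip_address
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_net: str             # destination CIDR
    dst_port: Optional[int]  # None matches any port

def matches(rule: Rule, proto: str, dst: str, port: int) -> bool:
    return (rule.proto in ("any", proto)
            and ip_address(dst) in ip_network(rule.dst_net)
            and (rule.dst_port is None or rule.dst_port == port))

def evaluate(rules: list, proto: str, dst: str, port: int) -> str:
    """First-match evaluation with an implicit final deny."""
    for r in rules:
        if matches(r, proto, dst, port):
            return r.action
    return "deny"

def effective(router, firewall, proto, dst, port) -> str:
    """A flow reaches the DMZ only if both independently run devices permit it."""
    decisions = (evaluate(router, proto, dst, port), evaluate(firewall, proto, dst, port))
    return "permit" if decisions == ("permit", "permit") else "deny"

def audit(router, firewall, flows):
    """Flag flows where the two rule sets disagree: one team's configuration
    error (or a hole punched on one device only) shows up as a mismatch."""
    return [f for f in flows if evaluate(router, *f) != evaluate(firewall, *f)]

# Constructed sample policy: a DMZ web server on 192.0.2.10 (TEST-NET-1).
ROUTER = [Rule("permit", "tcp", "192.0.2.0/24", 80),
          Rule("permit", "tcp", "192.0.2.0/24", 443),
          Rule("permit", "tcp", "192.0.2.0/24", 22)]   # hole punched on router only
FIREWALL = [Rule("permit", "tcp", "192.0.2.10/32", 80),
            Rule("permit", "tcp", "192.0.2.10/32", 443)]
FLOWS = [("tcp", "192.0.2.10", 80), ("tcp", "192.0.2.10", 22), ("tcp", "192.0.2.11", 443)]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, effective(ROUTER, FIREWALL, *f))
    print("mismatches:", audit(ROUTER, FIREWALL, FLOWS))
```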