Re: [fw-wiz] Multiple firewalls from different manufactureres

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 01/26/05

  • Next message: MHawkins_at_TULLIB.COM: "RE: [fw-wiz] Multiple firewalls from different manufactureres"
    To: Shimon Silberschlag <shimons@bll.co.il>
    Date: Wed, 26 Jan 2005 16:04:28 -0500 (EST)
    
    

    On Wed, 26 Jan 2005, Shimon Silberschlag wrote:

    > Hello Group,
    >
    > In the past, I used to hear the recommendation that an internet facing
    > firewall setup should include at least 2 firewalls from different
    > manufacturers. The reasoning behind it was that if you had a fatal
    > vulnerability in one of them, one that could enable an attacker to "own" the
    > first, the second one will resist a similar attack.

    That wasn't the only rationale for not having a single layer of failure...

    > Today, when attacks are shifting towards using the already open ports on the
    > firewall, at the application level, do you think that such a setup is still
    > mandatory and/or recommended? Do you see such setups implemented? Or does
    > most setups include a single FW with multiple DMZs, connected directly to
    > the internal network? Perhaps the screened subnet variety with 2 FW, but the
    > same brand, is the most popular?

    I still try to at least get a screening router up front that does have a
    different packet filtering implementation (so I don't generally use green
    firewalls.) To me, it's a matter of not designing easy to fail
    infrastructure.

    With two devices, you have the chance to catch configuration failures, not
    just implementation failures. If possible, it's nice to have two
    different groups handling each piece in coordination, so that you have to
    have two people co-opted to start punching holes, especially
    admin-installed backdoors.

    With commodity pricing on firewalls, it's really a question of "what do
    you have to lose?"

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: MHawkins_at_TULLIB.COM: "RE: [fw-wiz] Multiple firewalls from different manufactureres"