Re: [fw-wiz] Multiple firewalls from different manufacturers

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 01/26/05

  • Next message: Jose Hidalgo Herrera: "[fw-wiz] NAT for public IPs"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 27 Jan 2005 02:54:00 +0530
    
    

    On 26/01/05 18:23 +0200, Shimon Silberschlag wrote:
    > Hello Group,
    >
    > In the past, I used to hear the recommendation that an internet facing
    > firewall setup should include at least 2 firewalls from different
    > manufacturers. The reasoning behind it was that if you had a fatal
    > vulnerability in one of them, one that could enable an attacker to "own" the
    > first, the second one will resist a similar attack.
    >
    > Today, when attacks are shifting towards using the already open ports on the
    > firewall, at the application level, do you think that such a setup is still
    > mandatory and/or recommended? Do you see such setups implemented? Or does

    Attacks have almost always been at the application layer. The exceptions
    have mostly been DoS attacks, which can exploit a vulnerability in an IP
    stack implementation to bring down a host or router.

    Packet filters worked well enough when it was possible to lock out
    external networks from accessing any important services (no web-enabled
    database applications, so a whole class of SQL injection attacks was
    avoidable from the open Internet, etc).

    IMHO, rather than using multiple firewalls, I would use a strong policy,
    filesystem ACLs, proxies, and a less common system for my packet
    filtering edge system (OpenBSD, or FreeBSD most likely). A different OS on
    the proxies, servers and firewalls helps, but it is up to the
    organisation to determine if the added benefits are worth the cost.

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
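
The point Devdas makes above, that a packet filter decides on the 5-tuple while the attack rides in on a port the policy has to leave open, worked through as an added example. This code is not from the thread or from any product mentioned in it: the default-deny ruleset, the addresses, the two HTTP requests and the `item` table are all constructed here for illustration.

```python
import sqlite3
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Packet:
    """What a layer-3/4 filter gets to look at, plus the payload it does not inspect."""
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed default-deny ruleset in the spirit of a pf/ipfw edge filter:
# only 80/tcp and 443/tcp to the web server are allowed in from outside.
WEB_SERVER = "203.0.113.10"  # documentation range, constructed for the example
RULES = [
    ("pass", "tcp", WEB_SERVER, 80),
    ("pass", "tcp", WEB_SERVER, 443),
]


def packet_filter_decision(pkt: Packet) -> str:
    """Last matching rule wins (pf style); anything unmatched hits the implicit block.

    Note that pkt.payload is never consulted: the decision is a pure function of headers.
    """
    decision = "block"
    for action, proto, dst, dport in RULES:
        if pkt.proto == proto and pkt.dst == dst and pkt.dport == dport:
            decision = action
    return decision


def request_line_to_params(payload: bytes) -> dict:
    """Application layer: pull the query parameters out of the HTTP request line."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    _method, target, _version = request_line.split(" ", 2)
    return {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the 'web-enabled database application'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO item VALUES (?, ?)",
        [(41, "alpha"), (42, "bravo"), (43, "charlie")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, params: dict) -> list:
    """Deliberately vulnerable: the parameter is spliced into the SQL text."""
    sql = "SELECT name FROM item WHERE id = '%s' ORDER BY id" % params["id"]
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn: sqlite3.Connection, params: dict) -> list:
    """Parameterized: the value travels separately and can never become SQL syntax."""
    sql = "SELECT name FROM item WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (params["id"],))]


def run_demo() -> dict:
    """Push a benign and an injected request through the filter and both lookups."""
    client = "198.51.100.7"  # constructed external address
    benign = Packet("tcp", client, WEB_SERVER, 80,
                    b"GET /item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n")
    # Query string decodes to: id=42' OR '1'='1
    injected = Packet("tcp", client, WEB_SERVER, 80,
                      b"GET /item?id=42%27%20OR%20%271%27=%271 HTTP/1.1\r\n"
                      b"Host: shop.example\r\n\r\n")
    conn = make_db()
    results = {}
    for label, pkt in (("benign", benign), ("injected", injected)):
        params = request_line_to_params(pkt.payload)
        results[label] = {
            "filter": packet_filter_decision(pkt),
            "vulnerable": vulnerable_lookup(conn, params),
            "hardened": hardened_lookup(conn, params),
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

Both requests get "pass" from the filter, because nothing in the ruleset can tell them apart; a second filter from another vendor, evaluating the same headers, reaches the same answer. The concatenated query hands back every row for the injected input while the parameterized one returns nothing, which is the application-layer control (or the proxy in front of it) that the reply is pointing at.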
