RE: [fw-wiz] Multiple firewalls from different manufacturers
From: Hurst, Dave (dhurst_at_lisletech.com)
To: "'firstname.lastname@example.org'" <email@example.com>
Date: Fri, 28 Jan 2005 13:40:28 -0600
Kevin Kadow wrote:
> > I still try to at least get a screening router up front that does
> > different packet filtering implementation (so I don't generally use
> > firewalls.) To me, it's a matter of not designing easy to fail
> > infrastructure.
> At a minimum, a screening router in front of any firewall makes a lot
> and recently I've started to deploy screening routers on the inside to
> default route outbound traffic.
> > With two devices, you have the chance to catch configuration
> > just implementation failures. If possible, it's nice to have two
> > different groups handling each piece in coordination, so that you
> > have two people co-opted to start punching holes, especially
> > admin-installed backdoors.
> Deploying multiple different types of security device in series adds
> complexity, and failure modes. Managing the infrastructure requires
> more staff with more diverse skills, and the coordination required to
> "punch holes" will increase the effort and delay when changes are
> legitimately required.
> > Do you see such setups implemented? Or do most setups include a
> > single FW with multiple DMZs, connected directly to the internal
> I see a lot of setups where multiple firewalls from different
> are deployed, in parallel.
I certainly agree that multiple devices, be they firewalls, routers, or
whatever, layered to provide defense in depth provides a more secure
network. Do people have any sense of how often organizations actually
follow this best practice? Or is it considered too complex and too
difficult to manage effectively, i.e. one firewall is "good enough" so
it's just left at that?
--DaveH "Be Excellent to each other!"
firewall-wizards mailing list
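The arrangement discussed in the thread (a screening router with a different packet-filtering implementation in series with the firewall, managed by a different group, so that a hole punched or a backdoor installed on one device is still closed by the other) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from any of its posters: it parses two constructed rule sets in two different syntaxes, evaluates a packet against both with first-match semantics the way the devices would in series, and reports which services are open on only one layer, i.e. exactly the configuration drift a second device catches and the half-applied change that delays legitimate work. The rule syntaxes, the 192.0.2.0/24 hosts and services, and all function names are assumptions for illustration.

```python
"""Series filtering check: screening router ACL vs. firewall policy.

Added example, not from the firewall-wizards thread.  Addresses, services
and both rule syntaxes below are constructed for illustration only.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    proto: str                      # "tcp", "udp" or "ip" (any protocol)
    dst: ipaddress.IPv4Network      # destination network; 0.0.0.0/0 means "any"
    port: Optional[int]             # destination port; None means "any port"

    def matches(self, proto: str, dst_ip: str, port: int) -> bool:
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.port in (None, port))


Entry = Tuple[str, Rule]            # ("permit" | "deny", rule), in device order


def _parse_addr(tok: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Accept 'any', 'host A.B.C.D' or 'A.B.C.D/len'; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(tok[0], strict=False), tok[1:]


def parse_router_acl(text: str) -> List[Entry]:
    """Cisco-style extended ACL: '<permit|deny> <proto> <src> <dst> [eq <port>]'.
    The source address is parsed but not compared; exposure is by destination."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        action, proto = tok[0], tok[1]
        _src, rest = _parse_addr(tok[2:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, Rule(proto, dst, port)))
    return entries


def parse_firewall_policy(text: str) -> List[Entry]:
    """Constructed firewall syntax: '<allow|drop> <dst> <proto> [port]'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        action = {"allow": "permit", "drop": "deny"}[tok[0]]
        dst, rest = _parse_addr(tok[1:])
        port = int(rest[1]) if len(rest) > 1 else None
        entries.append((action, Rule(rest[0], dst, port)))
    return entries


def decide(entries: List[Entry], proto: str, dst_ip: str, port: int) -> bool:
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, rule in entries:
        if rule.matches(proto, dst_ip, port):
            return action == "permit"
    return False


def reachable_in_series(router, firewall, proto, dst_ip, port) -> bool:
    """A packet reaches the host only if BOTH independent layers permit it."""
    return decide(router, proto, dst_ip, port) and decide(firewall, proto, dst_ip, port)


def drift_report(router: List[Entry], firewall: List[Entry]) -> dict:
    """Compare the explicit permits of the two layers.  Anything permitted by
    only one device is either a hole the other device is quietly closing
    (a misconfiguration or backdoor caught by the second layer) or a change
    that was only half applied (the coordination cost Kevin mentions)."""
    r = {rule for action, rule in router if action == "permit"}
    f = {rule for action, rule in firewall if action == "permit"}
    key = lambda x: (x.proto, str(x.dst), -1 if x.port is None else x.port)
    return {"exposed": sorted(r & f, key=key),          # the real attack surface
            "router_only": sorted(r - f, key=key),      # firewall still blocks these
            "firewall_only": sorted(f - r, key=key)}    # router still blocks these


# Constructed sample configurations (not real devices or addresses).
ROUTER_ACL = """
! outside screening router, maintained by the network group
permit tcp any host 192.0.2.10 eq 25
permit tcp any host 192.0.2.11 eq 80
permit tcp any host 192.0.2.11 eq 443
permit udp any host 192.0.2.12 eq 53
permit tcp any host 192.0.2.13 eq 22
deny ip any any
"""
FIREWALL_POLICY = """
# firewall behind the router, maintained by the security group
allow host 192.0.2.10 tcp 25
allow host 192.0.2.11 tcp 80
allow host 192.0.2.11 tcp 443
allow host 192.0.2.12 udp 53
allow host 192.0.2.12 tcp 53
allow host 192.0.2.10 tcp 3389
drop any ip
"""
ROUTER = parse_router_acl(ROUTER_ACL)
FIREWALL = parse_firewall_policy(FIREWALL_POLICY)

if __name__ == "__main__":
    for name, rules in drift_report(ROUTER, FIREWALL).items():
        print(name, [(r.proto, str(r.dst), r.port) for r in rules])
    print("tcp/3389 to 192.0.2.10 reachable:",
          reachable_in_series(ROUTER, FIREWALL, "tcp", "192.0.2.10", 3389))
```

In the constructed data the firewall has an allow for tcp/3389 to the mail host that the router never permitted, so it is reported under `firewall_only` and `reachable_in_series` still answers false: the second layer catches it. The tcp/53 rule on the firewall and the ssh rule on the router show the other face of the same design, a change applied on one device only, which is precisely the kind of thing that has to be coordinated across two groups before it works.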