RE: [fw-wiz] Multiple firewalls from different manufacturers

From: Hurst, Dave (dhurst_at_lisletech.com)
Date: 01/28/05

  • Next message: damnliberals_at_gmail.com: "Re: [fw-wiz] Multiple firewalls from different manufacturers"
    To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 28 Jan 2005 13:40:28 -0600
    
    

    Kevin Kadow wrote:
    > > I still try to at least get a screening router up front that does have a
    > > different packet filtering implementation (so I don't generally use green
    > > firewalls.) To me, it's a matter of not designing easy to fail
    > > infrastructure.
    >
    > At a minimum, a screening router in front of any firewall makes a lot of sense,
    > and recently I've started to deploy screening routers on the inside to filter
    > default route outbound traffic.
    [...]
    > > With two devices, you have the chance to catch configuration failures, not
    > > just implementation failures. If possible, it's nice to have two
    > > different groups handling each piece in coordination, so that you have to
    > > have two people co-opted to start punching holes, especially
    > > admin-installed backdoors.
    [...]
    > Deploying multiple different types of security device in series adds cost,
    > complexity, and failure modes. Managing the infrastructure requires
    > more staff with more diverse skills, and the coordination required to
    > "punch holes" will increase the effort and delay when changes are
    > legitimately required.
    [...]
    > > Do you see such setups implemented? Or do most setups include a
    > > single FW with multiple DMZs, connected directly to the internal network?
    >
    > I see a lot of setups where multiple firewalls from different manufacturers
    > are deployed, in parallel.

    I certainly agree that multiple devices, be they firewalls, routers, or
    whatever, layered to provide defense in depth provide a more secure
    network. Do people have any sense for how often organizations actually
    follow this best practice? Or is it considered too complex and too
    difficult to manage effectively, i.e. one firewall is "good enough" so
    it's just left at that?

    --DaveH "Be Excellent to each other!"
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
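The layered design quoted above (a screening router with a different packet-filter implementation in front of the firewall, plus an inner screening router that filters default-route outbound traffic) can be modelled as a chain of independent first-match rule sets. The block below is an added illustration, not code from the list post or any vendor: the addresses (RFC 5737 TEST-NET ranges for the Internet and the DMZ, 10/8 for the inside), the proxy and resolver hosts, the rule sets and the sample packets are all constructed for the example. It shows the point made in the quoted text about configuration failures: a mistaken "permit any" on one device (HOLE) is still caught by the next device in the chain, and only holes in every device let the packet through.

```python
"""Model of a screening router + firewall + inner screening router chain.

Added illustration for the design quoted above; it is not part of the list
post or any product. Addresses, rule sets and packets are made up
(TEST-NET ranges from RFC 5737 stand in for the Internet and the DMZ).
Rules use first-match semantics with an implicit deny, like a router ACL.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    direction: str   # "in" = arriving from the Internet, "out" = leaving


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; a packet matching nothing is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


DMZ = "203.0.113.0/24"           # constructed DMZ block
INTERNAL = "10.0.0.0/8"          # constructed internal network
PROXY = "10.0.0.10/32"           # the only sanctioned egress point for workstations
DNS = "10.0.0.53/32"             # the internal resolver

# Outer screening router: anti-spoofing and coarse exposure of DMZ services.
OUTER = [
    Rule("deny", "in", src="10.0.0.0/8"),       # RFC 1918 sources from outside are spoofed
    Rule("deny", "in", src="172.16.0.0/12"),
    Rule("deny", "in", src="192.168.0.0/16"),
    Rule("deny", "in", src=DMZ),                # our own addresses arriving from outside
    Rule("permit", "in", dst=DMZ, proto="tcp", dport=80),
    Rule("permit", "in", dst=DMZ, proto="tcp", dport=443),
    Rule("permit", "out", src=DMZ),
    Rule("permit", "out", src=PROXY),
    Rule("permit", "out", src=DNS, proto="udp", dport=53),
]

# Firewall: a different implementation, maintained by a different group.
FIREWALL = [
    Rule("deny", "in", dst=INTERNAL),           # nothing from outside reaches the inside directly
    Rule("permit", "in", dst=DMZ, proto="tcp", dport=80),
    Rule("permit", "in", dst=DMZ, proto="tcp", dport=443),
    Rule("permit", "out", src=DMZ),
    Rule("permit", "out", src=PROXY),
    Rule("permit", "out", src=DNS, proto="udp", dport=53),
]

# Inner screening router: filters default-route outbound traffic, so workstations
# can only reach the proxy and the resolver, and only those two may leave.
INNER = [
    Rule("permit", "out", src=INTERNAL, dst=PROXY, proto="tcp", dport=3128),
    Rule("permit", "out", src=INTERNAL, dst=DNS, proto="udp", dport=53),
    Rule("permit", "out", src=PROXY),
    Rule("permit", "out", src=DNS),
]

HOLE = Rule("permit")  # a mistaken "permit any" that punches a hole in one device


def traverse(p: Packet, outer=OUTER, firewall=FIREWALL, inner=INNER) -> str:
    """Return "permit" or "deny by <device>" for the devices the packet crosses.

    DMZ hosts hang off the firewall, so only traffic to or from the internal
    network also crosses the inner screening router.
    """
    inside = ip_address(p.dst if p.direction == "in" else p.src) in ip_network(INTERNAL)
    chain = [("outer", outer), ("firewall", firewall)] + ([("inner", inner)] if inside else [])
    if p.direction == "out":
        chain.reverse()
    for name, rules in chain:
        if evaluate(rules, p) == "deny":
            return f"deny by {name}"
    return "permit"


if __name__ == "__main__":
    workstation_direct = Packet("10.5.5.5", "198.51.100.7", "tcp", 443, "out")
    print(traverse(workstation_direct))                          # deny by inner
    print(traverse(workstation_direct, inner=[HOLE] + INNER))    # deny by firewall
    print(traverse(workstation_direct, inner=[HOLE] + INNER,
                   firewall=[HOLE] + FIREWALL))                  # deny by outer
```

The model is stateless on purpose, like the ACLs on a screening router: it says nothing about return traffic, and the firewall's state table is not modelled. What it does make concrete is the coordination argument in the quoted text: with each device's rule set owned by a different group, a workstation bypassing the proxy needs a hole in the inner router, the firewall and the outer router before it reaches the Internet.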
