Re: [fw-wiz] Multiple firewalls from different manufacturers

From: Paul D. Robertson
Date: 01/28/05

    Date: Fri, 28 Jan 2005 15:43:55 -0500 (EST)

    On Fri, 28 Jan 2005 wrote:

    > Why is it bad? We're looking at a manufacturer of those "all in one"

    Look at the parsing errors in say Ethereal plug-ins to see why code rate
    of change for decoding complex protocols is not a great thing.

    If you've got a single layer of failure with dynamic changes to its
    codebase on the outside of your network, then you're almost certain to
    have issues at some point.

    I sure wouldn't want to put one on the outside as my sole firewall.

    > firewalls: AV, IPS, VPN, content filtering. I see the IPS as sort of
    > a bonus that we can turn on if we want. I prefer a best of breed
    > approach with multiple devices, but upper mgmt wants easy
    > administration and fast implementation.

    If upper management is making operational decisions, you need to
    re-educate them as to their role. If your firewall is taking up enough
    time to be anything noticeable administration-wise, then your rulesets are
    way too complex and your admins need to be re-educated ;)

    Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    firewall-wizards mailing list
