RE: [fw-wiz] Multiple firewalls from different manufactureres

From: Hurst, Dave (dhurst_at_lisletech.com)
Date: 01/29/05

  • Next message: Paul D. Robertson: "RE: [fw-wiz] Multiple firewalls from different manufactureres"
    To: "'Paul D. Robertson'" <paul@compuwar.net>
    Date: Fri, 28 Jan 2005 17:31:23 -0600
    
    

    On Fri, 28 Jan 2005, Paul Robertson wrote:
    > On Fri, 28 Jan 2005, Hurst, Dave wrote:
    >
    > > I certainly agree that multiple devices, be they firewalls, routers, or
    > > whatever, layered to provide defense in depth provides a more secure
    > > network. Do people have any sense for how often organizations actually
    > > follow this best practice? Or is it considered too complex and too
    > > difficult to manage effectively, i.e. one firewall is "good enough" so
    > > it's just left at that?
    >
    > Last I saw stats, over 70% of firewalls were either misconfigured or
    > poorly configured. I've seen everything from "Sure we have a firewall!
    > Over there in that box!" To "We have a firewall with two rules, drop this
    > specific bad thing and allow everything else." Most places I hit seem to
    > have an "Allow it all out" ruleset these days. If people can't get one
    > right, then two is going to be a miracle...

    That may be the case for some small shops, but I'm wondering if that's
    really the case for organizations that have more complex networks. If
    you're segmenting the network into subnets to isolate different parts of
    the organization or to contain mobile users, providing secure access for
    remote users, connecting geographically distributed locations with VPN
    links, providing extranet services to customers, or any of a dozen other
    things that are driving complexity in the network infrastructure these
    days, then deploying just a single firewall seems untenable.

    --DaveH "Be Excellent to each other!"
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

