RE: [fw-wiz] Screening Router as a firewall
From: Steve Fletcher (safletcher_at_insightbb.com)
Date: 03/24/05
To: "'Shimon Silberschlag'" <shimons@bll.co.il>, <firewall-wizards@honor.icsalabs.com>
Date: Thu, 24 Mar 2005 16:00:19 -0600
Personally, I would go with the two "traditional" firewalls, in addition to
ACLs on the router to block traffic that should definitely not be coming in
over the Internet, such as private (RFC1918), loopback, and multicast
addresses.
As for the make and model of the routers, I have never been a firm believer
in having two different brands. I can see where that might be useful in
some cases, but for hardware firewalls such as the Cisco PIX, I just have
not seen enough evidence of major problems to warrant that.
That being said, I see no reason my ISA2004 could not be used as the second
firewall. The company I work for has a lot of customers who are doing just
that. While I would not want to rely on ISA as my only line of defense, or
even my first line of defense, as a second level of security, I think it
works pretty well. Plus, you get extra capabilities that are nice, such as
caching of web pages.
Just my $.02 worth.......
Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher@insightbb.com
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Shimon
Silberschlag
Sent: Thursday, March 24, 2005 7:38 AM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Screening Router as a firewall
Hello group,
Having a request for at least 2 firewalls protecting internet connectivity,
would you consider a border router with ACLs as the first firewall, or would
you demand to implement ACLs on the router and 2 other "traditional"
firewalls?
If you select the first option, would simple "packet filter" type ACLs
suffice, or would you demand "stateful" ACLs?
(I believe Cisco calls its implementation CBAC).
If you select the second option, would you demand that the 2 firewalls be of
different brand, different technology or can they be the same product?
Can ISA2004 serve as the second, internal facing firewall? Anyone using it
as such?
TIA,
Shimon Silberschlag
+972-3-9351572
+972-50-7207130
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
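
The router ACL suggested in the reply above (drop private RFC1918, loopback, and multicast sources arriving from the Internet), as an added example that is not part of the original thread. It renders the ranges as Cisco IOS extended ACL entries and checks constructed source addresses against them; the ACL name, the trailing permit (on the assumption that the firewalls behind the router do the real policy work), and the sample addresses are assumptions.

```python
import ipaddress

# Source ranges the reply says should never arrive over the Internet.
BLOCKED_SOURCES = {
    "RFC1918 10/8": "10.0.0.0/8",
    "RFC1918 172.16/12": "172.16.0.0/12",
    "RFC1918 192.168/16": "192.168.0.0/16",
    "loopback": "127.0.0.0/8",
    "multicast": "224.0.0.0/4",
}


def acl_lines(name="INGRESS-FILTER"):  # ACL name is hypothetical
    """Render the blocked ranges as IOS extended ACL entries.

    IOS uses wildcard (inverse) masks, which ipaddress exposes as hostmask.
    """
    lines = [f"ip access-list extended {name}"]
    for label, cidr in BLOCKED_SOURCES.items():
        net = ipaddress.ip_network(cidr)
        lines.append(f" remark {label}")
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    # Assumption: everything else is passed on to the firewalls behind the router.
    lines.append(" permit ip any any")
    return lines


def verdict(src):
    """First-match evaluation of one source address, as the ACL would do it."""
    addr = ipaddress.ip_address(src)
    for label, cidr in BLOCKED_SOURCES.items():
        if addr in ipaddress.ip_network(cidr):
            return ("deny", label)
    return ("permit", None)


if __name__ == "__main__":
    print("\n".join(acl_lines()))
    # Constructed sample sources, including the edges of 172.16.0.0/12.
    for src in ("172.31.255.254", "172.32.0.1", "239.1.2.3",
                "127.0.0.1", "192.168.1.1", "198.51.100.7"):
        print(src, verdict(src))
```

The boundary cases are the useful part: 172.31.255.254 is still inside the /12 and is dropped, while 172.32.0.1 is ordinary public space and passes.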