Re: [fw-wiz] Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)



Hi, Robert et al...

I initially objected to the notion of all-in-one appliances too, but the
complexity and architectural inelegance of having 3-5 gateway security
boxes chained together (FW + IDS/IPS + inline AV + URL/Content Filter +
VPN) convinced me to eventually champion a migration to Symantec's SGS
5460 units in one of our largest operating centres at the end of 2003. The
operating centre's management and I have been very impressed, as have the
pen-testers employed from time to time to try breaking the gateway.

Nice balance of "default deny" at the firewall, augmented by a "default
permit" scanning layer (AV + IPS + URL/CF) just behind it, all in the same
box. The latest units, SGS 5660 and family, rock! And I want a new "baby"
SGS (1620 and 1660) for my home... full-featured except for some
limitations on SSL VPN, they're way cool and quite cheap to boot.

Using the latest software version (SGS 3.x), the units provide proxy FW,
IDS/IPS, AV, URL and Content Filtering, IPSec VPN and SSL VPN, and do so
very respectably, doing exactly what it says on the tin. In fact, that
operating centre generally laughs at the rest of the company whenever a
major worm strikes, and sometimes smugly phones up and asks whether we need
assistance. They use the SGS units between themselves and the Internet,
3rd parties AND the rest of the company! :-)

Integration of the various capabilities is fairly good if not immediately
intuitive, but some people balk at the amount of detail included in the
logs, and the way they are presented. Detailed, but not too pretty! (Great
for troubleshooting and figuring out what the device is getting up to,
though.)

Having moved to a location where we have a different gateway
infrastructure, I really appreciate the peace of mind that the SGS used to
give me, and the confidence with which we used to connect to 3rd parties
and allow inbound connections. "UTM" devices, once you edit out all the
marketing cr@p and get down to real-world performance and capabilities,
are rightly the wave of the future, but the performance hit that results
from turning on all the scanning features will keep them off high-speed
backbones for a while yet... and sadly there is still a "performance
stigma" against proxy firewalls, greatly undeserved of late.

Also, beware the corner-cutting that some UTM providers do: some use
limited AV signature sets, others use "optimized" IPS signature sets,
while others fall over if you switch all the features on in an operational
environment. I have to protect factories and labs that run expensive,
salary-critical equipment managed by operating systems that some of us
remember out of our youthful days (DOS, CP/M, Win3.1) that cannot be
fiddled with or updated without losing support from the manufacturer... to
protect these, I need full AV and IPS signature sets and a decent proxy,
nothing less. In 2003, SGS was the only UTM device to provide all of that
in one box; today, I would still choose the same family of appliances
based on my experience with them.

As for flexibility and defense in depth, you need to balance that out
against the manageability and architectural simplicity offered by UTM
devices. If you don't want the IPS/AV/whatever functionality, you don't
have to license it. But managing disparate systems can be a pain, and they
don't all play together nicely. With the proxy FW, AV and IDS/IPS included
in the SGS, I believe that one gets a pretty good protection profile, and
adding separate IDS/IPS and/or inline AV to the mix instead of those built
in doesn't yield much benefit at the cost of elegance, manageability and
simplicity... but YMMV.

Caveat: adding a proxy firewall to a gateway is likely to highlight a
number of cases where applications (in-house and shrink-wrap) disobey
published RFCs for the protocols they use, or otherwise behave badly. This
may lead to "words" between IT Security folks and their other IT or
business colleagues, or external suppliers. Ranum rants about this on the
list often enough and more eloquently than I can, so I won't. :-)

That's my £0.02 worth, anyway.

Johann van Duyn
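As an added illustration, and not code from either message in this thread or from any Symantec product, here is a small model of the layered gateway Johann describes: a "default deny" packet filter in front of a "default permit" scanning layer, with a proxy stage in between that enforces basic HTTP syntax and so surfaces the RFC-disobeying clients mentioned in the caveat. The address prefixes, ports, block list, signature strings and sample requests are all constructed for the example.

```python
"""Toy three-stage gateway: default-deny packet filter -> strict HTTP
proxy check -> default-permit scanning (URL filter + payload signatures).
Everything here (rules, hosts, sample requests) is made up for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Conn:
    src: str       # client address
    dst: str       # server address
    dport: int     # destination port
    payload: bytes  # first bytes the client sent


# Stage 1: default deny.  Only listed (source prefix, dport) pairs get through;
# everything else is dropped before any inspection happens.
ALLOW: List[Tuple[str, int]] = [
    ("10.20.", 80),    # hypothetical factory LAN -> web, via the proxy
    ("10.20.", 443),
    ("10.30.", 25),    # hypothetical lab -> mail relay
]


def packet_filter(c: Conn) -> Optional[str]:
    for prefix, port in ALLOW:
        if c.src.startswith(prefix) and c.dport == port:
            return None            # allowed; fall through to inspection
    return "fw: default deny"


# Stage 2: proxy-style protocol enforcement for plain HTTP.  A proxy has to
# parse the request, so clients that break basic RFC 7230 syntax (bare LF
# line endings, garbage request line, HTTP/1.1 without Host) get refused here.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]$")


def http_check(c: Conn) -> Optional[str]:
    if c.dport != 80:
        return None                # not HTTP; nothing to enforce at this stage
    if b"\r\n\r\n" not in c.payload:
        return "proxy: incomplete request head"
    head = c.payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if any(b"\n" in line for line in lines):
        return "proxy: bare LF in header"
    if not REQUEST_LINE.match(lines[0]):
        return "proxy: malformed request line"
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        if b":" not in line:
            return "proxy: malformed header"
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    if lines[0].endswith(b"HTTP/1.1") and b"host" not in headers:
        return "proxy: HTTP/1.1 without Host"
    return None


# Stage 3: default permit.  Traffic that reached this point is allowed unless
# the URL filter or a payload signature objects (constructed patterns).
URL_BLOCK: List[bytes] = [b"/wp-login.php", b"evil.example"]
SIGS: List[Tuple[bytes, str]] = [(b"cmd.exe /c", "sig-cmd"), (b"<script>", "sig-xss")]


def scan(c: Conn) -> Optional[str]:
    for needle in URL_BLOCK:
        if needle in c.payload:
            return "urlfilter: " + needle.decode()
    for pattern, name in SIGS:
        if pattern in c.payload:
            return "ips: " + name
    return None


STAGES: List[Callable[[Conn], Optional[str]]] = [packet_filter, http_check, scan]


def gateway(c: Conn) -> str:
    """Run the stages in order; the first one to object decides the verdict."""
    for stage in STAGES:
        verdict = stage(c)
        if verdict:
            return "DROP " + verdict
    return "PASS"


# Constructed sample connections covering each stage's decision.
SAMPLES: Dict[str, Conn] = {
    "good": Conn("10.20.1.5", "203.0.113.10", 80,
                 b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    "denied": Conn("10.40.1.5", "203.0.113.10", 80,
                   b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    "nohost": Conn("10.20.1.5", "203.0.113.10", 80,
                   b"GET / HTTP/1.1\r\nUser-Agent: legacy-client\r\n\r\n"),
    "bare_lf": Conn("10.20.1.5", "203.0.113.10", 80,
                    b"GET / HTTP/1.0\nUser-Agent: x\r\n\r\n"),
    "blocked_url": Conn("10.20.1.5", "203.0.113.10", 80,
                        b"GET /wp-login.php HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    "sig": Conn("10.20.1.5", "203.0.113.10", 80,
                b"POST /cgi-bin/x HTTP/1.1\r\nHost: www.example\r\n\r\ncmd.exe /c dir"),
    "tls": Conn("10.20.1.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\x05hello"),
}


def run_all() -> Dict[str, str]:
    return {name: gateway(c) for name, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:12s} {verdict}")
```

The order of the stages is the point: the packet filter never sees the payload and drops anything not explicitly allowed, the proxy stage refuses to forward what it cannot parse, and only then does the permissive scanning layer look for specific bad things. Note that the `bare_lf` and `nohost` samples are the kind of "badly behaved but working" clients that pass a stateful packet filter untouched and only become visible once a proxy is in the path.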




24/05/2006 17:11
Robert A Beken <beken@xxxxxxxxxx>
Sent by: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx

Please respond to
Firewall Wizards Security Mailing List
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>

To
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
cc

Subject
[fw-wiz] Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

I have a question for the group about this new trend of using a single
firewall for all IDS and Firewall related tasks in an integrated box for
enterprise organizations (not SOHO). I personally think it's a bad idea
and lacks flexibility in configuration and "defense in depth" posture
towards security. What are other people's thoughts?

Thanks and Regards,


Robert Beken CISSP, GCFW
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



_____________________________________________________________________
Confidentiality Notice: The information in this document and attachments is confidential and may also be legally privileged. It is intended only for the use of the named recipient.
Internet communications are not secure and therefore British American Tobacco does not accept legal responsibility for the contents of this message.
If you are not the intended recipient, please notify us immediately and then delete this document. Do not disclose the contents of this document to any other person, nor take any copies.
Violation of this notice may be unlawful.
______________________________________________________________________


