Re: [fw-wiz] Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

Hi Robert, I feel there is a good need for an integrated appliance. I feel even Fortinet is a good box, just like NetScreen, having IPS, firewall, anti-virus, URL filtering and anti-spam in one single box. With the SSG series I am not sure whether it provides the entire SSL and IDP functionality. I guess Check Point is the sole one right now having a complete unified architecture with complete endpoint security, which both Cisco and NetScreen lack. I feel it's high time that Juniper launches a complete integrated box with a complete firewall, IDP and SSL solution in one box, and also probably with an anti-virus hardware card like the Cisco ASA supports for scanning at wire speed. Just my views.
See ya



Johann_van_Duyn@xxxxxxx wrote:

Hi, Robert et al...

I initially objected to the notion of all-in-one appliances too, but the
complexity and architectural inelegance of having 3-5 gateway security
boxes chained together (FW + IDS/IPS + inline AV + URL/Content Filter +
VPN) convinced me to eventually champion a migration to Symantec's SGS
5460 units in one of our largest operating centres at the end of 2003. The
operating centre's management and I have been very impressed, as have the
pen-testers employed from time to time to try breaking the gateway.

Nice balance of "default deny" at the firewall, augmented by a "default
permit" scanning layer (AV + IPS + URL/CF) just behind it, all in the same
box. The latest units, SGS 5660 and family, rock! And I want a new "baby"
SGS (1620 and 1660) for my home... full-featured except for some
limitations on SSL VPN, they're way cool and quite cheap to boot.

Using the latest software version (SGS 3.x), the units provide proxy FW,
IDS/IPS, AV, URL and Content Filtering, IPSec VPN and SSL VPN, and do so
very respectably, doing exactly what it says on the tin. In fact, that
operating centre generally laughs at the rest of the company whenever a
major worm strikes, and sometimes smugly phones up and asks whether we need
assistance. They use the SGS units between themselves and the Internet,
3rd parties AND the rest of the company! :-)

Integration of the various capabilities is fairly good if not immediately
intuitive, but some people balk at the amount of detail included in the
logs, and the way they are presented. Detailed, but not too pretty! (Great
for troubleshooting and figuring out what the device is getting up to,

Having moved to a location where we have a different gateway
infrastructure, I really appreciate the peace of mind that the SGS used to
give me, and the confidence with which we used to connect to 3rd parties
and allow inbound connections. "UTM" devices, once you edit out all the
marketing cr@p and get down to real-world performance and capabilities,
are rightly the wave of the future, but the performance hit that results
from turning on all the scanning features will keep them off high-speed
backbones for a while yet... and sadly there is still a "performance
stigma" against proxy firewalls, greatly undeserved of late.

Also, beware the corner-cutting that some UTM providers do: some use
limited AV signature sets, others use "optimized" IPS signature sets,
while others fall over if you switch all the features on in an operational
environment. I have to protect factories and labs that run expensive,
salary-critical equipment managed by operating systems that some of us
remember out of our youthful days (DOS, CP/M, Win3.1) that cannot be
fiddled with or updated without losing support from the manufacturer... to
protect these, I need full AV and IPS signature sets and a decent proxy,
nothing less. In 2003, SGS was the only UTM device to provide all of that
in one box; today, I would still choose the same family of appliances
based on my experience with them.

As for flexibility and defense in depth, you need to balance that out
against the manageability and architectural simplicity offered by UTM
devices. If you don't want the IPS/AV/whatever functionality, you don't
have to license it. But managing disparate systems can be a pain, and they
don't all play together nicely. With the proxy FW, AV and IDS/IPS included
in the SGS, I believe that one gets a pretty good protection profile, and
adding separate IDS/IPS and/or inline AV to the mix instead of those built
in doesn't yield much benefit at the cost of elegance, manageability and
simplicity... but YMMV.

Caveat: adding a proxy firewall to a gateway is likely to highlight a
number of cases where applications (in-house and shrink-wrap) disobey
published RFCs for the protocols they use, or otherwise behave badly. This
may lead to "words" between IT Security folks and their other IT or
business colleagues, or external suppliers. Ranum rants about this on the
list often enough and more eloquently than I can, so I won't. :-)

That's my £0.02 worth, anyway.

Johann van Duyn
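Johann's caveat that a proxy firewall exposes applications which disobey the published RFCs for their protocols, shown as an added example that is not part of this thread or of any product mentioned in it: a small Python validator applying a hypothetical subset of the strict HTTP/1.1 checks an application-layer proxy performs before relaying a request. The function, its messages and the two sample requests are constructed for this illustration; a real proxy enforces far more than this.

```python
"""Strict HTTP/1.1 request validation of the kind a proxy firewall applies.

Added illustration for this thread, not code from any product mentioned in
it. The checks are a hypothetical subset of what an application-layer proxy
enforces; the sample requests below are constructed for the example.
"""
import re

# RFC 7230 "token" characters, used for header field names
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
REQUEST_LINE = re.compile(r"^(\S+) (\S+) HTTP/(\d)\.(\d)$")
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                   "OPTIONS", "CONNECT", "TRACE", "PATCH"}


def validate_request(raw: bytes) -> list:
    """Return the list of RFC violations found; an empty list means clean."""
    problems = []

    # The header block must end with CRLF CRLF; tolerate LF LF only to keep
    # parsing so that the remaining violations can be reported too.
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        end = raw.find(b"\n\n")
        if end < 0:
            return ["header block not terminated (no blank line)"]
        problems.append("header block terminated by bare LF LF instead of CRLF CRLF")
    head = raw[:end]

    if b"\n" in head.replace(b"\r\n", b""):
        problems.append("bare LF line ending in headers")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")

    try:
        text = [ln.decode("ascii") for ln in lines]
    except UnicodeDecodeError:
        return problems + ["non-ASCII bytes in headers"]

    m = REQUEST_LINE.match(text[0])
    if not m:
        return problems + [f"malformed request line: {text[0]!r}"]
    method, _target, major, minor = m.groups()
    if method.upper() not in ALLOWED_METHODS:
        problems.append(f"unknown method {method!r}")
    elif method != method.upper():
        problems.append(f"method {method!r} is not uppercase (methods are case-sensitive)")
    version = (int(major), int(minor))

    headers = {}
    for ln in text[1:]:
        if ln.startswith((" ", "\t")):
            problems.append("obsolete line folding (obs-fold) in headers")
            continue
        name, colon, value = ln.partition(":")
        if name != name.strip():
            problems.append(f"whitespace between field name and colon: {name!r}")
            continue
        if not colon or not TOKEN.match(name):
            problems.append(f"malformed header field: {ln!r}")
            continue
        headers.setdefault(name.lower(), []).append(value.strip())

    if version >= (1, 1) and "host" not in headers:
        problems.append("HTTP/1.1 request without Host header")
    if len(headers.get("host", [])) > 1:
        problems.append("multiple Host headers")
    if "content-length" in headers:
        values = headers["content-length"]
        if len(set(values)) > 1 or not all(v.isdigit() for v in values):
            problems.append("conflicting or non-numeric Content-Length")
        elif "transfer-encoding" in headers:
            problems.append("both Content-Length and Transfer-Encoding present")
    return problems


# Constructed samples: a compliant request and one from a "badly behaved"
# client that a permissive origin server would accept but a strict proxy drops.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"
BAD = b"get /index.html HTTP/1.1\nUser-Agent : legacy-app\n\n"


def check_samples() -> dict:
    """Map each sample name to the violations a strict proxy would report."""
    return {"good": validate_request(GOOD), "bad": validate_request(BAD)}


if __name__ == "__main__":
    for name, findings in check_samples().items():
        print(f"{name}: {'relayed' if not findings else 'rejected'}")
        for f in findings:
            print("   -", f)
```

Running it shows the compliant request relayed and the legacy one rejected on five separate counts, which is the kind of report that starts the "words" between security staff and application owners that the post describes; the useful part is that each finding names a concrete RFC deviation the vendor can fix rather than a bare "blocked by firewall".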

24/05/2006 17:11
Robert A Beken
Sent by: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx

Please respond to
Firewall Wizards Security Mailing List


[fw-wiz] Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

I have a question for the group about this new trend of using a single
firewall for all IDS and Firewall related tasks in an integrated box for
enterprise organizations (not SOHO). I personally think it's a bad idea
and lacks flexibility in configuration and "defense in depth" posture
towards security. What are other people's thoughts?

Thanks and Regards,

Robert Beken CISSP, GCFW
firewall-wizards mailing list
