[fw-wiz] How should an Internet connection/firewall be designed?

We have always had a firewall on our Internet connection. We went from
home grown to fwtk (Thanks Marcus) and then a commercial system with
snort IDS outside, on the DMZ and inside the firewall. We have always
had very tight access controls: few ports open to our DMZ, even fewer
to our internal network (and those require one-time passwords), and
restricted access to the Internet that must be approved by security. Now
we have been told to upgrade/modify our Internet connection with new
firewalls, IPS and deep packet inspection devices. I would appreciate
information on what are considered common practices.

How many companies have two serial firewalls from different vendors?

How many companies have an IPS/deep-packet-inspection device between the
firewall and the border router?

How many companies still use IDS?

How many companies have some form of deep packet inspection device in
front of their DMZ web servers? What do they use?

It seems like the added complexity and multiple devices will increase
management costs and may actually decrease security and reliability.
Our current design may be rather simple, but in over 12 years we have had
less than a couple of hours of downtime and have not had a detected
break-in to our internal network.

I would appreciate any comments.

Thank you,

Dave Kaas
firewall-wizards mailing list
