Re: [fw-wiz] How should an Internet connection/firewall be designed?

Kaas, David D wrote:

> How many companies have two serial firewalls from different vendors?

Depends on size of organization or location, and exactly what purpose the firewalls serve in serial. I assume you are talking about choke-and-screen arrangements and Internet firewalls?

- Few/no small businesses or small offices have 2 of anything. Terminating broadband on a PPPoE-capable firewall is what I recommend, and I tell them to eBay the telco's router.
- Medium businesses that have large enterprise assets may have this arrangement. Here, I see more routers in the screen role and commercial firewall appliances in the choke role. The router is as often as not Cisco and the firewall is often Netscreen/SonicWall/Watchguard.
- Large enterprises I've worked with are either Cisco shops or Cisco plus Check Point. Again, router with PIX is a "better screen" and Check Point is a choke and (ugh) integrated threat enforcement point.

Of course, if you are speaking to application-level security, then I see (and recommend) more best-of-breed than "buy the UTM device and deploy it in serial, turning on the security measures where you think they are appropriately deployed".

> How many companies have an IPS/deep-packet-inspection device between the
> firewall and the border router?

I honestly don't see a lot of this, and unless there's a specific DoS prevention issue, I don't see a lot of point in policing traffic that I expect my firewall to block.

> How many companies still use IDS?

Depends on your use of the word "use" - lots still have IDS and IPS connected to networks. I suspect fewer meaningfully improve their security profile because they have dummied them down, or don't use what they monitor. I'm among the "A properly configured and administered firewall is often as good as or better than IDS because it *is* IPS" radicals.

> How many companies have some form of deep packet inspection device in
> front of their DMZ web servers? What do they use?

> It seems like the added complexity and multiple devices will increase
> management costs and may actually decrease security and reliability.

Meh. We can argue all month over this. Depends on the available talent.

> Our current design may be rather simple, but in over 12 years we have had
> less than a couple of hours of down time and have not had a detected
> break-in to our internal network.

No comment.

> I would appreciate any comments.
>
> Thank you,
>
> Dave Kaas
> firewall-wizards mailing list

David Piscitello
3 Myrtle Bank Lane, Hilton Head, SC 29926
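The screen/choke split discussed above, as an added worked model that is not part of the thread and not anyone's deployed configuration: a stateless "screen" filter in the border-router role, followed by a stateful default-deny "choke" in the firewall role, evaluated in series over a handful of constructed packets. The address blocks (203.0.113.0/24 as the inside, the RFC 1918 ranges as bogons), the published and permitted service lists, and the sample packets are all assumptions made for the example.

```python
"""Screen-and-choke firewall model.

Added example, not code from the firewall-wizards thread.  Two filters run in
series: a stateless SCREEN (the border-router ACL role) that drops only what no
legitimate Internet peer would ever send, and a stateful default-deny CHOKE (the
firewall role) that enforces the actual service policy.  Address blocks,
service lists and packets are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = ip_network("203.0.113.0/24")      # assumed public block behind the choke
BOGONS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = from the Internet, "out" = from inside
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # tcp only: True for a connection attempt, False mid-stream


def screen(pkt: Packet) -> Optional[str]:
    """Stateless border ACL.  Returns a drop reason, or None to pass it on."""
    src = ip_address(pkt.src)
    if pkt.direction == "in":
        if src in INSIDE:
            return "screen: inbound packet spoofs an inside source"
        if any(src in net for net in BOGONS):
            return "screen: inbound packet from private/bogon source"
    elif src not in INSIDE:
        return "screen: outbound packet with a non-inside source (egress filter)"
    return None  # everything else is the choke's decision


class Choke:
    """Stateful default-deny firewall keyed on the 5-tuple."""
    PUBLISHED = {("tcp", 443), ("tcp", 25)}             # assumed DMZ services
    OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # assumed egress policy

    def __init__(self) -> None:
        # (proto, src, sport, dst, dport) of outbound flows we have allowed
        self.flows: set = set()

    def filter(self, pkt: Packet) -> Optional[str]:
        if pkt.direction == "out":
            if (pkt.proto, pkt.dport) not in self.OUTBOUND:
                return "choke: outbound service not permitted"
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return None
        # inbound: is it the reply leg of a flow we opened?
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return None
        if pkt.proto == "tcp" and not pkt.syn:
            return "choke: mid-stream tcp segment with no matching flow"
        if (pkt.proto, pkt.dport) in self.PUBLISHED:
            return None
        return "choke: default deny"


def run_series(packets):
    """Evaluate each packet through screen then choke; return one verdict each."""
    choke = Choke()
    verdicts = []
    for pkt in packets:
        reason = screen(pkt) or choke.filter(pkt)
        verdicts.append(reason or "pass")
    return verdicts


# Constructed traffic sample (RFC 5737 documentation addresses).
SAMPLE = [
    Packet("in",  "tcp", "198.51.100.7",  40000, "203.0.113.10", 443),             # web hit
    Packet("in",  "tcp", "203.0.113.99",  40001, "203.0.113.10", 443),             # spoofed
    Packet("in",  "tcp", "198.51.100.7",  40002, "203.0.113.10", 22),              # ssh probe
    Packet("out", "udp", "203.0.113.20",  53000, "198.51.100.53", 53),             # DNS query
    Packet("in",  "udp", "198.51.100.53", 53,    "203.0.113.20", 53000),           # DNS reply
    Packet("in",  "udp", "198.51.100.53", 53,    "203.0.113.20", 53001),           # not a reply
    Packet("in",  "tcp", "198.51.100.7",  40003, "203.0.113.10", 443, syn=False),  # ACK scan
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_series(SAMPLE)):
        print(f"{pkt.direction:3} {pkt.proto} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport}  {verdict}")
```

The second sample packet is the reason the screen earns its place even when the choke is default-deny: it is a spoofed inside source aimed at a published port, so the choke's service policy alone would accept it, while the screen's anti-spoofing rule drops it before the firewall ever sees it. The remaining packets show the choke doing the work the screen should not duplicate (state tracking, the default deny on unpublished ports).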


