Re: [fw-wiz] How should an Internet connection/firewall be designed?




On Thu, 18 Jan 2007, AMuse wrote:


> How many companies have two serial firewalls from different vendors?
>
> How many companies have an IPS/deep-packet-inspection device between the
> firewall and the border router?
>
> How many companies still use IDS?
>
> How many companies have some form of deep packet inspection device in
> front of their DMZ web servers? What do they use?


My guess to all four questions above would be "Few small companies, some
medium-sized companies, many large companies and very many government
agencies".


> It seems like the added complexity and multiple devices will increase
> management costs and may actually decrease security and reliability.
> Our current design may be rather simple but in over 12 years we have had
> less than a couple of hours of down time and have not had a detected
> break-in to our internal network.

In general, I believe all added complexity increases management costs
and, if poorly managed, may decrease security and reliability. The
question is what is your budget, what are the trade-offs between security
and availability, and what is the data worth to you compared to the above?

Incidentally, not having a detected break-in to the internal network is
not a great yardstick for how good your security is. For instance, a
small company with no analysts might have a dozen attackers rootkitting
them and not know it. :)



I find that many such posts and requests like this these days do not
even mention the best, oldest, and cheapest of network-based IPS
systems, the screening router.... I guess in these days of consolidated
appliances worth huge budgets that simple, sweet, and fairly inexpensive
to set up and maintain is no longer kosher.




Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


