Firewall Wizards: Re: Multiple firewalls from different manufacturers

Re: Multiple firewalls from different manufacturers

From: Devdas Bhagat <devdas_at_dvb.homelinux.org>
Date: Thu, 27 Jan 2005 02:54:00 +0530

On 26/01/05 18:23 +0200, Shimon Silberschlag wrote:
> Hello Group,
>
> In the past, I used to hear the recommendation that an internet facing
> firewall setup should include at least 2 firewalls from different
> manufacturers. The reasoning behind it was that if you had a fatal
> vulnerability in one of them, one that could enable an attacker to "own" the
> first, the second one will resist a similar attack.
>
> Today, when attacks are shifting towards using the already open ports on the
> firewall, at the application level, do you think that such a setup is still
> mandatory and/or recommended? Do you see such setups implemented? Or does

Attacks have almost always been at the application layer. The exceptions
have mostly been DoS attacks, which can exploit a vulnerability in an IP
stack implementation to bring down a host or router.

Packet filters worked well enough when it was possible to lock out
external networks from accessing any important services (no web-enabled
database applications, so a whole class of SQL injection attacks was
avoidable from the open Internet, etc.).

IMHO, rather than using multiple firewalls, I would use a strong policy,
filesystem ACLs, proxies, and a less common system for my packet
filtering edge system (OpenBSD, or FreeBSD most likely). A different OS on
the proxies, servers and firewalls helps, but it is up to the
organisation to determine if the added benefits are worth the cost.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Jan 28 2005
