Firewall Wizards: RE: Multiple firewalls from different manufactureres

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Firewall Wizards mailing list archives

RE: Multiple firewalls from different manufactureres

From: "Hurst, Dave" <dhurst () lisletech com>
Date: Fri, 28 Jan 2005 13:40:28 -0600

Kevin Kadow wrote:

I still try to at least get a screening router up front that does

have a

different packet filtering implementation (so I don't generally use

green

firewalls.)  To me, it's a matter of not designing easy to fail
infrastructure.


At a minimum, a screening router in front of any firewall makes a lot

of sense,

and recently I've started to deploy screening routers on the inside to

filter

default route outbound traffic.

[...]

With two devices, you have the chance to catch configuration

failures, not

just implementation failures.  If possible, it's nice to have two
different groups handling each piece in coordination, so that you

have to

have two people co-opted to start punching holes, especially
admin-installed backdoors.

[...]

Deploying multiple different types of security device in series adds

cost,

complexity, and failure modes.  Managing the infrastructure requires
more staff with more diverse skills, and the coordination required to
"punch holes" will increase the effort and delay when changes are
legitimately required.

[...]

Do you see such setups implemented? Or does most setups include a
single FW with multiple DMZs, connected directly to the internal

network?


I see a lot of setups where multiple firewalls from different

manufacturers

are deployed, in parallel.


I certainly agree that multiple devices, be they firewalls, routers, or
whatever, layered to provide defense in depth provides a more secure
network.  Do people have any sense for how often organizations actually
follow this best practice?  Or is it considered too complex and too
difficult to manage effectively, i.e. one firewall is "good enough" so
it's just left at that?  

--DaveH         "Be Excellent to each other!"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

By Date By Thread

Current thread:

RE: Multiple firewalls from different manufactureres, (continued)
- Re: Multiple firewalls from different manufactureres Keith A. Glass (Jan 28)
  - Re: Multiple firewalls from different manufactureres Joseph S D Yao (Jan 28)
- RE: Multiple firewalls from different manufactureres Hurst, Dave (Jan 28)
  - RE: Multiple firewalls from different manufactureres Paul D. Robertson (Jan 28)
- RE: Multiple firewalls from different manufactureres Behm, Jeffrey L. (Jan 28)
- Re: Multiple firewalls from different manufactureres Keith A. Glass (Jan 28)
- RE: Multiple firewalls from different manufactureres MHawkins (Jan 28)
  - RE: Multiple firewalls from different manufactureres Paul D. Robertson (Jan 28)