Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Dave Piscitello <dave () corecom com>
Date: Thu, 25 May 2006 13:39:51 -0400

Robert A Beken wrote:
I have a question for the group about this new trend of using a single firewall for all IDS and Firewall related tasks in an integrated box for enterprise organizations (not SOHO). I personally think it's a bad idea and lacks flexibility in configuration and "defense in depth" posture towards security. What are other people's thoughts?

Most midrange enterprise firewalls have some IPS, some have this as well
as AV, antispam, antispyware.  Firewall/IPS vendors can't compete in the
global 2000 market unless they integrate such features and so you aren't
going to see many "pure play" firewalls.

You can still have DiD. You do so by deploying multiple and diverse
security services where they are most effective in enforcing policy.

For example, I can configure an Internet-facing security appliance to
handle DDoS and network threats. Behind this, on a trusted segment where
I have web/application servers, I can put a security appliance that
examines http streams and protects my servers from input validation, sql
injection and other application level attacks. On a separate trusted
segment/VLAN where I connect clients, I can put a security appliance
that that proxies HTTP and handles URL filtering and strips content that
is disallowed by policy. The security appliance protecting the client
LAN/VLANs might also perform gateway antispyware, antispam and AV.

Several *security appliances* support all these security services. So I
could use the same appliance in different locations in my network in a
DiD configuration, and have a common management platform. How much more
flexibility do you want?

The myth you need to help debunk is this: the fact that all the security
services your organization might require are bundled into a single
security appliance shouldn't lead you to conclude that you can satisfy
all your security policy objectives at a single location, using a single

Attachment: dave.vcf

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]