Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Chris Blask <chris () blask org>
Date: Thu, 25 May 2006 15:42:07 -0400

At 12:11 PM 24/05/2006, Robert A Beken wrote:

I have a question for the group about this new trend of using a single 
firewall for all IDS and Firewall related tasks in an integrated box for 
enterprise organizations (not SOHO).  I personally think it's a bad idea 
and lacks flexibility in configuration and  "defense in depth" posture 
towards security.  What are other people's thoughts?

Hey Robert!

In the end, embedding security functionality into the network is inevitable and necessary.  As has been said eloquently 
by others on the thread, the real question is "at what point is it a good idea to integrate Security Function X with 
Function Y?".  This depends on detail of the discreet application and the vendor offerings at that time.

In short: we've crossed over the boundary wherein it was always best to separate security activities from each other as 
well as non-security functions, but we have not yet reached the state where integrated functionality is typically an 
obvious winner.

You need to weigh the specific bits of desired functionality for different applications on your network to determine 
whether a dedicated or hybrid solution is correct.  You need to do this in the primary context of the amount of 
resources available to you (and if that is an infinite amount, you don't need our help... ;~).  IMO, the current PIX 
("ASA" my fanny) is pretty good and the ISR idea (one sheetmetal box with multiple purpose-built hardware modules) is a 
solid concept showing some early positive applications.

With those thoughts in mind, I suggest looking at the management infrastructure as the biggest single gain in security 
for resources spent.  None of this stuff makes much difference in the end if you can't  see what it's doing.



No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.1.392 / Virus Database: 268.7.0/345 - Release Date: 22/05/2006

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]