Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Chris Blask <chris () blask org>
Date: Thu, 25 May 2006 15:42:07 -0400
At 12:11 PM 24/05/2006, Robert A Beken wrote:
I have a question for the group about this new trend of using a single
firewall for all IDS and Firewall related tasks in an integrated box for
enterprise organizations (not SOHO). I personally think it's a bad idea
and lacks flexibility in configuration and "defense in depth" posture
towards security. What are other people's thoughts?
In the end, embedding security functionality into the network is inevitable and necessary. As has been said eloquently
by others on the thread, the real question is "at what point is it a good idea to integrate Security Function X with
Function Y?". This depends on detail of the discrete application and the vendor offerings at that time.
In short: we've crossed over the boundary wherein it was always best to separate security activities from each other as
well as non-security functions, but we have not yet reached the state where integrated functionality is typically an
You need to weigh the specific bits of desired functionality for different applications on your network to determine
whether a dedicated or hybrid solution is correct. You need to do this in the primary context of the amount of
resources available to you (and if that is an infinite amount, you don't need our help... ;~). IMO, the current PIX
("ASA" my fanny) is pretty good and the ISR idea (one sheetmetal box with multiple purpose-built hardware modules) is a
solid concept showing some early positive applications.
With those thoughts in mind, I suggest looking at the management infrastructure as the biggest single gain in security
for resources spent. None of this stuff makes much difference in the end if you can't see what it's doing.
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com