Security Basics mailing list archives

Re: Firewall Basics


From: Miles Stevenson <mstevenson () sans org>
Date: Wed, 21 Jul 2004 13:03:45 -0400

Greetings Jennifer.

        I assume that your "service" network and your "production" network are not 
connected to each other, and you are wondering if you should use the same 
brand of firewall (Cisco PIX) for your new "service" network.

        It is true that there can be security gains from diversity. One of the 
biggest examples of this can be seen with the hordes of Microsoft Windows 
related viruses and worms wreaking havoc on the entire internet from time to 
time, simply because so many people are using the same platform. As far as 
firewalls are concerned, there are some schools of thought who recommend 2 
layers of firewalls that are separate platforms (i.e., maybe putting a *nix 
based firewall behind your PIX firewall). The idea is that if there is a 
network stack vulnerability in one firewall, then the same vulnerability 
probably won't be found in the other. 

        I generally don't like this idea at all. One of the biggest reasons is that 
you now have to maintain 2 firewall rulesets in 2 different syntax languages. 
I would be much more worried about vulnerabilities in my firewall 
configuration at this point than in the network stack of the firewall itself. 

        My advice is simply to use what you know best. If you know the PIX platform 
well, then stick with it. It will simplify your setup and minimize user 
related errors that open up new holes in your network.

On Wednesday 21 July 2004 11:18 am, Jennifer Fountain wrote:
Hi all:

I am designing a "service" network that is separate from our
"production" network.  Our web sites, email server, etc will be
utilizing this network; whereas, internet traffic and vpn traffic will
utilize the other.  My question is in regards to firewalls.  Currently,
I am using a PIX for my production network.  From what I have been
hearing, it is recommended to use two different firewall vendors in this
situation.  Is this a general consensus with all of you?  Or do you
think having another pix would be ok?  Thanks for any info!


Kind Regards,

Jennifer


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills of an Ethical Hacker to better assess the security of your
organization. Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
---------------------------------------------------------------------------

-- 
Miles D. Stevenson
The SANS Institute
Network Operations Center
mstevenson () sans org

