Security Basics mailing list archives

Re: Defense in Depth


From: Ghaith Nasrawi <libero () aucegypt edu>
Date: Wed, 03 Nov 2004 00:29:46 +0000

I don't find them very practical when VPNs are in use. The idea won't work!


On Mon, 2004-11-01 at 03:38, Naren wrote:
Dear all,

My $ 0.02

The idea behind two firewalls is because of different technologies, and 
capabilities, having two firewalls from two different vendors helps minimise 
the possibility of traffic that is not intercepted by one firewall being 
stopped by the other .. like a mix and match.

And normal practice is to have the first level as a Stateful inspection, to 
reduce most common forms of attacks - and also reducing the traffic that 
hits the 2nd level firewall, and the second as an application layer 
firewall, for stricter checking of traffic passing through.

This is a very basic requirement .. and there is no firewall which can stop 
all forms of threats (in my limited experience .. at least ...)

Naren
----- Original Message ----- 
From: Ravi Kumar
To: Ronish Mehta
Cc: security-basics () securityfocus com
Sent: Friday, October 29, 2004 1:35 PM
Subject: Re: Defense in Depth


Hi Ronish,
  Why do you prefer two firewalls? Does that mean you are not confident 
enough in the first firewall's capabilities?!

-Ravi

Ronish Mehta wrote:
Hi List,

I have a network setup with 2 firewalls

There is a DMZ on the Internet facing firewall

This DMZ contains servers that host
both "http" and "https" pages

There is no DMZ on the second firewall

From what I understand, this setup is not providing
defense in depth, at least not full defense in depth

I wanted to create a DMZ on the second firewall, and
move servers that host "HTTPS" pages to this new DMZ

Would this new setup improve the security of the
network?

Thanks for comments,

Ronish



