Firewall Wizards mailing list archives
Re: (no subject)
From: <broyds () rogers com>
Date: Wed, 6 Nov 2002 10:41:17 -0500
Two firewalls can be more secure, but not if they are really of the same type, such as Checkpoint (although FW-1/NG has more proxy capabilities) and PIX, which are both stateful inspection firewalls. I would have the outer-facing one be a stateful firewall like PIX (or FW-1) for its speed and robustness under load, and the inner one be an application gateway like Gauntlet, Symantec, or even Microsoft ISA. Your DMZ would be connected to the segment in between, so its traffic would be firewalled but without the latency that an ALG creates. If your internal network has many MS Windows desktops, this would help enforce policy at L7 for desktop users.
From: LazloCarreidas () netscape net
Date: 2002/11/06 Wed AM 07:02:09 EST
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] (no subject)
Hi.
My company is considering installing two firewalls in series, i.e. to have two layers of defense. We would use CheckPoint NG and Cisco PIX (we do not use open source, etc.).
Here are some key design points:
* NG would be the first line of defense, i.e. connected to the Internet. It will allow the use of CheckPoint VPN for external users, plus firewalling.
* PIX would be the second one. It will do the NATting, plus firewalling.
* We need DMZ capabilities.
To do that, we are considering several possibilities:
- connect the DMZ to the NG only;
- connect the DMZ to the PIX only;
- have a "shared" DMZ, i.e. one based on two subnets (each connected to a firewall), where some machines have dual interfaces (no routing between them, of course) when needed;
- have two DMZs, each connected to a firewall.
I would like to have your comments on these proposals.
For example, we are wondering if having two layers of firewalls is really more secure, even if less manageable.
We are also interested in hearing about your experiences, the hidden culprits, the obvious flaws, etc.
Thanks a lot to you...
Lazló
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
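The layered design broyds describes above (outer stateful firewall, inner application gateway, DMZ on the segment in between), as an added example that is not part of the thread: a small Python model of which firewall each flow crosses, with constructed sample policies, used to check that a flow is only allowed when every layer on its path permits it, and to find rules that one layer allows but the other layer silently denies (a manageability pitfall of running two different products in series). Zone names, ports and both rule sets are assumptions for illustration.

```python
from itertools import product

# Topology (assumed for the example): internet --[outer]-- dmz --[inner]-- internal.
# Zones are listed in chain order; each adjacent pair is separated by one firewall.
CHAIN = ["internet", "dmz", "internal"]
FIREWALLS = {("internet", "dmz"): "outer", ("dmz", "internal"): "inner"}

def path(src, dst):
    """Firewalls crossed by a flow from zone src to zone dst, in traversal order."""
    i, j = CHAIN.index(src), CHAIN.index(dst)
    step = 1 if j > i else -1
    hops = []
    for k in range(i, j, step):
        pair = (CHAIN[k], CHAIN[k + step]) if step == 1 else (CHAIN[k + step], CHAIN[k])
        hops.append(FIREWALLS[pair])
    return hops

# Constructed sample policies: each firewall is default-deny and holds the
# (src_zone, dst_zone, dst_port) tuples it permits. The inner ALG only proxies
# a subset of what the outer stateful firewall lets through.
POLICY = {
    "outer": {("internet", "dmz", 25), ("internet", "dmz", 80), ("internet", "dmz", 443),
              ("internet", "internal", 80), ("internet", "internal", 443),
              ("internal", "internet", 80), ("internal", "internet", 443),
              ("dmz", "internet", 25)},
    "inner": {("internet", "internal", 443),
              ("internal", "internet", 80), ("internal", "internet", 443)},
}

def allowed(src, dst, port, policy=POLICY):
    """Defense in depth: a flow passes only if every firewall on its path permits it."""
    return all((src, dst, port) in policy[fw] for fw in path(src, dst))

def audit(policy=POLICY, ports=(22, 25, 80, 443)):
    """Report rules that one layer allows but another layer on the same path denies.
    Such rules are dead: they add attack surface on one box and no useful access."""
    findings = []
    for src, dst, port in product(CHAIN, CHAIN, ports):
        if src == dst:
            continue
        votes = {fw: (src, dst, port) in policy[fw] for fw in path(src, dst)}
        if any(votes.values()) and not all(votes.values()):
            open_on = ", ".join(fw for fw, ok in votes.items() if ok)
            closed_on = ", ".join(fw for fw, ok in votes.items() if not ok)
            findings.append(f"shadowed rule: {src}->{dst}:{port} allowed on {open_on}"
                            f" but denied on {closed_on}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit()) or "no shadowed rules")
```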