Firewall Wizards mailing list archives
Re: cyberguard performance?
From: Kevin Steves <stevesk () pobox com>
Date: Sat, 4 Jan 2003 09:26:02 -0800
On Fri, Jan 03, 2003 at 11:46:41AM -0500, Pieper, Rodney wrote:
> Perhaps the best description of the multiple device is "Defense in Depth". The philosophy that a vulnerability that can be applied to the security device at the edge and defeat the security control will not be the same vulnerability that is found on the next security device (between the DMZ and the Intranet).
Or between the next layer of the security perimeter. There are firewalls that have: exterior filtering router <-> exterior firewall gateway <-> interior firewall gateway <-> interior filtering router <-> private network. With various DMZs off the gateways and HA etc.
> By using multiple vendors' devices one can create a much more difficult path towards compromise of the 'plums'.
That can be called diversity in defense, or also diversity in depth. I've designed firewalls that used 2 different vendor firewall products in tandem, but the reason wasn't strictly diversity. One was a good stateful packet filter, and the other was a good application level gateway.