Firewall Wizards mailing list archives

RE: Multiple firewalls from different manufacturers


From: "Hurst, Dave" <dhurst () lisletech com>
Date: Fri, 28 Jan 2005 17:31:23 -0600

On Fri, 28 Jan 2005, Paul Robertson wrote:
> On Fri, 28 Jan 2005, Hurst, Dave wrote:
>
> > I certainly agree that multiple devices, be they firewalls, routers, or
> > whatever, layered to provide defense in depth provide a more secure
> > network.  Do people have any sense for how often organizations actually
> > follow this best practice?  Or is it considered too complex and too
> > difficult to manage effectively, i.e. one firewall is "good enough" so
> > it's just left at that?
>
> Last I saw stats, over 70% of firewalls were either misconfigured or
> poorly configured.  I've seen everything from "Sure we have a firewall!
> Over there in that box!" to "We have a firewall with two rules, drop this
> specific bad thing and allow everything else."  Most places I hit seem to
> have an "Allow it all out" ruleset these days.  If people can't get one
> right, then two is going to be a miracle...

That may be the case for some small shops, but I'm wondering if that's
really the case for organizations that have more complex networks.  If
you're segmenting the network into subnets to isolate different parts of
the organization or to contain mobile users, providing secure access for
remote users, connecting geographically distributed locations with VPN
links, providing extranet services to customers, or any of a dozen other
things that are driving complexity in the network infrastructure these
days, then deploying just a single firewall seems untenable.


--DaveH         "Be Excellent to each other!"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

