Re: Multiple firewalls from different manufactureres

["Shimon Silberschlag" <shimons () bll co il>]

Paul,

I was more aiming to the issue of having the FW made by different 
manufacturers. There is a lot to be gained from having a common platform 
that the admins are familiar with, the chances for human errors are reduced, 
to say the least.

And yes, I too advocate the use of a screening router in front of the 
external FW. The question is, do I *have* to get a different brand FW for 
the internal one? And if the answer is yes, what's the reasoning?

Do you see "head-on" attacks on the fw (trying to get to the fw in spite of 
a stealth rule defined) as a viable/sizeable threat today?

Shimon Silberschlag

+972-3-9351572
+972-50-7207130

----- Original Message ----- 
From: "Paul D. Robertson" <paul () compuwar net>
To: "Shimon Silberschlag" <shimons () bll co il>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Wednesday, January 26, 2005 11:04 PM
Subject: Re: [fw-wiz] Multiple firewalls from different manufactureres


> On Wed, 26 Jan 2005, Shimon Silberschlag wrote:
>
> > Hello Group,
> >
> > In the past, I used to hear the recommendation that an internet facing
> > firewall setup should include at least 2 firewalls from different
> > manufacturers. The reasoning behind it was that if you had a fatal
> > vulnerability in one of them, one that could enable an attacker to "own" 
> > the
> > first, the second one will resist a similar attack.
>
> That wasn't the only rationale for not having a single layer of failure...
>
> > Today, when attacks are shifting towards using the already open ports on 
> > the
> > firewall, at the application level, do you think that such a setup is 
> > still
> > mandatory and/or recommended? Do you see such setups implemented? Or does
> > most setups include a single FW with multiple DMZs, connected directly to
> > the internal network? Perhaps the screened subnet variety with 2 FW, but 
> > the
> > same brand, is the most popular?
>
> I still try to at least get a screening router up front that does have a
> different packet filtering implementation (so I don't generally use green
> firewalls.)  To me, it's a matter of not designing easy to fail
> infrastructure.
>
> With two devices, you have the chance to catch configuration failures, not
> just implementation failures.  If possible, it's nice to have two
> different groups handling each piece in coordination, so that you have to
> have two people co-opted to start punching holes, especially
> admin-installed backdoors.
>
> With commodity pricing on firewalls, it's really a question of "what do
> you have to lose?"
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal 
> opinions
> paul () compuwar net       which may have no basis whatsoever in fact." 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards