Firewall Wizards mailing list archives
Re: Multiple firewalls from different manufacturers
From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 28 Jan 2005 09:30:10 -0500 (EST)
On Thu, 27 Jan 2005, Shimon Silberschlag wrote:
> Paul, I was more aiming at the issue of having the FW made by different manufacturers. There is a lot to be gained from having a common platform that the admins are familiar with; the chances for human errors are reduced, to say the least.

That was the basis of my "single layer of failure" comment, and why I wouldn't buy a firewall from my router vendor: I *want* different code. If your technical staff can't handle two firewall products, it's time to trade out the staff, not the products.

> And yes, I too advocate the use of a screening router in front of the external FW. The question is, do I *have* to get a different brand FW for the internal one? And if the answer is yes, what's the reasoning?

We'll still have failures in things like VPNs, IPv6 will probably have all the vendors doing all the old stupid stuff and some new stupid stuff, if you're using authentication, that tends to be tricky, etc.

> Do you see "head-on" attacks on the fw (trying to get to the fw in spite of a stealth rule defined) as a viable/sizeable threat today?

It's never been just about the firewall; transport layer and state engine bugs have happened in the past, let's not even talk about the folks who think IPS on the firewall is a rocking good thing and the parsing issues and update of the month stuff that happens there. I like having one stateful thing outside, and one proxy inside, and I like a router between the inside users and the inside firewall too. Less chance for bad stuff to happen either from the inside or the outside.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards