Firewall Wizards mailing list archives
Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Dave Piscitello <dave () corecom com>
Date: Thu, 25 May 2006 13:39:51 -0400
Robert A Beken wrote:
I have a question for the group about this new trend of using a single firewall for all IDS and Firewall related tasks in an integrated box for enterprise organizations (not SOHO). I personally think it's a bad idea and lacks flexibility in configuration and "defense in depth" posture towards security. What are other people's thoughts?
Most midrange enterprise firewalls have some IPS, some have this as well as AV, antispam, antispyware. Firewall/IPS vendors can't compete in the global 2000 market unless they integrate such features and so you aren't going to see many "pure play" firewalls.

You can still have DiD. You do so by deploying multiple and diverse security services where they are most effective in enforcing policy. For example, I can configure an Internet-facing security appliance to handle DDoS and network threats. Behind this, on a trusted segment where I have web/application servers, I can put a security appliance that examines http streams and protects my servers from input validation, sql injection and other application level attacks. On a separate trusted segment/VLAN where I connect clients, I can put a security appliance that proxies HTTP and handles URL filtering and strips content that is disallowed by policy. The security appliance protecting the client LAN/VLANs might also perform gateway antispyware, antispam and AV.

Several *security appliances* support all these security services. So I could use the same appliance in different locations in my network in a DiD configuration, and have a common management platform. How much more flexibility do you want?

The myth you need to help debunk is this: the fact that all the security services your organization might require are bundled into a single security appliance shouldn't lead you to conclude that you can satisfy all your security policy objectives at a single location, using a single device.
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
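The placement argument in the reply above (the same appliance class deployed at several enforcement points, each with a different service profile, versus one box at the Internet edge) can be checked mechanically. The following is an added illustration and is not code from the original post or from any vendor; the zone names, enforcement-point names, service labels and the list of "required controls per flow" are all hypothetical and chosen only to model the topology the reply describes. It walks each traffic flow through the zone graph, collects the services of every appliance the flow actually crosses, and reports the controls a flow never meets. The interesting result is the client-to-server flow: it never touches the Internet-facing appliance, so a single edge box with every feature enabled still leaves it uninspected.

```python
"""Policy-coverage check for segmented enforcement points (added example, hypothetical names)."""
from collections import deque

# Enforcement-point names are hypothetical labels for appliance instances.
EDGE = "internet-edge"
SERVER_GW = "server-segment-gw"
CLIENT_GW = "client-segment-gw"

# Defence-in-depth layout from the reply: same appliance class, different
# service profile at each location.
DID_PROFILES = {
    EDGE: {"stateful-fw", "ddos", "network-ips"},
    SERVER_GW: {"stateful-fw", "http-inspection", "sqli-filter"},
    CLIENT_GW: {"stateful-fw", "http-proxy", "url-filter", "av", "antispyware", "antispam"},
}
# Zone graph: each link names the appliance sitting between two zones, or
# None when the zones are joined by plain switching with no inspection.
DID_LINKS = {
    ("internet", "core"): EDGE,
    ("core", "servers"): SERVER_GW,
    ("core", "clients"): CLIENT_GW,
}

# The "one box does everything" layout the reply warns against: every
# service enabled, but only at the Internet edge.
SINGLE_BOX_PROFILES = {EDGE: set().union(*DID_PROFILES.values())}
SINGLE_BOX_LINKS = {
    ("internet", "core"): EDGE,
    ("core", "servers"): None,
    ("core", "clients"): None,
}

# Hypothetical policy: which controls each flow (src zone, dst zone) must meet.
REQUIRED = {
    ("internet", "servers"): {"ddos", "http-inspection", "sqli-filter"},
    ("clients", "internet"): {"url-filter", "av"},
    ("clients", "servers"): {"http-inspection", "sqli-filter"},
}


def enforcement_points(src, dst, links):
    """Return the ordered list of appliances a flow from src to dst crosses.

    Breadth-first search over the undirected zone graph; links with no
    appliance (None) are traversed but contribute no enforcement point.
    """
    adjacency = {}
    for (a, b), point in links.items():
        adjacency.setdefault(a, []).append((b, point))
        adjacency.setdefault(b, []).append((a, point))
    queue = deque([(src, [])])
    seen = {src}
    while queue:
        zone, crossed = queue.popleft()
        if zone == dst:
            return crossed
        for nxt, point in adjacency.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, crossed + ([point] if point else [])))
    raise ValueError(f"no path from {src} to {dst}")


def coverage_gaps(links, profiles, required):
    """Map each flow to the required controls no appliance on its path provides."""
    gaps = {}
    for (src, dst), needed in required.items():
        enforced = set()
        for point in enforcement_points(src, dst, links):
            enforced |= profiles.get(point, set())
        missing = needed - enforced
        if missing:
            gaps[(src, dst)] = missing
    return gaps


if __name__ == "__main__":
    print("DiD layout gaps:       ", coverage_gaps(DID_LINKS, DID_PROFILES, REQUIRED))
    print("Single-box layout gaps:", coverage_gaps(SINGLE_BOX_LINKS, SINGLE_BOX_PROFILES, REQUIRED))
```

Run as a script, the DiD layout reports no gaps, while the single-box layout reports that the clients-to-servers flow is missing http-inspection and sqli-filter, because that flow is switched inside the trusted core and never reaches the edge appliance. The same check generalises to any zone graph: add links and profiles for a real topology and the function tells you which policy objectives a given placement cannot enforce, regardless of how many features the box supports.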
Current thread:
- Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Robert A Beken (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Shashi Shekhar (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) R. Rocky (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Johann_van_Duyn (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) sushil menon (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Paul D. Robertson (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) ArkanoiD (May 26)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) sushil menon (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Shashi Shekhar (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Dave Piscitello (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) ArkanoiD (May 25)
- Message not available
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Chris Blask (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) George Capehart (May 25)
- Message not available
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Marcus J. Ranum (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Frank Pawlak (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Jim Seymour (May 26)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Frank Pawlak (May 26)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Marcus J. Ranum (May 26)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Carson Gaspar (May 26)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Marcus J. Ranum (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Chris Blask (May 25)