Firewall Wizards mailing list archives

Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

From: Dave Piscitello <dave () corecom com>
Date: Thu, 25 May 2006 13:39:51 -0400

Robert A Beken wrote:

I have a question for the group about this new trend of using a singlefirewall for all IDS and Firewall related tasks in an integrated box forenterprise organizations (not SOHO). I personally think it's a bad ideaand lacks flexibility in configuration and "defense in depth" posturetowards security. What are other people's thoughts?


Most midrange enterprise firewalls have some IPS, some have this as well
as AV, antispam, antispyware.  Firewall/IPS vendors can't compete in the
global 2000 market unless they integrate such features and so you aren't
going to see many "pure play" firewalls.

You can still have DiD. You do so by deploying multiple and diverse
security services where they are most effective in enforcing policy.

For example, I can configure an Internet-facing security appliance to
handle DDoS and network threats. Behind this, on a trusted segment where
I have web/application servers, I can put a security appliance that
examines http streams and protects my servers from input validation, sql
injection and other application level attacks. On a separate trusted
segment/VLAN where I connect clients, I can put a security appliance
that that proxies HTTP and handles URL filtering and strips content that
is disallowed by policy. The security appliance protecting the client
LAN/VLANs might also perform gateway antispyware, antispam and AV.

Several *security appliances* support all these security services. So I
could use the same appliance in different locations in my network in a
DiD configuration, and have a common management platform. How much more
flexibility do you want?

The myth you need to help debunk is this: the fact that all the security
services your organization might require are bundled into a single
security appliance shouldn't lead you to conclude that you can satisfy
all your security policy objectives at a single location, using a single
device.

Attachment: dave.vcf
Description:

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Robert A Beken (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Shashi Shekhar (May 25)
  - Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) R. Rocky (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Johann_van_Duyn (May 25)
  - Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) sushil menon (May 25)
    - Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Paul D. Robertson (May 25)
    - Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) ArkanoiD (May 26)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Dave Piscitello (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) ArkanoiD (May 25)
- Message not available
  - Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Chris Blask (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) George Capehart (May 25)
- Message not available
  - Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Marcus J. Ranum (May 25)
    - Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Frank Pawlak (May 25)
    - Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Jim Seymour (May 26)
    - Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Frank Pawlak (May 26)
    - Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Marcus J. Ranum (May 26)
    - Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Carson Gaspar (May 26)
    - Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Chris Blask (May 25)

(Thread continues...)