Firewall Wizards mailing list archives
Re: How should an Internet connection/firewall be designed?
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 19 Jan 2007 20:55:57 +0000 (UTC)
On Thu, 18 Jan 2007, AMuse wrote:
How many companies have two serial firewalls from different vendors? How many companies have an IPS/deep-packet-inspection device between the firewall and the border router? How many companies still use IDS? How many companies have some form of deep packet inspection device in front of their DMZ web servers? What do they use?

My guess to all four questions above would be "Few small companies, some medium sized companies, many large companies and very many government agencies".

It seems like the added complexity and multiple devices will increase management costs and may actually decrease security and reliability. Our current design may be rather simple but in over 12 years we have had less than a couple of hours of down time and have not had a detected break-in to our internal network.

In general, I believe all added complexity increases management costs and, if poorly managed, may decrease security and reliability. The question is what is your budget, what are the trade-offs between security and availability, and what is the data worth to you compared to the above? Incidentally, not having a detected break-in to the internal network is not a great yardstick for how good your security is. For instance, a small company with no analysts might have a dozen attackers rootkitting them and not know it. :)
I find that the lack of mention in many such posts and requests like this these days do not even mention the best, oldest, and cheapest of network based IPS systems, the screening router.... I guess in these days of consolidated appliances worth huge budgets that simple, sweet, and fairly inexpensive to set up and maintain is no longer kosher.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>