Firewall Wizards mailing list archives
RE: Multiple firewalls from different manufactureres
From: MHawkins () TULLIB COM
Date: Wed, 26 Jan 2005 16:26:32 -0500

"commodity pricing on firewalls"

Am I the only one who fainted when I saw this?

Mike Hawkins

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of Paul D. Robertson
Sent: Wednesday, January 26, 2005 4:04 PM
To: Shimon Silberschlag
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Multiple firewalls from different manufactureres

On Wed, 26 Jan 2005, Shimon Silberschlag wrote:
> Hello Group,
>
> In the past, I used to hear the recommendation that an internet facing
> firewall setup should include at least 2 firewalls from different
> manufacturers. The reasoning behind it was that if you had a fatal
> vulnerability in one of them, one that could enable an attacker to "own"
> the first, the second one will resist a similar attack.

That wasn't the only rationale for not having a single layer of failure...

> Today, when attacks are shifting towards using the already open ports on
> the firewall, at the application level, do you think that such a setup is
> still mandatory and/or recommended? Do you see such setups implemented? Or
> do most setups include a single FW with multiple DMZs, connected directly
> to the internal network? Perhaps the screened subnet variety with 2 FW, but
> the same brand, is the most popular?
I still try to at least get a screening router up front that does have a different packet filtering implementation (so I don't generally use green firewalls.)

To me, it's a matter of not designing easy to fail infrastructure. With two devices, you have the chance to catch configuration failures, not just implementation failures. If possible, it's nice to have two different groups handling each piece in coordination, so that you have to have two people co-opted to start punching holes, especially admin-installed backdoors.

With commodity pricing on firewalls, it's really a question of "what do you have to lose?"

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

"Disclaimer: This electronic mail is intended only for the use of the addressee(s) named herein. Unless otherwise specifically stated, the views contained and expressed in this electronic mail are strictly those of the individual sender and are not the views of the Company or any of its Directors or other employees. If you are not the intended recipient of this electronic mail, you are hereby notified that any dissemination, distribution or copying of this electronic mail is strictly prohibited. If you received this electronic mail in error please immediately notify us by return electronic mail and delete this electronic mail from your system."