Firewall Wizards mailing list archives

RE: Multiple firewalls from different manufacturers


From: MHawkins () TULLIB COM
Date: Wed, 26 Jan 2005 16:26:32 -0500

"commodity pricing on firewalls"

Am I the only one who fainted when I saw this?

Mike Hawkins

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul D. Robertson
Sent: Wednesday, January 26, 2005 4:04 PM
To: Shimon Silberschlag
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Multiple firewalls from different manufacturers


On Wed, 26 Jan 2005, Shimon Silberschlag wrote:

> Hello Group,
>
> In the past, I used to hear the recommendation that an internet facing
> firewall setup should include at least 2 firewalls from different
> manufacturers. The reasoning behind it was that if you had a fatal
> vulnerability in one of them, one that could enable an attacker to "own"
> the first, the second one will resist a similar attack.

That wasn't the only rationale for not having a single layer of failure...

> Today, when attacks are shifting towards using the already open ports on
> the firewall, at the application level, do you think that such a setup is
> still mandatory and/or recommended? Do you see such setups implemented? Or
> do most setups include a single FW with multiple DMZs, connected directly
> to the internal network? Perhaps the screened subnet variety with 2 FW,
> but the same brand, is the most popular?

I still try to at least get a screening router up front that does have a
different packet filtering implementation (so I don't generally use green
firewalls.)  To me, it's a matter of not designing easy-to-fail
infrastructure.

With two devices, you have the chance to catch configuration failures, not
just implementation failures.  If possible, it's nice to have two
different groups handling each piece in coordination, so that you have to
have two people co-opted to start punching holes, especially
admin-installed backdoors.

With commodity pricing on firewalls, it's really a question of "what do
you have to lose?"

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
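As an added illustration of Paul's point that two independently administered layers let you catch configuration failures and not just implementation bugs (example code written for this archive page, not from any list member): the script below models a screening router ACL and an inner firewall as first-match rule lists, then reports flows that both layers permit but nobody intended, and flows that only one layer permits. All rule sets, addresses and the intended-service list are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str    # "tcp" or "udp"
    dst: str      # destination network in CIDR form
    port: int
    permit: bool


def allows(rules, proto, dst_ip, port):
    """First-match evaluation with an implicit final deny, as an ACL does."""
    for r in rules:
        if r.proto == proto and r.port == port and ip_address(dst_ip) in ip_network(r.dst):
            return r.permit
    return False


def audit(outer, inner, intended, candidates):
    """Compare what the two layers really let through with the intended service list.

    Returns (exposed, one_layer_only): flows both layers permit that are not in
    the intended list (an effective, unexpected hole), and flows only one layer
    permits (a discrepancy between the two admin groups that should be reviewed).
    """
    exposed, one_layer_only = [], []
    for flow in candidates:
        o, i = allows(outer, *flow), allows(inner, *flow)
        if o and i and flow not in intended:
            exposed.append(flow)
        elif o != i:
            one_layer_only.append(flow)
    return exposed, one_layer_only


# Constructed sample policies (hypothetical addresses from the 192.0.2.0/24 documentation range).
OUTER = [Rule("tcp", "192.0.2.0/24", 80, True), Rule("tcp", "192.0.2.0/24", 443, True),
         Rule("tcp", "192.0.2.0/24", 22, True), Rule("tcp", "192.0.2.0/24", 4444, True)]
INNER = [Rule("tcp", "192.0.2.10/32", 80, True), Rule("tcp", "192.0.2.10/32", 443, True),
         Rule("tcp", "192.0.2.10/32", 4444, True)]   # 4444 was never in the service inventory
INTENDED = {("tcp", "192.0.2.10", 80), ("tcp", "192.0.2.10", 443)}
CANDIDATES = [("tcp", "192.0.2.10", p) for p in range(1, 5001)]   # sweep the low port range

if __name__ == "__main__":
    exposed, discrepancies = audit(OUTER, INNER, INTENDED, CANDIDATES)
    print("permitted by both layers but unintended:", exposed)      # 4444: review immediately
    print("permitted by one layer only:", discrepancies)            # 22: router opened, firewall did not
```

Port 4444 shows the case the thread is about: a hole that only exists because it was punched through both layers, which the diff against the intended inventory surfaces regardless of which admin group added it.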