Firewall Wizards mailing list archives
RE: Screening Router as a firewall
From: "Steve Fletcher" <safletcher () insightbb com>
Date: Thu, 24 Mar 2005 16:00:19 -0600
Personally, I would go with the two "traditional" firewalls, in addition to ACLs on the router to block traffic that should definitely not be coming in over the Internet, such as private (RFC1918), loopback, and multicast addresses.

As for the make and model of the routers, I have never been a firm believer in having two different brands. I can see where that might be useful in some cases, but for hardware firewalls such as the Cisco PIX, I just have not seen enough evidence of major problems to warrant that.

That being said, I see no reason my ISA2004 could not be used as the second firewall. The company I work for has a lot of customers who are doing just that. While I would not want to rely on ISA as my only line of defense, or even my first line of defense, as a second level of security, I think it works pretty well. Plus, you get extra capabilities that are nice, such as caching of web pages.

Just my $.02 worth.......

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Shimon Silberschlag
Sent: Thursday, March 24, 2005 7:38 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Screening Router as a firewall

Hello group,

Having a request for at least 2 firewalls protecting internet connectivity, would you consider a border router with ACLs as the first firewall, or would you demand to implement ACLs on the router and 2 other "traditional" firewalls?

If you select the first option, would simple "packet filter" type ACLs suffice, or would you demand "stateful" ACLs? (I believe Cisco calls its implementation CBAC).

If you select the second option, would you demand that the 2 firewalls be of different brand, different technology or can they be the same product?

Can ISA2004 serve as the second, internal facing firewall? Anyone using it as such?

TIA,
Shimon Silberschlag
+972-3-9351572
+972-50-7207130

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
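Added example (not part of the original message or thread): a small audit of a screening router's ingress ACL against the source ranges the reply names (RFC1918, loopback, multicast). The ACL text, its number 101 and the function names are constructed for illustration; the check assumes Cisco-style extended entries with destination "any" and is deliberately conservative about partial matches.

```python
import ipaddress

# Source ranges the reply says should never arrive from the Internet.
MUST_BLOCK = {
    "RFC1918 10/8": "10.0.0.0/8",
    "RFC1918 172.16/12": "172.16.0.0/12",
    "RFC1918 192.168/16": "192.168.0.0/16",
    "loopback": "127.0.0.0/8",
    "multicast": "224.0.0.0/4",
}

def source_network(tokens):
    """Turn an entry's source tokens (any | host A | A WILDCARD) into a network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    wild = int(ipaddress.ip_address(tokens[1]))
    if wild & (wild + 1):  # a wildcard must look like 0...01...1 to map to a prefix
        raise ValueError(f"non-contiguous wildcard mask: {tokens[1]}")
    return ipaddress.ip_network(f"{tokens[0]}/{32 - wild.bit_length()}", strict=False)

def audit(acl_text):
    """Map each MUST_BLOCK range to True if the ACL drops all of it (first match wins)."""
    entries = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "access-list" and tok[2] in ("deny", "permit"):
            entries.append((tok[2], tok[3], source_network(tok[4:])))
    result = {}
    for name, cidr in MUST_BLOCK.items():
        net = ipaddress.ip_network(cidr)
        blocked = True  # nothing overlaps: the implicit deny at the end applies
        for action, proto, src in entries:
            if src.overlaps(net):
                # Conservative: only a full-cover "deny ip" counts as blocked.
                blocked = action == "deny" and proto == "ip" and src.supernet_of(net)
                break
        result[name] = blocked
    return result

# Constructed sample: the 172.16 wildcard covers a /16 only, and multicast is missing.
SAMPLE_ACL = """\
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
"""
```

Calling audit(SAMPLE_ACL) flags the 172.16/12 and multicast ranges as not fully blocked; correcting the wildcard to 0.15.255.255 and adding a deny for 224.0.0.0 15.255.255.255 clears both.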