Firewall Wizards mailing list archives

RE: Screening Router as a firewall

From: "Steve Fletcher" <safletcher () insightbb com>
Date: Thu, 24 Mar 2005 16:00:19 -0600

Personally, I would go with the two "traditional" firewalls, in addition to
ACL's on the router to block traffic that should definitely not be coming in
over the Internet, such as private (RFC1918), loopback, and multicast
addresses.

As for the make and model of the routers, I have never been a firm believer
in having two different brands.  I can see where that might be useful in
some cases, but for hardware firewalls such as the Cisco PIX, I just have
not seen enough evidence of major problems to warrant that.

That being said, I see no reason my ISA2004 could not be used as the second
firewall.  The company I work for has a lot of customers who are doing just
that.  While I would not want to rely on ISA as my only line of defense, or
even my first line of defense, as a second level of security, I think it
works pretty well.  Plus, you get extra capabilities that are nice, such as
caching of web pages.

Just my $.02 worth.......

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Shimon
Silberschlag
Sent: Thursday, March 24, 2005 7:38 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Screening Router as a firewall

Hello group,

Having a request for at least 2 firewalls protecting internet connectivity, 
would you consider a border router with ACLs as the first firewall, or would

you demand to implement ACLs on the router and 2 other "traditional" 
firewalls?

If you select the first option, would simple "packet filter" type ACLs 
suffice, or would you demand "stateful" ACLs?
(I believe Cisco calls its implementation CBAC).
If you select the second option, would you demand that the 2 firewalls be of

different brand, different technology or can they be the same product?

Can ISA2004 serve as the second, internal facing firewall? Anyone using it 
as such?

TIA,

Shimon Silberschlag

+972-3-9351572
+972-50-7207130

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Screening Router as a firewall Shimon Silberschlag (Mar 24)
- Re: Screening Router as a firewall Brenno Hiemstra (Mar 30)
- Re: Screening Router as a firewall Kevin (Mar 30)
- RE: Screening Router as a firewall Steve Fletcher (Mar 30)
- <Possible follow-ups>
- Re: Screening Router as a firewall Avishai Wool (Mar 30)
- Re: Screening Router as a firewall vbwilliams (Mar 30)
- Re: Screening Router as a firewall jfvanmeter (Mar 30)