Firewall Wizards mailing list archives
Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: sushil menon <sebastan_bach () yahoo com>
Date: Thu, 25 May 2006 11:47:21 -0700 (PDT)
Hi Robert,

I feel there is a good need for an integrated appliance. I feel even Fortinet is a good box, just like NetScreen, having IPS, firewall, anti-virus, URL filtering and anti-spam in one single box. The SSG series, I am not sure whether it provides the entire SSL and IDP functionality. I guess Check Point is the sole one right now having a complete unified architecture with complete endpoint security, which both Cisco and NetScreen lack. I feel it's high time that Juniper launches a complete integrated box with complete firewall, IDP and SSL solution in one box, and also probably with an anti-virus hardware card like the Cisco ASA supports, for scanning at wire speeds.

Just my views.

See ya,
Regards,
Sushil

Johann_van_Duyn () bat com wrote:

Hi, Robert et al...

I initially objected to the notion of all-in-one appliances too, but the complexity and architectural inelegance of having 3-5 gateway security boxes chained together (FW + IDS/IPS + inline AV + URL/Content Filter + VPN) convinced me to eventually champion a migration to Symantec's SGS 5460 units in one of our largest operating centres at the end of 2003. The operating centre's management and I have been very impressed, as have the pen-testers employed from time to time to try breaking the gateway. Nice balance of "default deny" at the firewall, augmented by a "default permit" scanning layer (AV + IPS + URL/CF) just behind it, all in the same box.

The latest units, SGS 5660 and family, rock! And I want a new "baby" SGS (1620 and 1660) for my home... full-featured except for some limitations on SSL VPN, they're way cool and quite cheap to boot. Using the latest software version (SGS 3.x), the units provide proxy FW, IDS/IPS, AV, URL and Content Filtering, IPSec VPN and SSL VPN, and do so very respectably, doing exactly what it says on the tin. In fact, that operating centre generally laughs at the rest of the company whenever a major worm strikes, and sometimes smugly phones up and asks whether we need assistance. They use the SGS units between themselves and the Internet, 3rd parties AND the rest of the company! :-)

Integration of the various capabilities is fairly good if not immediately intuitive, but some people balk at the amount of detail included in the logs, and the way they are presented. Detailed, but not too pretty! (Great for troubleshooting and figuring out what the device is getting up to, though.)

Having moved to a location where we have a different gateway infrastructure, I really appreciate the peace of mind that the SGS used to give me, and the confidence with which we used to connect to 3rd parties and allow inbound connections.

"UTM" devices, once you edit out all the marketing cr@p and get down to real-world performance and capabilities, are rightly the wave of the future, but the performance hit that results from turning on all the scanning features will keep them off high-speed backbones for a while yet... and sadly there is still a "performance stigma" against proxy firewalls, greatly undeserved of late.

Also, beware the corner-cutting that some UTM providers do: some use limited AV signature sets, others use "optimized" IPS signature sets, while others fall over if you switch all the features on in an operational environment. I have to protect factories and labs that run expensive, salary-critical equipment managed by operating systems that some of us remember from our youthful days (DOS, CP/M, Win3.1) that cannot be fiddled with or updated without losing support from the manufacturer... to protect these, I need full AV and IPS signature sets and a decent proxy, nothing less. In 2003, SGS was the only UTM device to provide all of that in one box; today, I would still choose the same family of appliances based on my experience with them.

As for flexibility and defense in depth, you need to balance that out against the manageability and architectural simplicity offered by UTM devices. If you don't want the IPS/AV/whatever functionality, you don't have to license it. But managing disparate systems can be a pain, and they don't all play together nicely. With the proxy FW, AV and IDS/IPS included in the SGS, I believe that one gets a pretty good protection profile, and adding separate IDS/IPS and/or inline AV to the mix instead of those built in doesn't yield much benefit at the cost of elegance, manageability and simplicity... but YMMV.

Caveat: adding a proxy firewall to a gateway is likely to highlight a number of cases where applications (in-house and shrink-wrap) disobey published RFCs for the protocols they use, or otherwise behave badly. This may lead to "words" between IT Security folks and their other IT or business colleagues, or external suppliers. Ranum rants about this on the list often enough and more eloquently than I can, so I won't. :-)

That's my two cents' worth, anyway.

Johann van Duyn

From: Robert A Beken
Sent by: firewall-wizards-bounces () listserv icsalabs com
Date: 24/05/2006 17:11
Please respond to: Firewall Wizards Security Mailing List
To: firewall-wizards () listserv icsalabs com
Subject: [fw-wiz] Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

I have a question for the group about this new trend of using a single firewall for all IDS and firewall related tasks in an integrated box for enterprise organizations (not SOHO). I personally think it's a bad idea and lacks flexibility in configuration and a "defense in depth" posture towards security. What are other people's thoughts?

Thanks and Regards,
Robert Beken CISSP, GCFW

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Robert A Beken (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Shashi Shekhar (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) R. Rocky (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Johann_van_Duyn (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) sushil menon (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Paul D. Robertson (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) ArkanoiD (May 26)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) sushil menon (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Shashi Shekhar (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Dave Piscitello (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) ArkanoiD (May 25)
- Message not available
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Chris Blask (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) George Capehart (May 25)
- Message not available
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Marcus J. Ranum (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Frank Pawlak (May 25)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Jim Seymour (May 26)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Frank Pawlak (May 26)
- Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG) Marcus J. Ranum (May 25)