Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

[sushil menon <sebastan_bach () yahoo com>]

hi robert i feel there is a good need for integrated appliance. i feel even fortinet is a good box just like netscreen 
having ips,firewall,anti-virus. url-filtering and anti-spam in one single box. ssg series i am not sure does it provide 
entire ssl and idp functionality. i guess checkpoint is the sole one right now having complete unified architecture 
with complete endpoint security which both cisco and netcreen lacks. i feel it's high time that juniper launches a 
complte integrated box with complete firewall,idp and ssl solution in one box and also probably with a anti-virus 
hardware card like cisco asa supports for scanning at wirespeeds. just my views. 
see ya 

regards 

sushil 

Johann_van_Duyn () bat com wrote: Hi, Robert et al...

I initially objected to the notion of all-in-one appliances too, but the 
complexity and architectural inelegance of having 3-5 gateway security 
boxes chained together (FW + IDS/IPS + inline AV + URL/Content Filter + 
VPN) convinced me to eventually champion a migration to Symantec's SGS 
5460 units in one of our largest operating centres at the end of 2003. The 
operating centre's management and I have been very impressed, as have the 
pen-testers employed from time to time to try breaking the gateway.

Nice balance of "default deny" at the firewall, augmented by a "default 
permit" scanning layer (AV + IPS + URL/CF) just behind it, all in the same 
box. The latest units, SGS 5660 and family, rock! And I want a new "baby" 
SGS (1620 and 1660) for my home... full-featured except for some 
limitations on SSL VPN, they're way cool and quite cheap to boot.

Using the latest software version (SGS 3.x), the units provide proxy FW, 
IDS/IPS, AV, URL and Content Filtering, IPSec VPN and SSL VPN, and do so 
very respectably, doing exactly what it says on the tin. In fact, that 
operating centre generally laughs at the rest of the company whenever a 
major worm strikes, and sometimes smugly phone up and ask whether we need 
assistance. They use the SGS units between themselves and the Internet, 
3rd parties AND the rest of the company! :-)

Integration of the various capabilities is fairly good if not immediately 
intuitive, but some people balk at the amount of detail included in the 
logs, and the way they are presented. Detailed, but not too pretty! (Great 
for troubleshooting and figuring out what the device is getting up to, 
though.)

Having moved to a location where we have a different gateway 
infrastructure, I really appreciate the peace of mind that the SGS used to 
give me, and the confidence with which we used to connect to 3rd parties 
and allow inbound connections. "UTM" devices, once you edit out all the 
marketing cr@p and get down to real-world performance and capabilities, 
are rightly the wave of the future, but the performance hit that results 
from turning on all the scanning features will keep them off high-speed 
backbones for a while yet... and sadly there is still a "performance 
stigma" against proxy firewalls, greatly undeserved of late. 

Also, beware the corner-cutting that some UTM providers do: some use 
limited AV signature sets, others use "optimized" IPS signature sets, 
while others fall over if you switch all the features on in an operational 
environment. I have to protect factories and labs that run expensive, 
salary-critical equipment managed by operating systems that some of us 
remember out of our youthful days (DOS, CP/M, Win3.1) that cannot be 
fiddled with or updated without losing support from the manufacturer... to 
protect these, I need full AV and IPS signature sets and a decent proxy, 
nothing less. In 2003, SGS was the only UTM device to provide all of that 
in one box; today, I would still choose the same family of appliances 
based on my experience with them.

As for flexibility and defense in depth, you need to balance that out 
against the manageability and architectural simplicity offered by UTM 
devices. If you don't want the IPS/AV/whatever functionality, you don't 
have to license it. But managing disparate systems can be a pain, and they 
don't all play together nicely. With the proxy FW, AV and IDS/IPS included 
in the SGS, I believe that one gets a pretty good protection profile, and 
adding separate IDS/IPS and/or inline AV to the mix instead of those built 
in doesn't yield much benefit at the cost of elegance, manageability and 
simplicity... but YMMV.

Caveat: adding a proxy firewall to a gateway is likely to highlight a 
number of cases where applications (in-house and shrink-wrap) disobey 
published RFCs for the protocols they use, or otherwise behave badly. This 
may lead to "words" between IT Security folks and their other IT or 
business colleagues, or external suppliers. Ranum rants about this on the 
list often enough and more eloquently than I can, so I won't. :-)

That's my �0.02 worth, anyway.

Johann van Duyn
 



24/05/2006 17:11
Robert A Beken  
Sent by: firewall-wizards-bounces () listserv icsalabs com



Please respond to
Firewall Wizards Security Mailing List 



To
firewall-wizards () listserv icsalabs com
cc

Subject
[fw-wiz] Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)






I have a question for the group about this new trend of using a single 
firewall for all IDS and Firewall related tasks in an integrated box for 
enterprise organizations (not SOHO).  I personally think it's a bad idea 
and lacks flexibility in configuration and  "defense in depth" posture 
towards security.  What are other people's thoughts?

Thanks and Regards,


Robert Beken CISSP, GCFW
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



_____________________________________________________________________
Confidentiality Notice: The information in this document and attachments is confidential and may also be legally 
privileged. It is intended only for the use of the named recipient.
Internet communications are not secure and therefore British American Tobacco does not accept legal responsibility for 
the contents of this message.
If you are not the intended recipient, please notify us immediately and then delete this document. Do not disclose the 
contents of this document to any other person, nor take any copies.
Violation of this notice may be unlawful.
______________________________________________________________________
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


                
---------------------------------
Yahoo! Messenger with Voice. PC-to-Phone calls for ridiculously low rates.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards