Firewall Wizards mailing list archives

Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)


From: Chris Blask <chris () blask org>
Date: Thu, 25 May 2006 15:42:07 -0400

At 12:11 PM 24/05/2006, Robert A Beken wrote:

I have a question for the group about this new trend of using a single 
firewall for all IDS and Firewall related tasks in an integrated box for 
enterprise organizations (not SOHO).  I personally think it's a bad idea 
and lacks flexibility in configuration and "defense in depth" posture 
towards security.  What are other people's thoughts?

Hey Robert!

In the end, embedding security functionality into the network is inevitable and necessary.  As has been said eloquently 
by others on the thread, the real question is "at what point is it a good idea to integrate Security Function X with 
Function Y?".  This depends on detail of the discrete application and the vendor offerings at that time.

In short: we've crossed over the boundary wherein it was always best to separate security activities from each other as 
well as non-security functions, but we have not yet reached the state where integrated functionality is typically an 
obvious winner.

You need to weigh the specific bits of desired functionality for different applications on your network to determine 
whether a dedicated or hybrid solution is correct.  You need to do this in the primary context of the amount of 
resources available to you (and if that is an infinite amount, you don't need our help... ;~).  IMO, the current PIX 
("ASA" my fanny) is pretty good and the ISR idea (one sheetmetal box with multiple purpose-built hardware modules) is a 
solid concept showing some early positive applications.

With those thoughts in mind, I suggest looking at the management infrastructure as the biggest single gain in security 
for resources spent.  None of this stuff makes much difference in the end if you can't see what it's doing.

-cheers!

-chris

