Firewall Wizards mailing list archives
Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: <sase () inofficenetworks com>
Date: Thu, 25 May 2006 15:42:00 -0400
Hey all,

I would have to agree with the folks that an integrated solution is not the best idea, 99% of the time. Integrated solutions seem to be OK for SOHO, but not in a medium-business to enterprise environment.

The major advantages to going with multiple products for different functions:

1. Scalability: Your components are not limited by their individual functions. If you're receiving a lot more email traffic that needs to be filtered rather than web traffic, you can beef up your email AV/content checking devices appropriately.

2. Independence: In the event that the system fails, you don't simultaneously lose your entire functionality. This is a battle that IT folks have to fight all the time with their end-users. In the event that your IDS/FW/AV appliance dies, you lose most of the functionality of your network (at least, regarding the outside world), to which the end user's reply is 'I don't care what's broken, just make it work.' Whereas, if your statement to the end user was 'certain web addresses are inaccessible at the time, but email and all other functions are still working', the end user would be that much more comfortable.

3. Independence from vendor: You don't rely just on Symantec, for instance, for your support, which can be painful at best.

4. Flexibility: I have yet to see one system that 'does it all' the way I want it to. With multiple devices you can service your needs the way you want to, and how you want to, without making any compromises.

I guess part of my value to this is based on the fact that I consider myself 'old school'. I still compile every package I install on my machines, I still do 'advanced' configurations, and never use wizards, or the sort. My lower techs get angry with me when I don't use PDM with PIX devices, because PDM can't read my configurations since they're too complex or the ACLs aren't written in the standards that they use. PS: It makes me feel special!

Disadvantages:

1. More points of failure, but I feel like this is mitigated by the fact that you have component independence.

2. Cost: More units usually means more money, but this may not be the case in certain implementations.

3. Skill set: If you're the point-click-shoot kind of admin, learning multiple devices may not be feasible as far as your skill set or, more probably, your time allotment. You could wind up doing more harm than good.

4. More postings on fw-wizards about the subject.

-paul

---------------------------
Paul Matuszewski
Director of Network Operations
Five Elements Consulting Group
http://www.5ecg.com
V: (516) 933-9669 x202
F: (516) 620-0062
C: (516) 816-4871

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Paul D. Robertson
Sent: Thursday, May 25, 2006 3:15 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

On Thu, 25 May 2006, sushil menon wrote:
Hi Robert, I feel there is a good need for integrated appliance. I feel even Fortinet is a good box just like Netscreen having
What makes you feel that? Historically, vendors have done a *terrible* job of loading multiple codebases onto a single system, and all these products will come from different development teams inside a vendor.
IPS, firewall, anti-virus, URL-filtering and anti-spam in one single box.
So, one failure of any one component at the right level and you lose AV, firewalling, anti-spam and filtering: that seems like a major increase in risk. Plus, and this is the biggie, now you're not choosing the best-of-breed of any of the services; you're getting whatever that vendor's good at and then the rest of their stuff that most likely couldn't survive on its own.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson         "My statements in this message are personal opinions
paul () compuwar net        which may have no basis whatsoever in fact."
http://fora.compuwar.net  Infosec discussion boards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards