Firewall Wizards mailing list archives
Re: How should an Internet connection/firewall be designed?
From: ArkanoiD <ark () eltex net>
Date: Thu, 18 Jan 2007 20:23:55 +0300
On Wed, Jan 17, 2007 at 08:11:30PM -0800, Kaas, David D wrote:
> We have always had a firewall on our Internet connection. We went from home grown, to fwtk (Thanks Marcus) and then a commercial system with snort IDS outside, on the DMZ and inside the firewall. We have always had very tight access controls. Few ports open to our DMZ, even fewer to our internal network that require one-time-passwords and restricted access to the Internet that must be approved by security. Now we have been told to upgrade/modify our Internet connection with new firewalls, IPS and deep packet inspection devices. I would appreciate information on what are considered common practices. How many companies have two serial firewalls from different vendors?
I don't think it is really often needed to have two "strictly serial" firewalls to inspect similar traffic, but having say, Netscreen on the border and Cyberguard protecting LAN seems reasonable.
> How many companies have an IPS/deep-packet-inspection device between the firewall and the border router? How many companies still use IDS?
Well, IPS/deep-packet-inspection device is just a buzzword for an IDS with somewhat unpredictable behavior ;-)
> How many companies have some form of deep packet inspection device in front of their DMZ web servers? What do they use?
As most of them rely on signature analysis, I see little to no use for them. Host-based protection systems do better.
> It seems like the added complexity and multiple devices will increase management costs and may actually decrease security and reliability. Our current design may be rather simple but in over 12 years we have had less than a couple of hours of down time and have not had a detected breakin to our internal network. I would appreciate any comments.
>
> Thank you,
> Dave Kaas
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards