Firewall Wizards mailing list archives

Re: How should an Internet connection/firewall be designed?


From: Dave Piscitello <dave () corecom com>
Date: Thu, 18 Jan 2007 14:39:58 -0500

Kaas, David D wrote:

How many companies have two serial firewalls from different vendors?

Depends on size of organization or location, and exactly what purpose the firewalls serve in serial. I assume you are talking about choke-and-screen arrangements and Internet firewalls?

Generally,
- Few/no small biz, small office have 2 of anything. Terminating broadband on a PPPoE capable firewall is what I recommend and I tell them to eBay the telco's router.
- Medium businesses that have large enterprise assets may have this arrangement. Here, I see more routers in the screen role and commercial firewall appliances in the choke role. The router is as often as not Cisco and the firewall is often Netscreen/SonicWall/Watchguard.
- Large enterprises I've worked with are either Cisco shops or Cisco plus CheckPoint. Again, router with PIX is a "better screen" and Checkpoint is a choke and (ugh) integrated threat enforcement point.

Of course, if you are speaking to application level security, then I see (and recommend) more best of breed than "buy the UTM device and deploy it in serial, turning on the security measures where you think they are appropriately deployed".

How many companies have an IPS/deep-packet-inspection device between the
firewall and the border router?

I honestly don't see a lot of this and unless there's a specific DoS prevention issue, I don't see a lot of point in policing traffic that I expect my firewall to block.

How many companies still use IDS?

Depends on your use of the word "use" - lots still have IDS and IPS connected to networks. I suspect fewer meaningfully improve their security profile because they have dummied them down, or don't use what they monitor. I'm among the "A properly configured and administered firewall is often as good or better than IDS because it *is* IPS" radicals.


How many companies have some form of deep packet inspection device in
front of their DMZ web servers?  What do they use?

It seems like the added complexity and multiple devices will increase
management costs and may actually decrease security and reliability.

Meh. We can argue all month over this. Depends on the available talent.

Our current design may be rather simple but in over 12 years we have had
less than a couple of hours of down time and have not had a detected
break-in to our internal network.

No comment.

I would appreciate any comments.

Thank you,

Dave Kaas
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


