Firewall Wizards mailing list archives
Re: How should an Internet connection/firewall be designed?
From: Dave Piscitello <dave () corecom com>
Date: Thu, 18 Jan 2007 14:39:58 -0500
Kaas, David D wrote:
> How many companies have two serial firewalls from different vendors?
Depends on size of organization or location, and exactly what purpose the firewalls serve in serial. I assume you are talking about choke-and-screen arrangements and Internet firewalls?
Generally,
- Few/no small biz, small office have 2 of anything. Terminating broadband on a PPPoE capable firewall is what I recommend and I tell them to eBay the telco's router.
- Medium businesses that have large enterprise assets may have this arrangement. Here, I see more routers in the screen role and commercial firewall appliances in the choke role. The router is often as not Cisco and the firewall is often Netscreen/SonicWall/Watchguard.
- Large enterprises I've worked with are either Cisco shops or Cisco plus CheckPoint. Again, router with PIX is a "better screen" and Checkpoint is a choke and (ugh) integrated threat enforcement point.
Of course, if you are speaking to application level security, then I see (and recommend) more best of breed than "buy the UTM device and deploy it in serial, turning on the security measures where you think they are appropriately deployed".
> How many companies have an IPS/deep-packet-inspection device between the firewall and the border router?
I honestly don't see a lot of this and unless there's a specific DOS prevention issue, I don't see a lot of point in policing traffic that I expect my firewall to block.
> How many companies still use IDS?
Depends on your use of the word "use" - lots still have IDS and IPS connected to networks. I suspect fewer meaningfully improve their security profile because they have dummied them down, or don't use what they monitor. I'm among the "A properly configured and administered firewall is often as good or better than IDS because it *is* IPS" radicals.
> How many companies have some form of deep packet inspection device in front of their DMZ web servers? What do they use? It seems like the added complexity and multiple devices will increase management costs and may actually decrease security and reliability.
Meh. We can argue all month over this. Depends on the available talent.
> Our current design may be rather simple but in over 12 years we have had less than a couple of hours of down time and have not had a detected breakin to our internal network.
No comment.
> I would appreciate any comments. Thank you, Dave Kaas
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
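The screen-and-choke arrangement and the "firewall *is* IPS" point above, modelled as an added Python example that is not part of the post or of the firewall-wizards list; the prefixes, allow rules and sample packets are constructed for the demo, and the stateless screen is applied only to inbound traffic.

```python
import ipaddress

# Constructed addresses for the demo; 192.0.2.0/24 is the TEST-NET-1 range.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")
DMZ_WEB = ipaddress.ip_address("192.0.2.10")
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]
# Choke policy: (host, proto, port) allowed to open a new flow from outside; all else denied.
CHOKE_ALLOW = {(DMZ_WEB, "tcp", 80), (DMZ_WEB, "tcp", 443)}
STATE = set()  # established flows, keyed (src, sport, dst, dport)

def screen(pkt):
    """Screening router: coarse, stateless ingress ACL on the Internet-facing interface."""
    src = ipaddress.ip_address(pkt["src"])
    if src in INTERNAL or src in DMZ:  # anti-spoofing: our own prefixes never arrive from outside
        return "drop:screen-antispoof"
    if any(src in net for net in BOGONS):
        return "drop:screen-bogon"
    return "pass"

def choke(pkt):
    """Choke firewall: stateful default deny. Only established flows or explicitly
    allowed new flows get through, which is why a well-run firewall already acts as IPS."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    flow = (src, pkt["sport"], dst, pkt["dport"])
    if flow in STATE or (dst, pkt["dport"], src, pkt["sport"]) in STATE:
        return "accept:established"
    if (dst, pkt["proto"], pkt["dport"]) in CHOKE_ALLOW:
        STATE.add(flow)
        return "accept:new-flow"
    return "drop:choke-default-deny"

def process(pkt):
    """Inbound packets cross screen then choke; outbound (DMZ to Internet) only the choke."""
    if pkt["dir"] == "in":
        verdict = screen(pkt)
        if verdict != "pass":
            return verdict
    return choke(pkt)

# Constructed traffic: spoofed source, new HTTPS to the web server, its reply, SSH attempt.
SAMPLE = [
    {"dir": "in", "src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "sport": 40000, "dport": 443},
    {"dir": "in", "src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "sport": 40001, "dport": 443},
    {"dir": "out", "src": "192.0.2.10", "dst": "198.51.100.7", "proto": "tcp", "sport": 443, "dport": 40001},
    {"dir": "in", "src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "sport": 40002, "dport": 22},
]
def run_sample():
    return [process(p) for p in SAMPLE]  # verdict per sample packet, in order
```

Note that the SSH attempt never needs a separate IPS to stop it: the choke's default deny drops it, which is the point made above about policing traffic the firewall is expected to block anyway.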