Firewall Wizards mailing list archives
Re: Multiple firewalls from different manufactureres
From: "Shimon Silberschlag" <shimons () bll co il>
Date: Thu, 27 Jan 2005 10:02:45 +0200
Paul,

I was more aiming at the issue of having the FWs made by different manufacturers. There is a lot to be gained from having a common platform that the admins are familiar with; the chances for human error are reduced, to say the least.
And yes, I too advocate the use of a screening router in front of the external FW. The question is, do I *have* to get a different brand FW for the internal one? And if the answer is yes, what's the reasoning?
Do you see "head-on" attacks on the fw (trying to get to the fw in spite of a stealth rule defined) as a viable/sizeable threat today?
Shimon Silberschlag
+972-3-9351572
+972-50-7207130

----- Original Message -----
From: "Paul D. Robertson" <paul () compuwar net>
To: "Shimon Silberschlag" <shimons () bll co il>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Wednesday, January 26, 2005 11:04 PM
Subject: Re: [fw-wiz] Multiple firewalls from different manufactureres
On Wed, 26 Jan 2005, Shimon Silberschlag wrote:

> Hello Group,
>
> In the past, I used to hear the recommendation that an internet facing
> firewall setup should include at least 2 firewalls from different
> manufacturers. The reasoning behind it was that if you had a fatal
> vulnerability in one of them, one that could enable an attacker to "own" the
> first, the second one will resist a similar attack.

That wasn't the only rationale for not having a single layer of failure...

> Today, when attacks are shifting towards using the already open ports on the
> firewall, at the application level, do you think that such a setup is still
> mandatory and/or recommended? Do you see such setups implemented? Or do
> most setups include a single FW with multiple DMZs, connected directly to
> the internal network? Perhaps the screened subnet variety with 2 FW, but the
> same brand, is the most popular?

I still try to at least get a screening router up front that does have a different packet filtering implementation (so I don't generally use green firewalls.) To me, it's a matter of not designing easy to fail infrastructure. With two devices, you have the chance to catch configuration failures, not just implementation failures. If possible, it's nice to have two different groups handling each piece in coordination, so that you have to have two people co-opted to start punching holes, especially admin-installed backdoors.

With commodity pricing on firewalls, it's really a question of "what do you have to lose?"

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
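The point Paul makes about a second, independently configured device catching configuration failures can be shown with a small model of the screened-subnet path (screening router, external firewall with a stealth rule, internal firewall). This is an added illustration, not code from the thread; the addresses, rule sets and topology are constructed for the example.

```python
import ipaddress
from typing import NamedTuple, Optional

# Added example (not from the post): each layer below is an independent first-match
# rule list with an implicit deny, so a hole punched in one is caught by the next.

# Rule fields: action ("permit"/"deny"), proto ("tcp"/"udp"/"icmp"/"any"),
# src and dst (CIDR or "any"), dport (port number, or None for any port).
Rule = NamedTuple("Rule", [("action", str), ("proto", str), ("src", str),
                           ("dst", str), ("dport", Optional[int])])

def _in(cidr, addr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def rule_matches(rule, pkt):
    # pkt: dict with keys proto, src, dst, dport
    return (rule.proto in ("any", pkt["proto"])
            and _in(rule.src, pkt["src"]) and _in(rule.dst, pkt["dst"])
            and (rule.dport is None or rule.dport == pkt["dport"]))

def evaluate(rules, pkt):  # first matching rule decides; no match means deny
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

LAYERS = [
    ("screening_router", [
        Rule("deny", "any", "10.0.0.0/8", "any", None),        # spoofed internal source
        Rule("permit", "any", "any", "any", None),             # coarse filter only
    ]),
    ("external_firewall", [
        Rule("deny", "any", "any", "203.0.113.1/32", None),    # stealth rule: nothing to the FW itself
        Rule("permit", "tcp", "any", "203.0.113.10/32", 443),  # DMZ web server
        Rule("permit", "tcp", "any", "10.0.0.0/8", None),      # MISTAKE: hole into the internal range
    ]),
    ("internal_firewall", [
        Rule("permit", "tcp", "203.0.113.10/32", "10.1.1.5/32", 5432),  # DMZ web -> DB only
    ]),
]

def traverse(pkt):
    """Return ("permit", None) or ("deny", <layer that stopped the packet>)."""
    internal = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network("10.0.0.0/8")
    for name, rules in LAYERS:
        if name == "internal_firewall" and not internal:
            continue  # DMZ hosts sit between the two firewalls, so only internal dsts cross it
        if evaluate(rules, pkt) == "deny":
            return "deny", name
    return "permit", None
```

Running the hole case shows the external firewall permitting traffic to the internal range while the internal firewall, with its own rule set, still denies it.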