Firewall Wizards mailing list archives
Re: Multiple firewalls from different manufacturers
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 27 Jan 2005 02:54:00 +0530
On 26/01/05 18:23 +0200, Shimon Silberschlag wrote:
> Hello Group,
>
> In the past, I used to hear the recommendation that an internet facing
> firewall setup should include at least 2 firewalls from different
> manufacturers. The reasoning behind it was that if you had a fatal
> vulnerability in one of them, one that could enable an attacker to "own"
> the first, the second one will resist a similar attack.
>
> Today, when attacks are shifting towards using the already open ports on
> the firewall, at the application level, do you think that such a setup is
> still mandatory and/or recommended? Do you see such setups implemented?
> Or does

Attacks have almost always been at the application layer. The exceptions have mostly been DoS attacks which can exploit a vulnerability in an IP stack implementation to bring down a host or router.

Packet filters worked well enough when it was possible to lock out external networks from accessing any important services (no web-enabled database applications, so a whole class of SQL injection attacks was avoidable from the open Internet, etc).

IMHO, rather than using multiple firewalls, I would use a strong policy, filesystem ACLs, proxies, and a less common system for my packet filtering edge system (OpenBSD, or FreeBSD most likely).

A different OS on the proxies, servers and firewalls helps, but it is up to the organisation to determine if the added benefits are worth the cost.

Devdas Bhagat