Re: [fw-wiz] How should an Internet connection/firewall be designed? - Firewalls
On Wed, Jan 17, 2007 at 08:11:30PM -0800, Kaas, David D wrote:
> We have always had a firewall on our Internet connection. We went from
> home grown, to fwtk (Thanks Marcus) and then a commercial system with
> snort IDS outside, on the DMZ and inside the firewall. We have always
> had very tight access controls. Few ports open to our DMZ, even fewer
> to our internal network that require one-time-passwords and restricted
> access to the Internet that must be approved by security. Now we have
> been told to upgrade/modify our Internet connection with new firewalls,
> IPS and deep packet inspection devices. I would appreciate information
> on what are considered common practices.
> How many companies have two serial firewalls from different vendors?
I don't think it is really often needed to have two "strictly serial"
firewalls to inspect similar traffic, but having say, Netscreen on the border
and Cyberguard protecting LAN seems reasonable.
> How many companies have an IPS/deep-packet-inspection device between the
> firewall and the border router?
> How many companies still use IDS?
Well, an IPS/deep-packet-inspection device is just a buzzword for an IDS with
somehow unpredictable behavior ;-)
> How many companies have some form of deep packet inspection device in
> front of their DMZ web servers? What do they use?
As most of them rely on signature analysis, I see little to no use for them.
Host-based protection systems do better.
> It seems like the added complexity and multiple devices will increase
> management costs and may actually decrease security and reliability.
> Our current design may be rather simple but in over 12 years we have had
> less than a couple of hours of down time and have not had a detected
> breakin to our internal network.
> I would appreciate any comments.
> Thank you,
> Dave Kaas
firewall-wizards mailing list