On Wed, Jan 17, 2007 at 08:11:30PM -0800, Kaas, David D wrote:

> We have always had a firewall on our Internet connection. We went from
> home grown, to fwtk (Thanks Marcus) and then a commercial system with
> snort IDS outside, on the DMZ and inside the firewall. We have always
> had very tight access controls. Few ports open to our DMZ, even fewer
> to our internal network that require one-time-passwords and restricted
> access to the Internet that must be approved by security. Now we have
> been told to upgrade/modify our Internet connection with new firewalls,
> IPS and deep packet inspection devices.. I would appreciate information
> on what are considered common practices.
>
> How many companies have two serial firewalls from different vendors?


I don't think it is really often needed to have two "strictly serial"
firewalls to inspect similar traffic, but having say, Netscreen on the border
and Cyberguard protecting LAN seems reasonable.

> How many companies have an IPS/deep-packet-inspection device between the
> firewall and the border router?
>
> How many companies still use IDS?


Well, IPS/deep-packet-inpsection device is just a buzzword for an IDS with
somehow unpredictive behavior ;-)

> How many companies have some form of deep packet inspection device in
> front of their DMZ web servers? What do they use?


As most of them rely on signature analysis, i see little to no use to them.
Host-based protection systems do better.

> It seems like the added complexity and multiple devices will increase
> management costs and may actually decrease security and reliability.
> Our current design may be rather simple but in over 12 years we have had
> less than a couple of hours of down time and have not had a detected
> breakin to our internal network.
>
> I would appreciate any comments.
>
> Thank you,
>
> Dave Kaas
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards