
Re: [fw-wiz] How should an Internet connection/firewall be designed?

To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.cybertrust.com>
Subject: Re: [fw-wiz] How should an Internet connection/firewall be designed?
From: ArkanoiD <ark@eltex.net>
Date: Thu, 18 Jan 2007 20:23:55 +0300
Delivered-to: sp-com-lists@consult.net
Delivered-to: fwwizards-list2@consult.net
Delivered-to: firewall-wizards@listserv.cybertrust.com
In-reply-to: <B52DBC14D694024689D053F520CCC899040597DC@expf.rl.gov>
List-archive: <https://listserv.icsalabs.com/pipermail/firewall-wizards>
List-help: <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=help>
List-id: Firewall Wizards Security Mailing List <firewall-wizards.listserv.icsalabs.com>
List-post: <mailto:firewall-wizards@listserv.icsalabs.com>
List-subscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=subscribe>
List-unsubscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=unsubscribe>
References: <BAY19-F2345B21D7BF95C8811A74D9B30@phx.gbl> <B52DBC14D694024689D053F520CCC899040597DC@expf.rl.gov>
Reply-to: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Sender: firewall-wizards-bounces@listserv.icsalabs.com
User-agent: Mutt/1.4.1i
On Wed, Jan 17, 2007 at 08:11:30PM -0800, Kaas, David D wrote:

> We have always had a firewall on our Internet connection.  We went from
> home grown, to fwtk (Thanks Marcus) and then a commercial system with
> snort IDS outside, on the DMZ and inside the firewall.  We have always
> had very tight access controls.  Few ports open to our DMZ, even fewer
> to our internal network that require one-time-passwords and restricted
> access to the Internet that must be approved by security.  Now we have
> been told to upgrade/modify our Internet connection with new firewalls,
> IPS and deep packet inspection devices.  I would appreciate information
> on what are considered common practices.
> 
> How many companies have two serial firewalls from different vendors?

I don't think it is really often needed to have two "strictly serial"
firewalls to inspect similar traffic, but having, say, Netscreen on the border
and Cyberguard protecting the LAN seems reasonable.

> How many companies have an IPS/deep-packet-inspection device between the
> firewall and the border router?
> 
> How many companies still use IDS?

Well, an IPS/deep-packet-inspection device is just a buzzword for an IDS with
somewhat unpredictable behavior ;-)

> How many companies have some form of deep packet inspection device in
> front of their DMZ web servers?  What do they use?

As most of them rely on signature analysis, I see little to no use for them.
Host-based protection systems do better.

> It seems like the added complexity and multiple devices will increase
> management costs and may actually decrease security and reliability.
> Our current design may be rather simple, but in over 12 years we have had
> less than a couple of hours of down time and have not had a detected
> break-in to our internal network.
> 
> I would appreciate any comments.
> 
> Thank you,
> 
> Dave Kaas
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
