Kaas, David D wrote:
> How many companies have two serial firewalls from different vendors?

Depends on size of organization or location, and exactly what purpose
the firewalls serve in serial. I assume you are talking about
choke-and-screen arrangements and Internet firewalls?

Generally,
- Few/no small biz, small office have 2 of anything. Terminating
broadband on a PPPoE capable firewall is what I recommend and I tell
them to eBay the telco's router.
- Medium businesses that have large enterprise assets may have this
arrangement. Here, I see more routers in the screen role and commercial
firewall appliances in the choke role. The router is often as not Cisco
and the firewall is often Netscreen/SonicWall/Watchguard.
- Large enterprises I've worked with are either Cisco shops or Cisco
plus CheckPoint. Again, router with PIX is a "better screen" and
Checkpoint is a choke and (ugh) integrated threat enforcement point.

Of course, if you are speaking to application level security, then I see
(and recommend) more best-of-breed than "buy the UTM device and deploy
it in serial, turning on the security measures where you think they are
appropriately deployed".

> How many companies have an IPS/deep-packet-inspection device between the
> firewall and the border router?

I honestly don't see a lot of this and unless there's a specific DOS
prevention issue, I don't see a lot of point in policing traffic that I
expect my firewall to block.

> How many companies still use IDS?

Depends on your use of the word "use" - lots still have IDS and IPS
connected to networks. I suspect fewer meaningfully improve their
security profile because they have dummied them down, or don't use what
they monitor. I'm among the "A properly configured and administered
firewall is often as good or better than IDS because it *is* IPS" radicals.

> How many companies have some form of deep packet inspection device in
> front of their DMZ web servers? What do they use?
> It seems like the added complexity and multiple devices will increase
> management costs and may actually decrease security and reliability.

Meh. We can argue all month over this. Depends on the available talent.

> Our current design may be rather simple but in over 12 years we have had
> less than a couple of hours of down time and have not had a detected
> break-in to our internal network.

No comment.

> I would appreciate any comments.
> Thank you,
> Dave Kaas
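The screen-and-choke arrangement discussed in this thread, as an added illustration that is not part of the exchange above and not anyone's product configuration: the screen is modelled as a stateless border ACL (anti-spoofing plus "only the DMZ is reachable from outside"), the choke as a stateful firewall that only opens flows for an explicit service list. All addresses are constructed from RFC 5737 documentation ranges, and the rule set is a deliberate simplification chosen to show why a stateless screen alone lets through what a stateful choke then has to drop.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = True   # TCP flag; the choke uses it to tell "new session" from "stray segment"

# Constructed topology: DMZ on a documentation prefix, internal net on RFC 1918 space.
DMZ = ipaddress.ip_network("192.0.2.0/24")
INSIDE_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    DMZ,
]

def screen(pkt):
    """Stateless screen router ACL applied to packets arriving on the outside interface."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Ingress anti-spoofing: nothing from outside may claim an inside or DMZ source.
    if any(src in net for net in INSIDE_PREFIXES):
        return "screen-drop-spoof"
    # Coarse reachability: only the DMZ is exposed; the internal net is never a destination.
    if dst not in DMZ:
        return "screen-drop-not-dmz"
    return "pass"

# Services the choke will open new inbound sessions for (constructed policy).
SERVICES = {("tcp", 80), ("tcp", 443)}

class Choke:
    """Stateful choke firewall: permits new sessions only per SERVICES, else requires a known flow."""
    def __init__(self):
        self.flows = set()

    def inspect(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.flows:
            return "pass-established"
        if pkt.proto == "tcp" and pkt.syn and (pkt.proto, pkt.dport) in SERVICES:
            self.flows.add(key)          # a SYN to a permitted service opens state
            return "pass-new"
        return "choke-drop"              # non-SYN without state, or a non-permitted port

def run(packets):
    """Push packets through screen then choke, in series, returning one verdict per packet."""
    choke = Choke()
    verdicts = []
    for p in packets:
        v = screen(p)
        if v == "pass":
            v = choke.inspect(p)
        verdicts.append(v)
    return verdicts

# Constructed traffic sample: a legitimate HTTPS session, a spoofed inside source,
# an attempt to reach the internal net directly, an SSH attempt at the DMZ, and a
# stateless ACK segment to port 80 that the screen cannot judge but the choke can.
SAMPLE = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 443, syn=True),
    Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 443, syn=False),
    Packet("10.1.2.3",    "192.0.2.10", "tcp", 40001, 443, syn=True),
    Packet("203.0.113.7", "10.5.5.5",   "tcp", 40002, 80,  syn=True),
    Packet("203.0.113.9", "192.0.2.10", "tcp", 40003, 22,  syn=True),
    Packet("203.0.113.9", "192.0.2.10", "tcp", 40004, 80,  syn=False),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} syn={pkt.syn}: {verdict}")
```

The last sample packet is the interesting one: it clears the screen because a stateless ACL has no way to know there is no session behind an ACK, and only the choke's flow table drops it. That is the division of labour the reply above describes, with the router taking the cheap, obvious drops (spoofed sources, non-DMZ destinations) and the stateful firewall making the real admission decision.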
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards