Firewalls

pr3d4t0r Member Posts: 173
Well, I would like to hear your opinions about different types of firewalls. What firewalls are you using in your company, reasons for using them, etc.?

I recently replaced a Firebox X Peak E-Series with a Cisco ASA 5520.

After reading this article: http://www.networkworld.com/reviews/2007/121007-firewall-test.html?page=1

I don't know if I did the right thing.

Comments

  • RTmarc Member Posts: 1,082
    FortiGate 500As and FortiGate 300As.

    http://www.fortinet.com

    <3 FortiGates
  • hypnotoad Banned Posts: 915
    You must have some pretty serious bandwidth at the point where this firewall is going?
  • Netstudent Member Posts: 1,693
    Netscreen NS25 at all sites. These were purchased and in place before I started with the company. They're alright. They get the job done so I have nothing bad to say about them.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • HeroPsycho Inactive Imported Users Posts: 1,940
    For enterprise-class organizations, you really want cascading firewalls. For best security, they should be of two different core OSes. For best performance, I prefer ASIC-type appliances such as a PIX or something similar on the edge, as they do a good job rapidly dropping packets that don't conform to the select few protocols or ports you're allowing in from the internet.

    The second level firewall, or internal firewalls placed within the internal LAN, should be able to do more than basically packet level filtering. Ideally, it should be able to inspect traffic all the way down to the application layer for even application layer attacks. For this, I like ISA 2004/2006. It's one of the only firewall products that can do this type of traffic examination, and even inspect within an encrypted SSL tunnel.

    Also, notice it is of a different base OS than the edge firewall, which guarantees that even if an intruder managed to compromise the edge, knowledge of that OS alone wouldn't allow the attacker to breach the second layer of defense.
    Good luck to all!
  • Netstudent Member Posts: 1,693
    For you guys that work with webservers with a backend SQL database, do you guys have a firewall just for backend database traffic or do you just redirect the web server back through the DMZ?
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
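    The two-tier design HeroPsycho describes (a port-level edge filter in front of an application-layer inner firewall) and Netstudent's question about isolating backend database traffic can be modelled together. The following is an added example, not code from this thread or from any of the products mentioned; addresses, the published hostname, and the HTTP sanity check are all constructed and hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed, hypothetical addressing: edge firewall in front of a DMZ web
# server, application-layer inner firewall in front of the LAN database.
INTERNET = ip_network("0.0.0.0/0")
DMZ_WEB = ip_network("203.0.113.10/32")
LAN_DB = ip_network("10.0.5.20/32")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    src: object            # ip_network the source must fall in
    dst: object            # ip_network the destination must fall in
    dport: int
    inspect: object = None  # optional application-layer payload check

def http_is_sane(payload):
    """Toy L7 check: complete HTTP/1.1 GET or POST addressed to the published host."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return False  # header block never terminated
    lines = head.decode("ascii", "replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in ("GET", "POST") or parts[2] != "HTTP/1.1":
        return False
    return "host: www.example.com" in (line.lower() for line in lines[1:])

# Edge: packet filter exposing exactly one service; everything else is dropped.
EDGE_RULES = [Rule(INTERNET, DMZ_WEB, 443)]
# Inner: publishes the web server with payload inspection and admits only the
# web server to the database port, so the Internet never reaches the LAN directly.
INNER_RULES = [Rule(INTERNET, DMZ_WEB, 443, inspect=http_is_sane),
               Rule(DMZ_WEB, LAN_DB, 1433)]

def allowed_by(rules, pkt):
    for r in rules:  # first match wins
        if ip_address(pkt.src) in r.src and ip_address(pkt.dst) in r.dst and pkt.dport == r.dport:
            return r.inspect is None or r.inspect(pkt.payload)
    return False  # default deny

def evaluate(pkt):
    """Return 'accept', 'drop@edge' or 'drop@inner' for a packet entering the design."""
    from_internet = ip_address(pkt.src) not in DMZ_WEB and ip_address(pkt.src) not in LAN_DB
    if from_internet and not allowed_by(EDGE_RULES, pkt):
        return "drop@edge"
    return "accept" if allowed_by(INNER_RULES, pkt) else "drop@inner"
```

    Note which tier catches each case: anything not on the single published port never gets past the edge, while a well-formed TCP flow carrying a malformed or unexpected request is only stopped by the inner, application-aware layer.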
  • Ahriakin Member Posts: 1,799
    Cisco scored highly (top 3) in their UTM tests of the same products (article referenced in this one). I agree with their criticisms, though: their IPS really needs extra software/appliances for proper monitoring, and of course they are not the easiest things in the world to configure correctly. But at least for small to mid-sized businesses not needing the extreme bandwidth referenced in the article, the ASAs are an excellent solution. $5k for a 5510 with AIP-SSM10 giving us hardware firewall/VPN/IPS is a (relative) steal.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?