Ahriakin wrote: » There are pros and cons. The main pro is that any vulns found for one vendor will be immediately mitigated by any downstream devices from the other. But a major con is that it is doubtful you can maintain the same level of expertise on both (or more) systems. Also, contrary to what many think (so this is strictly in-my-humble-opinion), I think there is a lot to be said for predictability on your own network. Yes, it makes it easier for attackers to profile and plan an attack, but at the same time it makes it easier for you to accurately mitigate weaknesses and respond when there are issues. The attacker has the choice of attack vector, timing etc., so you are already down a few points on unpredictability; don't add to it with multi-vendor approaches if there is no specific reason for it (e.g. one vendor may handle a certain type of application inspection better than another, so it might make sense to place a different type closer to certain resources).
Bl8ckr0uter wrote: » Greetings, For those of you that design networks or suggest designs do you still feel that layer firewalls (from different vendors) is still a valuable part of defensive in depth? From your experience, do companies tend to use this in the SMB enterprises? Just want to get someone else's perspective. I am submitting a proposal for our new network design on Wednesday and the other guy and I have some very, very different opinions.
it_consultant wrote: » I don't see a lot of advantages to having two firewalls back to back. Esp. if your primary firewall is a high quality unit like a Palo Alto. Next Generation Firewall Features and Benefits
SteveO86 wrote: » Well, now if the boss wants it
SteveO86 wrote: » One of the reasons I prefer the Cisco ASA is because it can be an all in one, providing IPS/Firewall/VPN. 2 firewalls back to back, not sure; as long as they are not inspecting and looking at the same information, then it's just double work for no reason. Depending how in-depth you want to go, the Cisco ASA allows you to add custom expressions to the Inspect maps (such as HTTP). So if the firewall from Vendor A looks for something the ASA doesn't, you can add that in there. I would suspect your SonicWall has a similar feature. Doing this in great detail will make the device from Vendor A look useless.
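As an added illustration of the "custom expressions in the HTTP inspect map" idea above (this is example configuration written for this thread, not SteveO86's or Cisco's own config), the following ASA policy restricts a DMZ web server to the request methods it actually needs, drops HTTP protocol violations, and logs and drops any request whose URI matches an assumed administrative path. The regex, class-map and policy-map names, and the `/admin/` path are assumptions chosen for the example.

```cisco
! Assumed: the DMZ web server only needs GET, POST and HEAD.
! match-all with several "match not" lines = "method is none of these".
class-map type inspect http match-all DISALLOWED_METHODS
 match not request method get
 match not request method post
 match not request method head

! Assumed regex: an admin path that should never be reached from outside.
regex ADMIN_URI "/admin/"
class-map type regex match-any ADMIN_URIS
 match regex ADMIN_URI
class-map type inspect http match-all ADMIN_PATH_REQUEST
 match request uri regex class ADMIN_URIS

! The HTTP inspection policy: parameters apply to every HTTP flow,
! then each class gets its own action.
policy-map type inspect http DMZ_HTTP_INSPECT
 parameters
  protocol-violation action drop-connection log
 class DISALLOWED_METHODS
  drop-connection log
 class ADMIN_PATH_REQUEST
  drop-connection log

! Attach the HTTP policy to the default global inspection policy.
policy-map global_policy
 class inspection_default
  inspect http DMZ_HTTP_INSPECT
```

The value of the `log` keyword is that every dropped request becomes a syslog message, so the inspect map doubles as a detection source rather than silently swallowing traffic; review those logs before tightening the regex list further, since an overly broad pattern breaks legitimate requests just as quietly.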
SteveO86 wrote: » Or if you really (or your boss) need that second firewall, would an ISR router running the Advanced Security IOS image running a zone based firewall (or CBAC) with an IPS subscription work? (With a 4 MB pipe to the internet I would suspect a new ISR G2 router with 512 of memory would suffice nicely, or even a 2811 with 512.)
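To make the zone-based firewall suggestion concrete, here is an added example of a minimal IOS zone-based policy for an ISR sitting in front of a DMZ web server (example configuration written for this thread, not the poster's own). It assumes three interfaces (FastEthernet0/0 inside, FastEthernet0/1 outside, FastEthernet0/2 DMZ) and zone, class-map and policy-map names chosen for the example; adjust them to the real box.

```cisco
! Three security zones; interfaces in no zone cannot talk to zoned ones.
zone security INSIDE
zone security OUTSIDE
zone security DMZ

! Traffic the LAN may initiate toward the Internet (stateful inspection).
class-map type inspect match-any INSIDE_TO_OUTSIDE_TRAFFIC
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
policy-map type inspect INSIDE_TO_OUTSIDE
 class type inspect INSIDE_TO_OUTSIDE_TRAFFIC
  inspect
 class class-default
  drop log

! Only web traffic may reach the DMZ server from the Internet.
class-map type inspect match-any OUTSIDE_TO_DMZ_TRAFFIC
 match protocol http
 match protocol https
policy-map type inspect OUTSIDE_TO_DMZ
 class type inspect OUTSIDE_TO_DMZ_TRAFFIC
  inspect
 class class-default
  drop log

! Zone pairs are directional; with no DMZ->INSIDE pair defined, a
! compromised DMZ host cannot open sessions into the LAN at all.
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE
zone-pair security OUT_DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE_TO_DMZ

interface FastEthernet0/0
 description LAN (assumed interface)
 zone-member security INSIDE
interface FastEthernet0/1
 description Internet uplink (assumed interface)
 zone-member security OUTSIDE
interface FastEthernet0/2
 description DMZ (assumed interface)
 zone-member security DMZ
```

The design point is the missing zone pairs: zone-based firewall denies anything for which no zone-pair policy exists, so the DMZ-to-inside direction is blocked by omission rather than by a rule someone has to remember to write.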
SteveO86 wrote: » Depending on your webserver and if it does HTTPS transactions, a HIPS installed on the server itself may offer better protection. Many AV programs nowadays offer built-in HIPS (Symantec Endpoint, Trend Micro), or there are dedicated HIPS programs (Cisco CSA) out there (can be expensive to implement).
SteveO86 wrote: » Going back to Firewall/DMZ, I always remember the FW and DMZ are meant to go through hell, and anything in the DMZ is not mission critical to your organization (and if it got compromised it wouldn't be that big of a deal). Implementing Private VLANs correctly in the DMZ can limit the damage done by an attack. Sorry for being so Cisco oriented. It's just my environment.
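Since the Private VLAN point is made but not shown, here is an added example of a DMZ Private VLAN layout on a Catalyst switch that supports PVLANs (example configuration written for this thread, not SteveO86's own). VLAN numbers, port assignments and descriptions are assumptions: VLAN 100 is the primary, VLAN 101 an isolated secondary for hosts that never need to talk to each other, and the firewall's DMZ interface hangs off a promiscuous port.

```cisco
! PVLANs require VTP transparent mode (or VTP v3).
vtp mode transparent

! Primary VLAN carries the DMZ subnet; the isolated secondary is
! associated with it.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated

! Each DMZ server is a host port in the isolated VLAN: it can reach
! the promiscuous port (the firewall) but not the other servers.
interface GigabitEthernet0/1
 description DMZ web server 1 (assumed port)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet0/2
 description DMZ web server 2 (assumed port)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101

! Uplink to the firewall DMZ interface: promiscuous, mapped to the
! secondary VLAN so it can reach every isolated host.
interface GigabitEthernet0/24
 description Uplink to firewall DMZ interface (assumed port)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
```

The containment effect is that a compromised server in VLAN 101 has no layer-2 path to its neighbours; every packet it sends toward another DMZ host has to go up to the firewall, where it is subject to the DMZ policy and is logged. If two servers legitimately need to talk (a web front end and its database, say), put those two in a community secondary VLAN rather than loosening the isolated one. Verify with `show vlan private-vlan` and `show interfaces switchport` that each port landed in the intended role.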
it_consultant wrote: » What was your coworker suggesting as the other firewall vendor?
RTmarc wrote: » One question I always pose to people when these topics come up is what is the risk associated with your company. Spending gobs of money for security is important but at the end of the day is it necessary? Do you really need that level of security? (I'm speaking directly towards the question of multi-vendor, multi-firewall clusters.) It is one thing if your company is enriching uranium for the government and something totally different if your company makes plastic spoons. If that level is needed, go for provided the resources are there.
Bl8ckr0uter wrote: » I felt that it would be double work and cause latency for no reason as well. I need to check and see if there is a feature like that on Sonicwall.
Bl8ckr0uter wrote: » Good idea
Bl8ckr0uter wrote: » This is kind of what I want to do. We have a 2621xm now, I suppose that upgrading to a 2811 would be very nice. She wants to upgrade our network gear anyway so that would be ideal.
Bl8ckr0uter wrote: » Care to elaborate on your private VLANs for DMZ design?
docrice wrote: » Regardless of which design you end up going with (single or dual firewall, etc.), be sure to audit your perimeter from both outside and inside zones. I'm currently going through the GCFW SANS course (SEC502) and it's mentioned that just about any vendor can unintentionally leak packets in different ways due to improper implementation. One example cited is how different firewall vendors handle fragmented packets. How about ICMP classification and "statefulness?" It's kind of amazing how the big-name vendors have screwed up some of the basics in the past. Unless you actually went through the process of running the proper tests yourself, you would never know what really went through, regardless of what you expected from looking at your firewall configs. I'd also suggest running the lockdown / audit wizard on your border router. You figure Cisco out of all vendors would leave a lot of things turned off by default.
Bl8ckr0uter wrote: » For the short term something like an iptables Linux box or pfSense*

*He was actually surprised when I disagreed with him because I'm the "Find a non Windows way" guy at work, so he thought the moment he said something open source I would jump for it. It isn't that I am against anything open source (very far from it), I just don't see the need to have anything in this instance.
Forsaken_GA wrote: » Unfortunately, I can't comment too terribly much on the subject matter of this thread, as my opinions may reveal operational details, and that's frowned upon. I will say this though - pfsense is a kickass little appliance distro, and I've had good experiences with it as an actual piece of hardware, and as a virtual machine. It beats the snot out of the equivalents like IPCop and Untangle.
Bl8ckr0uter wrote: » In your personal, non work, totally forsaken_GA opinion if someone walked up to you and said choose between the aforementioned designs which one would you choose?
Forsaken_GA wrote: » I think it depends entirely on the data you're protecting. The more important the data, the more I would trend toward the layered approach.
phoeneous wrote: » But read up on it first. I deployed a 1921 and in the lab I ran lockdown. They aren't kidding when they say "lockdown". What's cool is you can see the commands first before running it and then pick and choose at the CLI. Too bad PVLANs aren't supported on 2950's...
SteveO86 wrote: » I did a blog post on the 1 step lockdown some time ago, and also got a link to Cisco guide to hardening IOS which has a wealth of information.