Security

I suppose you already have an idea on a potential benefit of multiple firewalls, in that the weakness of one might the strength of another, but mgmt issues and latency, not to mention cost, would be down sides. As well, if you're using any type of cachemgr, there's more cost and add'l latency. What I've done in the past was to use a "black box" solution, Cisco's PIX Firewall (wire-speed, hardened OS) with an external router to that firewall programmed for front-end protection. If you can hack past the router, you certainly won't get through the PIX. A benefit here, as mentioned, is wire-speed throughput, ease in mgmt, and low cost. Feel free to e-mail me if you have any questions. I hope this helps!

I agrre with Mottco, that it would be expensive, but there are other things that you can do to supplement your security. There are Intrusion Detection Systems, like RealSecure from ISS.net. These will work in conjunction with your firewall.

So agoodscenario is a boundary router, with specific ACL's limiting access to your network (best place for spoof protection), A firewall (hardend OS), with an Intrusion Detection System, then a choke router that limits traffic again internally into your network

You should then get a good scanner software (SATAN, Inetnet Securty Scanner, etc.) and see if you can break into your network.

Hi Scott. I tried to answer this about a week ago but got an error when submitting it. I'll give it another shot.

The main disadvantages to using a multi-vendor solution are cost and complexity. If this is something your orgnaization would support themselves then additional training and support requirements would be necessary. I believe one has to ask what they are trying to protect, what the value is, what the risks are, and what their budget is. A multi-vendor solution will make entrymuch moredifficult and discourage the "script kiddies" and such but if your organization is a target of a group or individual that really, really wants something they may very well have the resources to breach even a multi-layered approach. What doyou have to protect? How valuable is it? What are the consequences if security is compromised? What talents and resources are available to you? What are really trying to protect against?

Hope this helps!

Loren Wagner

Scott,

Your best bet is to use a router in front and behind the firewall. The router in front can be used with access lists to screen off some of the ports you will not need for any incoming connections.

But the most important action you can take is to audit you firewall after you have installed and configured it. Run a portscanner against it and make sure you are not leaving any ports open that you don't need.

Steve

Using a multi-vendor firewall solution sounds like a good concept but maintaining such a configuration could really get messy.

As the group has pointed out a hardend router in front of a firewall is a great idea. Ease of configuration and level of security provided are in a good proportion.

With that said my suggestion is this:

1. Harden your outside router to offer some protection and knock out the uneeded ports immediately.

2. Place an additional packet filtering machine behind the outside router to offer additional protection. Behind this firewall place your publicly available internet resources. This area is commonly referred to as a DMZ.

3. Place a proxy firewall next and build your corporate or private network here. This allows for a single enty point for TCP / Internet based attackes and also allows for better management of users internally. IP's from the private network block can be used here behind the proxy server.

There are literally hundreds of manufacturers of firewa