Security Basics
Thread: 2 firewalls protecting internal network
2 firewalls protecting internal network, May 24 2012 04:45AM, marco cohen (marcocohen2 gmail com) (7 replies)
RE: 2 firewalls protecting internal network, May 24 2012 06:37PM, Dan Lynch (DLynch placer ca gov) (1 reply)
RE: 2 firewalls protecting internal network, May 24 2012 04:50PM, David Gillett (gillettdavid fhda edu)
RE: 2 firewalls protecting internal network, May 24 2012 04:25PM, Mike Vella (mike bakerross co uk) (1 reply)
Re: 2 firewalls protecting internal network, May 24 2012 04:56PM, Ferreira, Steve G. (sferreira mitre org)
Re: 2 firewalls protecting internal network, May 24 2012 03:36PM, Stephanus J Alex Taidri (securityfocus ae taidri com)
firewalls are enough protection on their own. "Defense in depth" implies
different types of protection, not just layers of firewalls from
different vendors.
On 5/24/2012 2:37 PM, Dan Lynch wrote:
>> I know that there is a defence in depth idea to implement 2 firewalls,
>> each from a different vendor.
>>
>> What do you think about it? Is it practical?
>
> Whether it's practical depends in part on the complexity of the environment and of the firewall rules. But even using a single vendor, there are gains that can be had. Rather than running 25 interfaces on a single firewall, with 300+ rules, splitting the implementation can simplify the rules, and reduce the hardware performance requirement. Two $5000 boxes might replace one $25,000 box. A 300 rule policy might be replaced by two 100 rule policies.
>
> One firewall connects to external-facing DMZ networks and the internet, another divides internal business units with different security requirements from one another, segregates server networks from user networks, or test environments from production, etc. A separate firewall might reside in one business unit for connections to their external partners. One drawback is that connections that traverse multiple firewalls require a rule on each. I find this to be less of a problem than the overall reduction in complexity of the rules on each firewall.
>
> Another benefit might be to reduce the impact of maintenance downtime, and increase your flexibility in scheduling change windows. Consolidating everything into a single box subjects you to the lowest common denominator / most restrictive change policy for all connections on that box. Isolating those restrictive policies on a separate firewall could allow more flexibility for administering the other systems.
>
> As always, YMMV, and probably will.
>
> Dan Lynch, CISSP
> Information Technology Analyst
> County of Placer
> Auburn, CA
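As an added illustration of the split layout Dan Lynch describes (an edge firewall in front of the DMZ, an internal firewall segmenting users, servers and test from each other and from the DMZ), the following Python model is not code from anyone on this thread. The zone addresses, the topology and the rule sets are constructed for the example. It shows the drawback he mentions: a flow that crosses both firewalls passes only if each one carries a permit, so a rule present on the internal firewall but forgotten on the edge still gets the flow dropped.

```python
"""Two-firewall policy walk-through (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed zone map; any address outside these networks is "internet".
ZONES = {
    "dmz": ip_network("203.0.113.0/24"),
    "users": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "test": ip_network("10.30.0.0/16"),
}
INTERNAL_ZONES = {"users", "servers", "test"}
ANY = ip_network("0.0.0.0/0")


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def firewalls_on_path(src_zone: str, dst_zone: str) -> list[str]:
    """Firewalls a flow crosses, in traversal order, for the constructed topology.

    The edge firewall sits between the internet and the DMZ; the internal
    firewall sits between the DMZ and every internal zone and between the
    internal zones themselves. Traffic inside one zone is not firewalled.
    """
    if src_zone == dst_zone:
        return []
    hops = []
    if "internet" in (src_zone, dst_zone):
        hops.append("edge")
    if src_zone in INTERNAL_ZONES or dst_zone in INTERNAL_ZONES:
        hops.append("internal")
    # hops is ordered from the outside in; flip it for outbound flows
    return hops if src_zone == "internet" else list(reversed(hops))


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"

    def matches(self, s, d, port: int) -> bool:
        return s in self.src and d in self.dst and self.dport in (None, port)


# Constructed policies: short, per-device rule sets instead of one big one.
POLICY = {
    "edge": [
        Rule(ANY, ZONES["dmz"], 443, "permit"),              # public web tier
        # no rule for users browsing out: deliberately missing, see below
    ],
    "internal": [
        Rule(ZONES["users"], ZONES["servers"], 443, "permit"),
        Rule(ZONES["dmz"], ZONES["servers"], 5432, "permit"),  # web tier to database
        Rule(ZONES["test"], ZONES["servers"], None, "deny"),   # test never reaches production
        Rule(ZONES["users"], ANY, 443, "permit"),              # users browsing out
    ],
}


def evaluate(firewall: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match is the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in POLICY[firewall]:
        if rule.matches(s, d, dport):
            return rule.action
    return "deny"


def flow_decision(src: str, dst: str, dport: int) -> tuple[bool, list[tuple[str, str]]]:
    """Walk every firewall on the path; the flow passes only if all of them permit."""
    hops = firewalls_on_path(zone_of(src), zone_of(dst))
    verdicts = [(fw, evaluate(fw, src, dst, dport)) for fw in hops]
    return all(v == "permit" for _, v in verdicts), verdicts


if __name__ == "__main__":
    for src, dst, port in [
        ("198.51.100.7", "203.0.113.10", 443),   # internet -> dmz, edge only
        ("10.10.5.5", "10.20.1.1", 443),         # users -> servers, internal only
        ("10.30.1.1", "10.20.1.1", 443),         # test -> servers, denied
        ("10.10.5.5", "198.51.100.7", 443),      # users -> internet, needs both
    ]:
        print(src, "->", dst, port, flow_decision(src, dst, port))
```

The last case is the one worth watching in a real deployment: the internal firewall permits it, the edge firewall has no matching rule, and the flow is dropped at the second hop. A change that adds a path across both devices needs a ticket against each policy, which is the trade Dan accepts in exchange for two small rule sets instead of one large one.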