> The "multiple lines of defense" approach is of no help. It's not a question of
> quantity, it's a quality thing. So, increasing the number of firewalls doesn't
> solve the problem. The old principle still holds: you're as weak as your
> weakest element. If you fear plane crashes, the solution doesn't consist
> of changing planes often. After all, a plane that crashes, crashes
> in a single place! Also, as the Concorde lately showed, the most expensive
> is not the safest.

In my opinion, multiple lines of defense is a good thing, but it doesn't
mean having multiple firewalls, it means having a quality security process
that focuses security in multiple areas to defend against attacks.  (It's
not necessarily multiple physically, but more so conceptually.)  For
example, a good security process not only says you have a firewall to
filter traffic, but you also have a sound and secure network architecture,
you keep your workstations and servers secure by keeping them in line
with the latest patches, your physical security is adequate, a least
privilege principle is used in granting access to anything network
related, routine evaluations of internal security are done as well as
externally.

> If you're playing a chess game against a good player, do not hope to get safe
> just by putting pieces in some squares. You have to put the right piece in the
> right square.

I couldn't agree more.

> Finally, if the event shows that FW1 is vulnerable, then my recommendation
> is to switch to another product, such as the Gauntlet (I don't work for NAI,
> it simply happens that I know this one better than others).

I can't agree completely here.  Recommending one firewall without knowing
the requirements is not only an uninformed answer, it's a lazy one.  Each
firewall has its strengths and weaknesses.  And, I can think of one or two
ways to DoS each of them.  Keep in mind, they're software and software
isn't perfect (neither is hardware).  Security is, IMHO, about mitigating
risk.  By having the layers of security I listed above, one decreases the
risk of a single vulnerability so your enterprise's security isn't all
hinged on the quality of one product, in this case, the firewall.

// Chris
[EMAIL PROTECTED]
CCSA/CCSE/CCSI/MCP
