I've heard this referred to in certain circles as "Security in Depth".
There are many variations on the theme.
I've done a few projects for US government agencies that stipulate that
connections to other parties, such as contractors, must be protected by 2
different security technologies (generally, 2 firewalls or an exterior
firewall and an interior router that is shut down (by external agency) if
any unexpected packets are seen coming from the firewall (think syslog,
swatch and SNMP)). I've done similar things for a few ISPs. It has, so
far, worked well.
The general reasoning is that someone could find a vulnerability in one
technology (such as the much rumored "evil back door" in Checkpoint), but
would be stopped in the next layer. There are a number of other reasons
why this solution is desirable.
Obviously, you are correct that 2 of the same type of firewall is probably
not the right way to approach this.
-- Ken Seefried
At 01:20 PM 9/3/99 -0400, Shubinsky, Slava wrote:
>I've seen an interesting architecture...
>
>Net---FW1----R----FW2---R---Internet
> |
> DMZ
>
>At first this seems to be a tighter security architecture,
>but at a closer look this might be wasteful especially if
>the two firewalls are the same type. Has anyone run
>into something like this? What are the general thoughts?
>
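The monitoring step Ken describes (watch the exterior firewall's logs and drop the interior router the moment the firewall passes anything the policy does not expect) as an added example, not code from the original post or from either poster. The syslog line format, the address blocks and the allowed ports are all constructed for the example; the action taken on a hit is left as a print.

```python
"""Swatch-style check: flag firewall ACCEPTs that the inter-agency policy never allowed."""
import re
from ipaddress import ip_address, ip_network

# Constructed, vendor-neutral syslog line shape for the example (not any real firewall's format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+fw:\s+(?P<action>ACCEPT|DROP)\s+"
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)

# The only traffic the exterior firewall is supposed to pass inward (constructed values).
EXPECTED = {
    "allowed_src": [ip_network("203.0.113.0/24")],   # contractor's address block
    "allowed_dst": [ip_network("192.0.2.0/24")],     # our application segment
    "allowed_ports": {("tcp", 443), ("tcp", 22)},    # HTTPS and SSH only
}

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_expected(event, policy=EXPECTED):
    src, dst = ip_address(event["src"]), ip_address(event["dst"])
    return (any(src in n for n in policy["allowed_src"])
            and any(dst in n for n in policy["allowed_dst"])
            and (event["proto"], int(event["dport"])) in policy["allowed_ports"])

def unexpected_events(lines, policy=EXPECTED):
    """Return every line that should trigger the interior router shutdown.
    DROPs are the firewall doing its job and are ignored; ACCEPTs outside the
    policy and lines we cannot parse are both treated as unexpected (fail closed)."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            hits.append({"raw": line, "reason": "unparsable"})
        elif ev["action"] == "ACCEPT" and not is_expected(ev, policy):
            hits.append({**ev, "reason": "accept outside policy"})
    return hits

SAMPLE_LOG = [  # constructed sample lines
    "Sep  3 13:20:01 fw-ext fw: ACCEPT proto=tcp src=203.0.113.10 dst=192.0.2.20 dport=443",
    "Sep  3 13:20:02 fw-ext fw: DROP proto=tcp src=198.51.100.7 dst=192.0.2.20 dport=23",
    "Sep  3 13:20:03 fw-ext fw: ACCEPT proto=tcp src=203.0.113.10 dst=192.0.2.20 dport=23",
    "Sep  3 13:20:04 fw-ext fw: ACCEPT proto=udp src=198.51.100.7 dst=192.0.2.30 dport=53",
    "Sep  3 13:20:05 fw-ext fw: ACCEPT proto=tcp src=203.0.113.10 dst=10.0.0.5 dport=443",
    "Sep  3 13:20:06 fw-ext fw: something the parser does not recognise",
]

if __name__ == "__main__":
    for hit in unexpected_events(SAMPLE_LOG):
        print("SHUT DOWN INTERIOR ROUTER:", hit["reason"], hit.get("raw") or hit)
```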