TechRepublic : A ZDNet Tech Community

Discussion - Post 18 of 29
Firewalls are only the beginning
Performance of a single firewall with gigabit ports on the DMZ and server/user side is the best, especially if it is a PIX with per-interface policies. Adding a stateful failover unit gives you unprecedented redundancy where you don't even lose a single session.

The fact is, locking down your firewall is the most important thing, i.e. restricting administration ports like telnet/SSH/web to only one or two management stations. I have Nokia FW1 and Cisco PIX gear; the Nokia, for example, had some known Apache vulnerabilities, but it was not a problem because it doesn't allow port 80 or 443 access from anywhere except the management stations.

According to Gartner's stats, 99% of break-ins happen because of admin mistakes and overly liberal firewall rule sets. I tend to believe this because if I do an audit on all enterprise firewall installations, I'll bet 90+ percent of them don't have tight enough policies. For example, most people restrict inbound to their DMZ, but few restrict outbound from their DMZ. The most important thing to do is be diligent, constantly monitor your firewall logs, and keep it patched for all known vulnerabilities. Having two brands of firewalls makes this more difficult, and thus overall security is weaker because of the human factor. Most companies are not going to hire both a Cisco expert and a Checkpoint expert. Hackers don't need to exploit the firewalls most of the time; they exploit your servers through the holes that you open.

The best solution is a well designed single cluster with a tight policy set coupled with an intrusion detection system with shunning capabilities tied into your firewall.
Posted: 02/15/2003 @ 02:45 AM (PST)
georgeou     19
Job Role: Other IS/IT or Technology Function
Location: Sunnyvale, California
Member since: 01/04/2002



Read original item: The firewall in a multilayer security approach
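As an added example (not from the post above or from TechRepublic), the two rule-set gaps georgeou calls out, admin ports open to more than the management stations and unrestricted outbound from the DMZ, can be checked mechanically against a rule table; the zone names, addresses and the Rule layout are assumptions constructed for this example, not any vendor's format.

```python
# Audit a firewall rule set for the two policy gaps named in the post:
# admin ports (telnet/SSH/web) reachable from anything but management
# stations, and unrestricted outbound from the DMZ. Zones, addresses and
# the Rule layout are assumptions for this example, not a vendor format.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADMIN_PORTS = {22, 23, 80, 443}                 # SSH, telnet, HTTP, HTTPS
MGMT_STATIONS = {"10.1.1.10", "10.1.1.11"}     # constructed management hosts


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src: str                # host, network, or "any"
    dst_zone: str
    dst: str                # host, "any", or "firewall" for the device itself
    port: Optional[int]     # None means any port
    action: str             # "permit" or "deny"


def audit(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule number, problem) for every permit rule that is too liberal."""
    findings = []
    for num, r in enumerate(rules, 1):
        if r.action != "permit":
            continue
        # Management access to the firewall from anything but a management station
        admin_port = r.port is None or r.port in ADMIN_PORTS
        if r.dst == "firewall" and admin_port and r.src not in MGMT_STATIONS:
            findings.append((num, "admin port open beyond management stations"))
        # DMZ hosts allowed to reach any destination on any port: a compromised
        # DMZ server gets free egress, which is the gap the post describes
        if r.src_zone == "dmz" and r.dst_zone != "dmz" and r.dst == "any" and r.port is None:
            findings.append((num, "unrestricted outbound from DMZ"))
    return findings


# Constructed sample policy: rules 1 and 4 are the liberal ones
SAMPLE_RULES = [
    Rule("outside", "any", "firewall", "firewall", 22, "permit"),
    Rule("inside", "10.1.1.10", "firewall", "firewall", 443, "permit"),
    Rule("outside", "any", "dmz", "192.0.2.10", 80, "permit"),
    Rule("dmz", "any", "outside", "any", None, "permit"),
    Rule("dmz", "192.0.2.10", "inside", "10.1.2.5", 1433, "permit"),
    Rule("dmz", "any", "any", "any", None, "deny"),
]

if __name__ == "__main__":
    for num, problem in audit(SAMPLE_RULES):
        print(f"rule {num}: {problem}")
```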
