combining diff firewalls
Valentino
February 13th, 2002, 12:39 AM
I posted this on another board, but I think it belongs here instead.
How effective/ineffective is it to combine various firewalls?
Like using them simultaneously?
Please cover both: combining different software products and combining hardware with software firewall solutions.
Thanks for your answers
Valentino
niboreon
February 13th, 2002, 01:06 AM
If you are putting together a strategy for "defense in depth", then simultaneously utilizing different products at different layers is effective.
For instance, you could have the following scenario, using a different vendor and hardware platform for each level:
1. deploy basic packet filtering ACLs on an outside router:
[advantage] fairly effective and user transparent
[disadvantage] common vulnerabilities and patient sniffing will allow bypass
2. deploy stateful content filtering on the firewall in the DMZ
[advantage] traffic and application specific filtering beyond (1)
[disadvantage] performance hit
3. proxy server
[advantage] security by obscurity - gives you another layer to hide behind, can be used in tandem, on the same machine as (2) or (4)
4. deploy a host based firewall on the machine you are trying to protect
What this does is limit the ability to compromise your system to people who can get through every line of defense. In the above scenario, the purpose of using a different vendor's product at each level is that all products have some amount of vulnerability.
Remember too that it's worthwhile to implement IDS-specific services, such as Snort at the network level and perhaps Tripwire at the host level, and to use encryption such as PGP or IPSEC.
That's my $0.02 cents worth.:p
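A small simulation of the layered design laid out in this post, added here as an example (not code from the original thread): each layer only sees the traffic the previous one let through, so a stateless border ACL, a stateful DMZ firewall and a host firewall each catch something the others miss. The addresses, ports and rules are constructed for the demo.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool          # True = arriving from the Internet, False = leaving the host
    syn: bool = False
    ack: bool = False
# Layer 1: stateless ACL on the border router. It judges each packet on its own,
# so it can only approximate "replies" by the ACK flag (an "established"-style rule).
def border_acl(p: Packet, published) -> bool:
    if p.src.startswith("10."):            # constructed rule: drop private (spoofed) sources
        return False
    return (not p.inbound) or p.dport in published or p.ack
# Layers 2 and 4: a stateful filter that remembers flows the host opened and admits
# inbound traffic only for those flows or for the ports it publishes.
class StatefulFirewall:
    def __init__(self, published):
        self.published = set(published)
        self.flows = set()                 # (host, host_port, peer, peer_port)
    def allow(self, p: Packet) -> bool:
        if not p.inbound:
            if p.syn:
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        if p.dport in self.published:
            return True
        return p.ack and (p.dst, p.dport, p.src, p.sport) in self.flows
def run_layers(packets, layers):
    """layers: list of (name, predicate). Returns which layer dropped each packet."""
    verdicts = []
    for p in packets:  # a dropped packet never reaches the later layers
        verdicts.append(next((f"dropped by {name}" for name, ok in layers if not ok(p)), "delivered"))
    return verdicts
def demo():
    host = "192.0.2.10"                    # constructed documentation-range addresses
    layers = [("border ACL", lambda p: border_acl(p, {80, 443})),
              ("DMZ stateful firewall", StatefulFirewall({80, 443}).allow),
              ("host firewall", StatefulFirewall({443}).allow)]
    packets = [Packet("10.1.1.1", 4000, host, 443, True, syn=True),       # spoofed private source
               Packet("198.51.100.5", 4001, host, 443, True, syn=True),   # legitimate HTTPS client
               Packet(host, 50000, "203.0.113.7", 80, False, syn=True),   # host opens outbound HTTP
               Packet("203.0.113.7", 80, host, 50000, True, ack=True),    # genuine reply to that flow
               Packet("198.51.100.77", 4002, host, 22, True, ack=True),   # unsolicited ACK, no flow
               Packet("198.51.100.5", 4003, host, 80, True, syn=True)]    # port the host does not serve
    return run_layers(packets, layers)
```

The unsolicited ACK slips past the ACL's flag check but is stopped by the stateful layer, and the request to port 80 passes both perimeter layers but is refused by the host firewall that publishes only 443.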
gold eagle
February 13th, 2002, 03:53 AM
niboreon lays out a good strategy.
I have not built mine quite that way for a few reasons.
I would not put a host based fw on the host I'm trying to protect. That is the job of all the other security in place. Consider a load balanced cluster of webservers running ssl and other intensive wares further burdened by a fw. Running an ecom site would choke the cpus big time regardless of os (this would be mitigated to some degree if using ssl accelerators and other cache hardware) and cause timeouts in the cluster. Not to mention the session deaths.
Another consideration is if you have comm servers within the dmz or worse, data engines.
Rather, I would put a HIDS agent on the box to be protected. I would put the second (or third, etc.) fw further down the "chain" towards your inside networks. This can also be accomplished with further pfrs as needed.
iNViCTuS
February 13th, 2002, 04:31 PM
Originally posted by niboreon
If you are putting together a strategy for "defense in depth" then simultaneously utilizing different products, at different layers is effective.
Right from the writings of Lance Spitzner....lol....jk
This is a very good post and I agree with it almost entirely, up until #4. The only reason I would say this is because I would rather see a host based IDS agent that can be centrally managed instead of a personal firewall. Personal firewalls are more or less intended for personal use (hence the name). I have not had good luck with deploying them in the enterprise.
Either Cisco's HIDS or Symantec ITA would do a beautiful job in this situation. They are much more flexible than a personal firewall, and have much better logging and alerting capabilities. But anyway...instead of rambling on about this in this forum...if anyone wants to know more, start a post in the IDS forum, and I will be glad to help.
gold eagle
February 13th, 2002, 04:46 PM
iNViCTuS - precisely. Maybe I'll start a new thread on it. :D
Valentino
February 15th, 2002, 02:55 AM
Thanks again for your very good answers. They are really helpful.
Now I must only try to understand everything said in them, but as far as I did understand it, there still is hope for me to get some security for my PC.
Gratefully yours
Valentino
bryan_s_w
February 17th, 2002, 08:40 AM
For personal PC firewall use I currently use 2. And I change them often. I was using Zone Alarm and Black Ice, until I noticed a CNN news article about Black Ice actually letting hackers get into your computer easier than without it. I have gotten the new patch and am currently using it again.
I find that if I keep at least 2 firewalls running, one will block certain intruders and the other one will let them in, or vice versa. What I try to do is keep up to date on the new updates and patches on different versions to keep my chances of getting hacked down.
I prefer to run firewalls that are somewhat specific in their task: Zone Alarm is an application based firewall, while Black Ice is more of a packet watching type of firewall. I have to admit Sygate is one that has a lot of features that I like; it also uses applications and packet types in one.
I have not found much info about running more than one on a PC, but I feel more secure than not by doing so. Most people that I have talked to about it seem to think there is no reason to do so, but what I have found is that if someone finds an exploit in one of them they are less likely able to get through both of your firewalls.
AnthonyGayden
February 17th, 2002, 09:16 AM
Valentino, the question is how much protection do you want? I know several people who use multiple proxies and a router/software firewall combo in the hope of having that extra bit of protection. Also, are you trying to protect a home PC with an always-on internet connection and static IP? Or are you trying to protect a network server, or a dial-up connection?
kadeng
February 17th, 2002, 10:51 AM
Hi, my security on my home PC [Win 98 SE] with ADSL is Norton Personal Firewall together with an xDSL router [NAT enabled]!
I'm using Morpheus 24/7.
Without the router I got a lot of warnings!
After deploying the xDSL router [Dec 2001], no more alerts from Norton Personal Firewall!
Now I'm still using Norton Personal Firewall to guard my privacy.
I wonder if I will ever get an alert?
gold eagle
February 17th, 2002, 01:05 PM
My guess - eventually.
kadeng
February 18th, 2002, 11:42 PM
http://www.agnitum.com/products/outpost/compare.html
This link did open my eyes!
Very usefulllllllll
the_JinX
February 19th, 2002, 12:11 AM
The more strange firewalls you combine, the harder it gets...
The best solution is still to write your own...
[WebCarnage]
February 19th, 2002, 12:15 AM
The more strange firewalls you combine, the harder it gets...
The best solution is still to write your own...
Or just get two of the best...
I have Tiny and ZoneAlarm Pro dual running on my PC 24/7. Really helps in stopping those damned kidz from NetBussing/Sub7ing/BO2king my box if ever I get infected. :)
Berry Nehagen
February 21st, 2002, 11:59 AM
The Outpost comparison hasn't updated the firewall list; Sygate is still at 4.x, so don't trust the chart all that completely. But what it says about ZA is probably true.
Focmaester
February 21st, 2002, 01:27 PM
The best solution would be an OpenBSD 3.0 box with IPF.
But hey, you can still run personal firewalls on your clients; besides, what if you take your laptop to a LAN party? Do you take a separate box with a firewall as well? :D
gold eagle
February 21st, 2002, 02:19 PM
Well, like all things at a LAN party, make sure your laptop knows who it is "exchanging" with.
:D