
Thread: combining diff firewalls

  1. #1
    Junior Member
    Join Date
    Feb 2002
    Posts
    26

    combining diff firewalls

    I posted this on another board, but I think it belongs here instead.

    How effective/ineffective is it to combine various firewalls?
    Like using them simultaneously?

    Please cover both: combining different software products and combining hardware with software firewall solutions.
    Thanks for your answers.

    Valentino


  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    157

    combining is good

    If you are putting together a strategy for "defense in depth" then simultaneously utilizing different products, at different layers is effective.

    For instance, you could have the following scenario, using a different vendor and hardware platform for each level:
    1. deploy basic packet filtering ACLs on an outside router:
    [advantage] fairly effective and user transparent
    [disadvantage] common vulnerabilities and patient sniffing will allow bypass

    2. deploy stateful content filtering on the firewall in the DMZ
    [advantage] traffic and application specific filtering beyond (1)
    [disadvantage] performance hit

    3. proxy server
    [advantage] security by obscurity - gives you another layer to hide behind, can be used in tandem, on the same machine as (2) or (4)

    4. deploy a host based firewall on the machine you are trying to protect

    What this does is limit the ability to compromise your system to people who can get through every line of defense. In the above scenario, the reason for using a different vendor's product at each level is that all products have some amount of vulnerability.

    Remember too that it's worthwhile to implement IDS-specific services, such as Snort at the network level and perhaps Tripwire at the host level, and to use encryption such as PGP or IPSEC.


    That's my $0.02 worth.
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=
    Noah built the ark BEFORE it rained.


    http://ld.net/?rn
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=
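    An added illustration of the layered scenario in the reply above (not code from the poster or from any product named in the thread): each layer applies its own independent rule set, and a packet reaches the protected host only if every layer permits it. The addresses, ports and rules are constructed for the example, and the host is assumed to serve HTTPS only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool  # True for a new-connection attempt, False for mid-stream traffic

# Constructed example addresses (RFC 5737 documentation ranges).
DMZ_WEB = "203.0.113.10"
OUTSIDE = "198.51.100.7"

def router_acl(pkt, state):
    """Layer 1: stateless packet-filtering ACL on the outside router.
    It only sees header fields, so it cannot tell mid-stream traffic from a
    forged packet; it simply permits TCP/80 and TCP/443 to the DMZ host."""
    return pkt.dst == DMZ_WEB and pkt.dport in (80, 443)

def stateful_fw(pkt, state):
    """Layer 2: stateful firewall in the DMZ.
    A new connection (SYN) is admitted and recorded; non-SYN traffic passes
    only if it belongs to a connection already in the state table."""
    key = (pkt.src, pkt.dst, pkt.dport)
    if pkt.syn:
        state.add(key)
        return True
    return key in state

def host_fw(pkt, state):
    """Layer 4: host-based firewall on the web server, which runs HTTPS only."""
    return pkt.dport == 443

LAYERS = [("router ACL", router_acl),
          ("stateful DMZ firewall", stateful_fw),
          ("host firewall", host_fw)]

def evaluate(pkt, state):
    """Run the packet through every layer in order; the first layer that
    denies it wins. Returns ("allowed", None) or ("denied", layer_name)."""
    for name, check in LAYERS:
        if not check(pkt, state):
            return ("denied", name)
    return ("allowed", None)

if __name__ == "__main__":
    table = set()
    for p in (Packet(OUTSIDE, DMZ_WEB, 443, True),   # legitimate HTTPS connect
              Packet(OUTSIDE, DMZ_WEB, 22, True),    # stopped at the router
              Packet(OUTSIDE, DMZ_WEB, 80, False),   # untracked: stateful layer drops it
              Packet(OUTSIDE, DMZ_WEB, 80, True)):   # passes 1 and 2, host denies
        print(p.dport, p.syn, evaluate(p, table))
```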

  3. #3
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    niborean lays out a good strategy.

    I have not built mine quite that way for a few reasons.

    I would not put a host-based fw on the host I'm trying to protect. That is the job of all the other security in place. Consider a load-balanced cluster of webservers running SSL and other intensive wares, further burdened by a fw. Running an ecom site would choke the CPUs big time regardless of OS (this would be mitigated to some degree if using SSL accelerators and other cache hardware) and cause timeouts in the cluster. Not to mention the session deaths.

    Another consideration is if you have comm servers within the dmz or worse, data engines.

    Rather, I would put a HIDS agent on the box to be protected. I would put the second (or third, etc.) fw further down the "chain" towards your inside networks. This can also be accomplished with further pfrs as needed.
    Trappedagainbyperfectlogic.

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    458

    Re: combining is good

    Originally posted by niboreon
    If you are putting together a strategy for "defense in depth" then simultaneously utilizing different products, at different layers is effective.

    Right from the writings of Lance Spitzner....lol....jk

    This is a very good post and I agree with it almost entirely, up until #4. The only reason I would say this is because I would rather see a host-based IDS agent that can be centrally managed instead of a personal firewall. Personal firewalls are more or less intended for personal use (hence the name). I have not had good luck with deploying them in the enterprise.

    Either Cisco's HIDS or Symantec ITA would do a beautiful job in this situation. They are much more flexible than a personal firewall, and have much better logging and alerting capabilities. But anyway...instead of rambling on about this in this forum...if anyone wants to know more, start a post in the IDS forum, and I will be glad to help.

  5. #5
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    iNViCTuS - precisely. Maybe I'll start a new thread on it.
    Trappedagainbyperfectlogic.

  6. #6
    Junior Member
    Join Date
    Feb 2002
    Posts
    26
    Thanks again for your very good answers. They are really helpful.

    Now I must only try to understand everything said in them, but as far as I did understand it, there still is hope for me to get some security for my PC.

    Gratefully yours,
    Valentino


  7. #7
    Junior Member
    Join Date
    Feb 2002
    Posts
    1
    For personal PC firewall use I currently use 2. And I change them often. I was using Zone Alarm and Black Ice, until I noticed a CNN news article about Black Ice actually letting hackers get into your computer easier than without it. I have gotten the new patch and am currently using it again.

    I find that if I keep at least 2 firewalls running, one will block certain intruders and the other one will let them in, or vice versa. What I try to do is keep up to date on the new updates and patches on different versions to keep my chances of getting hacked down.

    I prefer to run firewalls that are somewhat specific in their task; Zone Alarm is an application-based firewall, while Black Ice is more of a packet-watching type of firewall. I have to admit Sygate is one that has a lot of features that I like; it also uses applications and packet types in one.

    I have not found much info about running more than one on a PC, but I feel more secure than not by doing so. Most people that I have talked to about it seem to think there is no reason to do so, but what I have found is that if someone finds an exploit on one of them they are less likely to be able to get through both of your firewalls.

  8. #8
    Valentino, the question is how much protection do you want? I know several people who use multiple proxies and a router/software firewall combo in the hope of having that extra bit of protection. Also, are you trying to protect a home PC with an always-on internet connection and static IP? Or are you trying to protect a network server, or a dial-up connection?
    Jealousy consumes the weak.
    http://www.badconnections.net

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    244

    Re: combining diff firewalls

    Hi, my security on my home PC [Win 98 SE] with ADSL is Norton Personal Firewall together with an
    xDSL router [NAT enabled]!
    I'm using Morpheus 24/7.
    Without the router I got a lot of warnings!
    After deploying the xDSL router [dec 2001], no more alerts from Norton Personal Firewall!
    Now I'm still using Norton Personal Firewall to guard my privacy.

    Wonder if I ever will get an alert?
    I'm gone, thx everyone for so much fun and good info.
    Cheers and good bye

  10. #10
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    My guess - eventually.
    Trappedagainbyperfectlogic.
