Check out Dragon Sensor.  It has a client that sits outside the firewall to
communicate with the internal sensors.  Personally, at the risk of starting
a flame war, I hate the idea of running ANYTHING besides firewall software
on a firewall.  IDS just adds strain and possible added points of failure
when run on the firewall in my opinion.  IDS should just sit by & passively
check packets on a separate box.

Allen

----- Original Message -----
From: "Kent Hundley" 
To: 
Sent: Saturday, August 25, 2001 1:19 PM
Subject: RE: PIX design question [7:16801]


> Patrick,
>
> First, I'm generally not a fan of the interface-to-interface design for
> firewalls for one simple reason: IDS.  If you wanted to deploy any kind of
> IDS, and I highly recommend that you do, you would not be able to place a
> sensor between the Internet and Intranet firewalls.  Switches are cheap and
> add no amount of latency that will be noticeable.  I wouldn't do it this
> way.
>
> As to the second question, it's best to keep servers on protected DMZs.  I
> would place the servers in question on the Internet firewall's DMZ for
> consistency and simplicity of design.
>
> HTH,
> Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Patrick Donlon
> Sent: Wednesday, August 22, 2001 6:56 AM
> To: [EMAIL PROTECTED]
> Subject: PIX design question [7:16801]
>
>
> We are in the middle of migrating to a new network; this includes replacing
> Checkpoint firewalls with PIX. My question concerns the proposed design of
> the Internet and IntrAnet PIX firewalls and in particular a connection
> between the two firewalls. It has been suggested that we connect the
> IntrAnet firewall's outside interface to one of the Internet firewall's DMZs.
> I can see that this may reduce latency for traffic passing to the Internet
> from our intrAnet, but I'd like to hear anyone's thoughts on this one,
> routing or security issues perhaps.
>
> Another design issue which was raised was the placement of some servers on
> the same outside interface of the intrAnet firewall. These servers would
> require access to one of the intrAnet firewall's DMZs and be accessible from
> another DMZ on the Internet firewall, which in turn is accessible from
> the Internet. This seems a bit of a complicated design and could be a
> security loophole (??). Thoughts and experiences please.
>
> regards Pat
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17396&t=16801
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
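The two topologies argued over in this thread, sketched in PIX 6.x and Catalyst IOS syntax as an added example from the editor, not configuration posted by Allen, Kent or Pat. It shows Kent's alternative to Pat's interface-to-interface cable: a switch as a transit segment between the two PIXes, with a SPAN port feeding the separate passive sensor Allen describes, and the published servers on the Internet PIX's own DMZ. Every interface name and address (203.0.113.0/24 outside, 192.168.20.0/24 transit segment, 192.168.10.0/24 DMZ, 10.0.0.0/16 intranet) is an assumption for illustration, and the lines beginning with `!` are annotations, not commands.

```text
! --- Internet PIX (PIX 6.x; all addresses are assumed for illustration) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! "inside" here is a transit segment on its own switch, not a direct cable
! into the Intranet PIX.  The intranet sits behind the Intranet PIX's outside
! address on that segment.
route inside 10.0.0.0 255.255.0.0 192.168.20.2 1
! Single point of NAT for intranet hosts heading to the Internet
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
global (outside) 1 interface
! Kent's recommendation: publish servers from this PIX's DMZ, not from the
! Intranet PIX's outside segment.  Only HTTP is permitted in from the Internet.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! --- Intranet PIX ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.20.2 255.255.255.0
ip address inside 10.0.0.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 192.168.20.1 1
! Identity NAT: intranet addresses cross the transit segment untranslated,
! so the sensor below records the real internal source of outbound traffic
! rather than one PAT address.
nat (inside) 0 10.0.0.0 255.255.0.0

! --- Transit switch between the two PIXes (Catalyst IOS syntax) ---
! Fa0/1 = Internet PIX inside, Fa0/2 = Intranet PIX outside,
! Fa0/24 = passive IDS sensor on its own box, as Allen argues for
interface FastEthernet0/24
 description IDS sensor (SPAN destination)
monitor session 1 source interface FastEthernet0/1 - 2 both
monitor session 1 destination interface FastEthernet0/24
```

Pat's cable from the Intranet PIX's outside into an Internet PIX DMZ works, but there is then no segment to mirror, which is Kent's whole objection; the transit switch costs one extra hop and buys the SPAN port. Two further notes from the editor: with the servers on `dmz` and the Intranet PIX on `inside`, the server-to-intranet flows Pat describes would have to be permitted explicitly across those security levels rather than riding on a shared segment, which is what makes the design auditable; and PIX 6.x does have a built-in signature engine (`ip audit`), which is precisely the on-firewall IDS Allen prefers not to rely on in place of a dedicated sensor.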