Nah, I didn't misunderstand... I think my response was the unclear portion.  I
was referring to those who run IDS and firewall software on a PC-based
firewall ;)

----- Original Message -----
From: "Kent Hundley" 
To: 
Sent: Monday, August 27, 2001 4:11 PM
Subject: RE: PIX design question [7:16801]


> I think you misunderstood my response.  I wasn't saying to run IDS on the
> PIX, I was saying that a good reason not to run a cross-over cable between
> the Intranet PIX and Internet PIX was so that one could deploy an IDS
> sensor between the 2 PIXen and this would require a switch.  Sorry if this
> wasn't clear.
>
> -Kent
>
> -----Original Message-----
> From: Allen May [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 27, 2001 7:48 AM
> To: Kent Hundley; [EMAIL PROTECTED]
> Subject: Re: PIX design question [7:16801]
>
>
> Check out Dragon Sensor.  It has a client that sits outside the firewall to
> communicate with the internal sensors.  Personally, at the risk of starting
> a flame war, I hate the idea of running ANYTHING besides firewall software
> on a firewall.  IDS just adds strain and possible added points of failure
> when run on the firewall in my opinion.  IDS should just sit by &
> passively check packets on a separate box.
>
> Allen
>
> ----- Original Message -----
> From: "Kent Hundley"
> To:
> Sent: Saturday, August 25, 2001 1:19 PM
> Subject: RE: PIX design question [7:16801]
>
>
> > Patrick,
> >
> > First, I'm generally not a fan of the interface to interface design for
> > firewalls for one simple reason: IDS.  If you wanted to deploy any kind of
> > IDS, and I highly recommend that you do, you would not be able to place a
> > sensor between the Internet and Intranet firewalls.  Switches are cheap and
> > add no amount of latency that will be noticeable.  I wouldn't do it this
> > way.
> >
> > As to the second question, it's best to keep servers on protected DMZs.  I
> > would place the servers in question on the Internet firewall's DMZ for
> > consistency and simplicity of design.
> >
> > HTH,
> > Kent
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Patrick Donlon
> > Sent: Wednesday, August 22, 2001 6:56 AM
> > To: [EMAIL PROTECTED]
> > Subject: PIX design question [7:16801]
> >
> >
> > We are in the middle of migrating to a new network; this includes replacing
> > Checkpoint firewalls with PIX. My question concerns the proposed design of
> > the Internet and IntrAnet PIX firewalls and in particular a connection
> > between the two firewalls. It has been suggested that we connect the
> > IntrAnet firewall's outside interface to one of the Internet firewall's DMZs.
> > I can see that this may reduce latency for traffic passing to the internet
> > from our intrAnet but I'd like to hear anyone's thoughts on this one,
> > routing or security issues perhaps.
> >
> > Another design issue which was raised was the placement of some servers in
> > the same outside interface of the intrAnet firewall. These servers would
> > require access to one of the intrAnet firewall's DMZs and be accessible from
> > another DMZ on the internet firewall which is in turn accessible from
> > the Internet. This seems a bit of a complicated design and could be a
> > security loophole (??). Thoughts and experiences please.
> >
> > regards Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17536&t=16801