
[EMAIL PROTECTED] said:
> Using a firewall behind a perimeter router allows you to implement
> "defense in depth", or multiple barriers between your protected
> network and the public Internet.  Using this "defense in depth"
> strategy you can implement a portion of your security or access
> control policy on the router and a portion on the firewall.

All very true, and very important.

Defense in depth also allows for the possibility of a "best of breed" 
approach.  If, for example, one vendor has a superior SMTP proxy, you can place 
his product in front of your mail server and other vendors' product(s) in 
front of other servers, exploiting their respective strengths.

I realize this may not be practical for all installations, in particular the 
smaller ones, and that it adds administrative complexity, which is usually not 
a good thing in the security context, but the benefits may outweigh the 
detractions for some folks.


The other reason to use a multi-layered approach is rather obvious:  The 
attacker must penetrate multiple layers.  Stacking two or more identical 
layers may not offer much improvement, as all are probably penetrable to the 
same degree.  But if they are different (products, versions, configurations, 
etc.), then the attacker has to work at every layer.  The defender (security 
administrator) has the opportunity to detect and take corrective action at each 
and every layer.


AL
-- 
+--------------------------------------------------------------------+
| Al Potter                           Manager, Network Security Labs |
| apotter at-yay icsa ot-day net                           ICSA Labs |
| (If the spambots learn piglatin...)                                |
| PGP Key: 0x58C95451                            http://www.icsa.net |
| PGP Fingerprint:  D3 1D BE 8C B5 DD 12 61  5A 4A 65 32 93 E5 D9 36 |
+--------------------------------------------------------------------+


