Tuesday, December 11, 2018

Two firewalls or not two firewalls?

That is the question... excuse my attempt to bring humor to a firewall discussion. I am not sure exactly where it started, but it seems that having two firewalls is assumed to offer some kind of defense in depth. This idea then evolved into having two firewalls from different vendors. Does this model really offer defense in depth, or does it just add unnecessary complexity? I have also seen designs that choose "best of breed" for certain functions: for example, a Palo Alto at the perimeter for its complete, robust feature set, and an ASA as the second firewall for reliability, simple L4 filtering and further segmentation. Now that many firewalls support virtualization, multiple virtual firewalls are deployed on a single physical firewall to achieve this defense-in-depth strategy.

Personally, I do not see added value in multiple firewalls for the sake of having multiple firewalls. In the case of a public DMZ application with a three-tier design, I can see putting the database server behind the second firewall. Or deploying multiple virtual firewalls to handle different security features because different groups manage IPS and firewalls: for example, one VSYS deployed in vwire mode for IPS/threat management and another VSYS for classic firewall functions.
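One way to put the question on a concrete footing is to ask what traffic the second tier would block that the first already lets through. The following is an added example (not code from the original post) that models two stacked first-match L4 policies over a three-tier DMZ and checks whether the inner tier is redundant for a set of flows. The zones, addresses, ports and the "temporary" broad rule on the perimeter are constructed for the example.

```python
"""Model of stacked (two-tier) firewall policies to test whether the second
tier actually enforces anything the first does not.  Added example, not code
from the original post; addresses, ports and rules are made-up sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR; "0.0.0.0/0" means any source
    dst: str              # CIDR; "0.0.0.0/0" means any destination
    dport: Optional[int]  # None means any port
    action: str           # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == f.dport))


class Firewall:
    """First-match policy with a default action, like a classic L4 ACL.
    `protects` is the address space sitting behind this tier: a flow only
    traverses the tier if its destination is inside that space."""

    def __init__(self, name: str, rules: List[Rule],
                 protects: str = "0.0.0.0/0", default: str = "deny"):
        self.name, self.rules, self.protects, self.default = name, list(rules), protects, default

    def on_path(self, f: Flow) -> bool:
        return ip_address(f.dst) in ip_network(self.protects)

    def decide(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        return self.default


def path_decision(tiers: List[Firewall], f: Flow) -> str:
    """A flow crosses the stack only if every tier on its path allows it."""
    return "allow" if all(t.decide(f) == "allow" for t in tiers if t.on_path(f)) else "deny"


def second_tier_value(outer: Firewall, inner: Firewall, flows: List[Flow]) -> List[Flow]:
    """Flows the outer tier permits that the inner tier still blocks.
    An empty list means the inner tier adds no enforcement for this traffic."""
    return [f for f in flows
            if outer.decide(f) == "allow" and inner.on_path(f) and inner.decide(f) == "deny"]


# Constructed sample zones for a three-tier DMZ application.
ANY, WEB, APP, DB = "0.0.0.0/0", "10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"

INTENDED = [
    Rule(ANY, WEB, 443, "allow"),   # internet -> web tier
    Rule(WEB, APP, 8080, "allow"),  # web -> app tier
    Rule(APP, DB, 5432, "allow"),   # app -> database
]

# Perimeter as designed.
outer_ok = Firewall("perimeter", INTENDED)
# Same perimeter with a broad "temporary" rule left behind by a troubleshooting
# session (a constructed misconfiguration for the example).
outer_loose = Firewall("perimeter-loose", [Rule(WEB, "10.0.0.0/8", None, "allow")] + INTENDED)
# Second firewall that just mirrors the perimeter policy in front of everything internal.
inner_mirror = Firewall("inner-mirror", outer_loose.rules, protects="10.0.0.0/8")
# Second firewall with its own narrow segmentation in front of the DB tier only.
inner_strict = Firewall("inner-db", [Rule(APP, DB, 5432, "allow")], protects=DB)

SAMPLE_FLOWS = [                               # constructed sample traffic
    Flow("198.51.100.7", "10.1.0.10", 443),    # client -> web
    Flow("10.1.0.10", "10.2.0.20", 8080),      # web -> app
    Flow("10.2.0.20", "10.3.0.5", 5432),       # app -> db (legitimate)
    Flow("10.1.0.10", "10.3.0.5", 5432),       # web -> db directly (should never be allowed)
]

if __name__ == "__main__":
    for outer in (outer_ok, outer_loose):
        for inner in (inner_mirror, inner_strict):
            caught = second_tier_value(outer, inner, SAMPLE_FLOWS)
            print(f"{outer.name} + {inner.name}: inner tier blocks {len(caught)} flow(s) {caught}")
```

Run as-is, the mirrored inner tier never blocks anything the perimeter allowed, whichever perimeter policy is in force: a second box with the same rules is pure complexity. The narrow DB-tier firewall blocks the web-to-DB flow only when the perimeter is misconfigured; with the intended perimeter policy it is also redundant. That is the practical test for any second tier, regardless of vendor: it earns its keep only if it is default-deny, its rule set is independently narrower than the outer one, and it is changed by a different process, so that one bad rule does not propagate to both.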

Thoughts?
