Great Circle Associates Firewalls
(October 1997)

Subject: Re: Single point of failure.
From: "Greg Barnes" <greg @ ou812 . com>
Date: Thu, 9 Oct 1997 15:56:58 +0000
To: bjm @ fl . dk, Firewalls @ GreatCircle . COM
Comments: Authenticated sender is <greg @ mail . webnology . com>

On 9 Oct 97, bjm @ fl . dk wrote about Single point of failure.:

[snip]
>      A couple of firewall products offer the ability to support multiple 
>      network interface cards. These products are often used in solutions 
>      where different kind of user groups, servers/services etc. are 
>      separated on different LAN-segments connected to the firewall. If a 
>      company uses this functionality on a firewall, they introduce a single 
>      point of failure which I think is often neglected or forgotten.

There are more single points of failure in any given network on any 
given day than I think most care to admit.  While this does not 
negate your argument, these options are best weighed in a 'risk-analysis'. 
You check your probable risks, improbable risks and 
possible risks associated with a given network/network device.  You 
then take very specific and measurable steps to protect the device or 
the network as a whole.  Backup devices are ALWAYS a good thing, but 
rarely financially feasible.  If the probable winds up being a 
directed attack or a high failure rate for the firewall then a backup 
is in order.  If not...?  While I abhor the fact that finances 
are sometimes an issue when planning/protecting your network I do 
respect a calculated risk.  

The short version of my philosophy...which is subject to change at 
any moment without prior notice from the management.  ;-)

1.  Sometimes you're better off setting up a link state routing protocol on 
your backbone, adding a redundant link and adding access lists to each of 
your routers (solving the lack of dynamic recovery on a failed state 
interface).

2. The support for additional security features through the use of 
`packet header extensions' provided by IPv6 (thus allowing every host 
behind the gateway router to authenticate / deny incoming packets) 
eliminates the 'all or nothing' philosophy of the firewall.  To some 
this is a more appetizing course of action.  Especially since IPv6 is 
free.

Firewalls (no offense) be damned if I can have my cake and eat it too.


Egads....I wrote a book even. =-o


Regards,

Greg Barnes
Webnology LLC

 ________________________________________________
|\===============W=E=B=N=O=L=O=G=Y===============\
       greg @ ou812 . com    Phone  (830)768-2292
       noc @ ou812 . com     FAX    (830)774-1518
|/===============W=E=B=N=O=L=O=G=Y===============/

'If you're a horse and someone gets on you and falls off, then 
gets right back on you...I think you should buck him off right 
away'
                    -- Deep Thoughts, By Jack Handey

*ANTISPAM-NOTE* To respond to this message, replace 
'ou812.' with 'webnology.' in the return address.
