The Argument Around Multiple Firewalls
My good friend Jack Germain of ECT News Network just finished an article on this. Check it out here.
http://www.technewsworld.com/story/66150.html
I can think of at least three good reasons why companies deploy multiple firewalls.
1. No single firewall does everything exceptionally well
2. Running multiple firewalls lets a customer determine which model should sit in front and do the heavy lifting
3. Customers don’t trust a single firewall technology
Let’s face it, no two firewalls on the market today are alike. Some are very good at Denial of Service (DoS) protection, while others handle rate shaping or packet inspection better than the rest. So depending on the customer’s application and traffic needs, a different firewall brand might be in order. I would caution users of the dual or quad firewall topology, though: the more firewalls you put in your network, the more difficult troubleshooting becomes, because every dropped session now has several places it could have been dropped.
You might have heard me make the statement that I feel firewalls are an older security technology and that newer technology like an Intrusion Prevention System (IPS) is the logical replacement.
There are, however, firewall functions that an IPS still needs to deliver before it can be a full-fledged firewall replacement. One of the mandatory features is NAT. Most firewalls today provide NAT, and an IPS does not. A drawback of today’s firewalls is port 80. With so many newer applications now tunneling through port 80 (because everyone knows it is open for web traffic), a port-based firewall cannot tell them apart: it allows the connection on the assumption that anything on port 80 is legitimate web traffic and never looks at the payload. An IPS inspects the payload of everything, regardless of port.
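To make the port 80 point concrete, here is a small added example (my own illustration, not code from the article or from any firewall or IPS vendor) that runs a port-based allow rule and a payload-inspection check over a few constructed packets. The Packet class, the ALLOWED_PORTS set and the sample payloads are all assumptions made up for the demonstration; the HTTP check is a coarse request-line conformance test, not a real IPS signature engine.

```python
# Added example: port-based firewall rule versus payload inspection on port 80.
# Everything here (Packet, ALLOWED_PORTS, SAMPLES) is constructed for illustration.
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Policy of a classic port-based firewall: allow inbound web ports, drop everything else.
ALLOWED_PORTS = {80, 443}


def firewall_verdict(pkt: Packet) -> str:
    """Port-based decision only; the payload is never examined."""
    return "ALLOW" if pkt.dport in ALLOWED_PORTS else "DROP"


# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP1_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n"
)
# HTTP/2 cleartext connection preface, so h2c on port 80 is not misreported.
HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def looks_like_http(payload: bytes) -> bool:
    """True when the first bytes of the stream conform to an HTTP/1.x request or the HTTP/2 preface."""
    return HTTP1_REQUEST_LINE.match(payload) is not None or payload.startswith(HTTP2_PREFACE)


def ips_verdict(pkt: Packet) -> str:
    """Payload inspection: on port 80, anything that is not HTTP is an anomaly worth alerting on."""
    if pkt.dport == 80 and not looks_like_http(pkt.payload):
        return "ALERT: non-HTTP traffic on port 80"
    return "PASS"


# Constructed sample traffic (not captured from a real network).
SAMPLES = [
    Packet("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet("10.0.0.5", "203.0.113.10", 80, b"SSH-2.0-OpenSSH_7.4\r\n"),  # SSH tunnelled over port 80
    Packet("10.0.0.5", "203.0.113.10", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello on 80
    Packet("10.0.0.5", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_7.4\r\n"),  # SSH on its own port
]


def evaluate(samples=SAMPLES):
    """Return (dport, firewall verdict, IPS verdict) for each sample packet."""
    return [(p.dport, firewall_verdict(p), ips_verdict(p)) for p in samples]


if __name__ == "__main__":
    for dport, fw, ips in evaluate():
        print(f"dport={dport:<4} firewall={fw:<6} ips={ips}")
```

The two tunnelled packets (SSH and TLS on port 80) are ALLOWed by the port rule and only caught by the payload check, while the plain SSH connection on port 22 is DROPped by the firewall before the IPS ever sees it. That is the whole argument in miniature: the firewall decides on the port, the IPS decides on the content, and neither check alone is sufficient. The conformance test here is deliberately narrow; a production IPS would decode the protocol properly rather than match a request line.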
Because there is no single device that does everything equally well, customers are settling for a layered defense. The need for multiple security technologies, and in some cases dueling firewalls, will continue while customers keep looking for that silver bullet: the one device that does it all perfectly.
I can hardly wait!