
Is a two-tier firewall architecture a requirement for BS7799?

 
Old 07 January 2003, 03:16 PM
  #1  
akshay67
Scooby Regular
Thread Starter
 

As far as I know, there is no requirement in BS7799 to use multiple firewalls, i.e. one for internet facing and one between DMZ and back-end.

Can someone please confirm?

Cheers...
Old 07 January 2003, 04:29 PM
  #2  
David_Wallis
Scooby Regular
 

I don't think it is and I'm not looking through the massive document I have... you can get it on pdf... and then search..

David
Old 07 January 2003, 05:12 PM
  #3  
ChrisB
Moderator
 

More flexible for your budget as well
Old 08 January 2003, 08:44 AM
  #4  
akshay67
Scooby Regular
Thread Starter
 

Yeah I had a 'quick' read through Pt1 and 2, and can't see it *explicitly* saying you should use two firewalls. However, it may be implied somewhere.

A two-tier approach is obviously a better approach for many reasons, but I doubt quoting BS7799 (like someone did) is not a valid reason.
Old 08 January 2003, 11:36 AM
  #5  
mega_stream
Scooby Regular
 

OK, BS7799 does not state that you need dual level protection; it would be your risk assessment that states if dual level is required to protect your system.

Old 08 January 2003, 01:57 PM
  #6  
jimbob2
Scooby Regular
 

Not completely necessary for BS7799 - is this for commercial or gov use?

Good security practice states that you should have different firewalls here, say a Nokia FW1 box at the front, then something like a PIX or a cyberguard on a separate LAN for your databases - good Intrusion Detection systems are also advisable providing you have the man power to resource it - the same goes for all IP related security.

At the end of the day, the clever hacker will merely phone someone up in your company and ask for their user name and password - it's so easy!

You should also dual everything if you want the maximum uptime - bet you've got more than one disk in your server?
Old 08 January 2003, 02:42 PM
  #7  
BlueBlood
Scooby Regular
 

Not a direct requirement for BS7799, more relevant to BS7799 is how staff are trained as suggested above (and other things). Sometimes they just give out the password to a phone call.....oh and keep an eye on those server boys. A vulnerability is a vulnerability regardless of how many firewalls it traverses.

In a Corp environment it is best practice, perhaps mix Network/Application and other technologies (more so than badges of the same thing).

..r
Old 09 January 2003, 01:17 PM
  #8  
Chris L
Scooby Regular
 

Might be worth your company considering joining the Information Security Forum

Have a look at their site and look at the guidelines they set out. It is based around BS7799 certification. It is also good to pick other members' brains, as you can bet that someone has already come across a problem you are having before.

Chris
Old 01 July 2003, 04:22 PM
  #9  
DrEvil
Scooby Regular
 

Sorry, this isn't what you asked for - but surely whether this is a requirement of BSxxxxx or not - it is highly advisable, as the environment will be more flexible, secure, etc.. tried n tested and all that.

Plus.. BTTT for you...

[Edited by DrEvil - 1/7/2003 4:23:26 PM]
Old 01 July 2003, 07:29 PM
  #10  
mega_stream
Scooby Regular
 

I'm 99% certain it's not a requirement for this, I can check tomorrow though, I'm on an ISMS BS7799 pt2 auditors course this week



[Edited by mega_stream - 1/7/2003 7:30:36 PM]