On Mon, 14 Nov 2011 19:06:13 EST, William Herrin said:
Using two firewalls in serial from two different vendors doubles the complexity. Yet it almost always improves security: fat fingers on one firewall rarely repeat the same way on the second and a rogue packet must pass both.
Fat fingers are actually not the biggest issue - a far bigger problem are brain failures. If you thought opening port 197 was a good idea, you will have done it on both firewalls. And it doesn't even help to run automated config checkers - because you'll have marked port 197 as "good" in there as well. ;) And it doesn't even help with fat-finger issues anyhow, because you *know* that if your firewall admin is any good, they'll just write a script that loads both firewalls from a master config file - and then proceed to fat-finger said config file.