From time to time I hear an ISA firewall admin talk about how an auditor told him that he needs to put a "firewall" in front of the firewall (the ISA firewall). Most of the time the ISA firewall admin is too busy to deal with it and just goes ahead and put some cheap NAT device in front of the ISA firewall and it palliates the auditor.
However, for those ISA firewall admins who are concerned about cost containment and security, I recommend that you confront the auditor with the following fact:
You do not need to put a firewall in front of your ISA firewall in order to be compliant for any industry regulations. The ISA firewall meets all requirements for an edge firewall and no other firewall is ever required to meet regulatory requirements
The above paragraph is a fact. It's incontrovertible and cannot be denied.
So, if you run into an auditor who says you must put another firewall in front of the firewall, you should confront the auditor and find out why. Ask him to point to the specific regulation that states that a non-ISA firewall has to be put in front of the ISA firewall. Then ask how introducing increased complexity and adding costs to the solution leads to meeting regulatory requirements.
The auditor should back down. If the auditor does not back down, you should have them sign off on a statement that they agree to take responsibility for any security events that take place because of the non-ISA firewall. In addition, they would also sign off on the costs of the non-ISA firewall, since the non-ISA firewall is not required, they should be willing to pay for your new ISA firewall, since it is their opinion that is not based on fact, that lead to the recommendation.
Usually the auditor will back down and admit that he didn't know what he was talking about. At that point you should thank him for his efforts and commend him for his ability to learn about new technologies, and finally give him props for realizing that "hardware" isn't magic.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP — Microsoft Firewalls (ISA)