I have a simple question regarding firewall deployment in a defense-in-depth strategy.
I want to install multiple firewalls on my network, and I want to know whether all the firewalls placed on different segments of the network should be "all configured in a fail-closed fashion". In this case, would this create a single point of failure if all the devices were to fail at one time? Would it make your network inaccessible to the rest of the network?
Secondly, the other concern with using multiple layers of firewalls is the duplication of policies. In my experience, even working with two or more firewalls in one environment is enough to create a management nightmare. Is duplication an option which should be considered a best-practice approach, or is it for when you have a consistent hardware environment (Juniper, Juniper, PIX, PIX, etc.)?
With duplication you eliminate the degree of uncertainty of speculating or assuming that a firewall at a different layer would have a certain policy to block a certain service/port, when in actuality it's quite the opposite and the service is not being stopped or disallowed by the firewall. Duplication would solve the problem, but then, as I said, it again has to do with interoperability among other issues. Could someone please comment on the scenario?
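The two concerns in the question (does every layer actually block what you assume it blocks, and what happens to legitimate traffic when a fail-closed layer goes down) can both be checked offline against the rule sets rather than discovered in production. The following is an added example, not code from the original poster: a small first-match firewall model in Python, an end-to-end audit that walks a flow through each layer and compares the result with what the operator expects, and a helper that simulates one device being down in fail-closed or fail-open mode. The networks, hosts, rules and expectations are constructed for the example; the "leftover" port-22 rule on the perimeter and the over-broad "jump host" rule on the inner firewall are a deliberately constructed gap, each admin assuming the other layer blocks SSH from the Internet.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One first-match rule. None in proto/dport means 'any'."""
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport))


@dataclass(frozen=True)
class Firewall:
    name: str
    rules: Tuple[Rule, ...]
    default: str = "deny"        # implicit final rule
    fail_closed: bool = True     # what the device does when it is down
    up: bool = True

    def decide(self, f: Flow) -> str:
        if not self.up:
            return "deny" if self.fail_closed else "allow"
        for r in self.rules:
            if r.matches(f):
                return r.action
        return self.default


def trace(path: List[Firewall], f: Flow):
    """Per-layer decision for a flow, in traversal order."""
    return [(fw.name, fw.decide(f)) for fw in path]


def passes(path: List[Firewall], f: Flow) -> bool:
    """A flow gets through only if every layer on its path allows it."""
    return all(d == "allow" for _, d in trace(path, f))


def audit(path: List[Firewall], expectations):
    """expectations: (flow, 'pass'|'block') pairs. Returns the mismatches,
    each with the per-layer trace so you can see which layer let it through
    or which layer unexpectedly dropped legitimate traffic."""
    findings = []
    for f, expected in expectations:
        actual = "pass" if passes(path, f) else "block"
        if actual != expected:
            findings.append({"flow": f, "expected": expected,
                             "actual": actual, "trace": trace(path, f)})
    return findings


def with_device_down(path: List[Firewall], name: str, fail_closed=None):
    """Copy of the path with one device marked down; optionally override
    its failure mode to compare fail-closed against fail-open."""
    out = []
    for fw in path:
        if fw.name == name:
            mode = fw.fail_closed if fail_closed is None else fail_closed
            fw = replace(fw, up=False, fail_closed=mode)
        out.append(fw)
    return out


# Constructed topology: Internet -> perimeter -> DMZ (203.0.113.0/24)
#                       -> inner -> internal (10.0.0.0/8); partner is 198.51.100.0/24.
PERIMETER = Firewall("perimeter", (
    Rule("allow", dst="203.0.113.0/24", proto="tcp", dport=443),
    Rule("allow", src="198.51.100.0/24", dst="10.0.5.40/32", proto="tcp", dport=8443),
    Rule("allow", dst="10.0.0.0/8", proto="tcp", dport=22),   # constructed leftover rule
))
INNER = Firewall("inner", (
    Rule("allow", src="203.0.113.10/32", dst="10.0.5.20/32", proto="tcp", dport=3306),
    Rule("allow", src="198.51.100.0/24", dst="10.0.5.40/32", proto="tcp", dport=8443),
    Rule("allow", dst="10.0.5.0/24", proto="tcp", dport=22),  # constructed, over-broad "jump host" rule
))
FROM_INTERNET = [PERIMETER, INNER]

# What the operator believes the layered policy does.
EXPECTATIONS = [
    (Flow("192.0.2.9", "10.0.5.20", "tcp", 22), "block"),       # "one of the layers blocks SSH"
    (Flow("192.0.2.9", "10.0.5.20", "tcp", 23), "block"),
    (Flow("198.51.100.7", "10.0.5.40", "tcp", 8443), "pass"),   # partner API, duplicated at both layers
]

if __name__ == "__main__":
    for finding in audit(FROM_INTERNET, EXPECTATIONS):
        print("policy mismatch:", finding)
    for finding in audit(with_device_down(FROM_INTERNET, "inner"), EXPECTATIONS):
        print("with inner fail-closed and down:", finding)
```

Run as-is, the first audit reports the SSH flow as passing both layers, which is exactly the "each layer assumed the other blocked it" case; duplicating the deny at every layer, or simply auditing the combined path like this, removes that assumption. The second audit shows the other side of the question: with the inner device down and fail-closed, the partner flow that both layers deliberately allow is now blocked, so fail-closed everywhere protects the internal segment at the cost of availability, and the usual answer is redundant devices (HA pairs) per layer rather than fail-open, because fail-open on the inner layer would also leave the SSH gap wide open.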