
The topic is "Is It More Secure to Use Firewalls from Two Different Vendors". It is not much safer to use a multi-vendor firewall setup, because "More than 95% of firewall breaches are caused by firewall misconfigurations, not firewall flaws."

Now, I want to use different vendors because if there is a vulnerability in one firewall, maybe a firewall from a different vendor does not have this vulnerability. Is that right?

    Straight up vulnerabilities in firewalls are pretty rare and all reputable vendors patch them really quickly. Infinitely more common are security weaknesses caused by poorly configured firewalls. Adding complexity makes it harder to maintain the environment without configuration errors. Therefore it's a tradeoff. If you have mature teams and processes to reliably manage a complex environment, then it can be a positive, but I would argue that the majority of defenders are doing themselves a disservice by layering the same control from multiple vendors. Add different controls instead.
    – Matt G
    Commented Aug 26, 2018 at 20:52

3 Answers


Using multiple firewalls in a row increases the complexity, both for the defender and for the attacker. Properly configured, such a setup can significantly increase security, since the chance is high that firewalls from different vendors have different strengths and weaknesses.

If you only look at simple packet filter firewalls (i.e. layer 3 and layer 4 inspection, no application layer inspection) then there is not that much difference in how these firewalls work. But the more complex firewalls which are capable of application layer inspection (using deep packet inspection or application proxies) differ a lot in how they inspect the application layer, since the protocols and payloads involved are much more complex than at layers 3 and 4. Thus, practically all of these firewalls have some weaknesses in application layer inspection, but devices from different vendors usually don't have exactly the same weaknesses. This means that by combining them you get fewer weaknesses, of course at the price of higher cost and more complexity in administration.

As for the claim about misconfiguration: I don't know where this claim originates (some cite Gartner, some with 95% in 2018 and others with a projected 99% in 2020) and I don't know what kind of misconfiguration is meant by this claim. If it is a misconfiguration by design (i.e. overly broad policies, filtering disabled since it is a nuisance) then multiple firewalls will probably not help much to mitigate the misconfiguration problem. But if it is a misconfiguration by accident (maybe due to non-intuitive ways to configure the firewall) then multiple firewalls could actually make the chance of misconfiguration lower too, since the admin will probably not repeat all mistakes in all firewalls if the way the configuration must be done differs.
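The serial setup this answer describes, modelled as an added example (written for this page, not code from the answer or from any vendor): two first-match packet-filter rule sets evaluated one after the other. The rule syntax, the two constructed rule sets `VENDOR_A` and `VENDOR_B`, and the sample flows are assumptions made for the illustration. `VENDOR_A` carries a by-accident misconfiguration (a leftover allow-any rule); `VENDOR_B` does not repeat it, so the chained policy is the intersection of the two allow sets and the stray rule stops mattering. `overly_broad()` is the kind of check that would catch the by-design case (an any/any/any allow) before deployment.

```python
"""Two packet-filter firewalls in series (constructed model, not vendor syntax)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str = "any"     # CIDR or "any"
    dst: str = "any"     # CIDR or "any"
    proto: str = "any"   # "tcp", "udp", "icmp" or "any"
    dport: str = "any"   # "443", "1024-65535" or "any"


def _net_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def _port_match(pattern: str, port: int) -> bool:
    if pattern == "any":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_net_match(rule.src, flow.src) and _net_match(rule.dst, flow.dst)
            and rule.proto in ("any", flow.proto) and _port_match(rule.dport, flow.dport))


def evaluate(ruleset, flow: Flow) -> bool:
    """First matching rule decides; implicit deny if nothing matches."""
    for rule in ruleset:
        if rule_matches(rule, flow):
            return rule.action == "allow"
    return False


def chain(*rulesets):
    """Firewalls in a row: a flow is forwarded only if every device allows it."""
    return lambda flow: all(evaluate(rs, flow) for rs in rulesets)


def overly_broad(ruleset):
    """Indices of allow rules that constrain neither source, destination nor port."""
    return [i for i, r in enumerate(ruleset)
            if r.action == "allow" and r.src == "any" and r.dst == "any" and r.dport == "any"]


# Constructed rule sets (assumption: a hypothetical two-vendor deployment).
VENDOR_A = [
    Rule("deny", src="10.0.0.0/8"),                                   # drop spoofed RFC1918 sources
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport="443"),   # public web server
    Rule("allow"),                                                    # leftover from troubleshooting
]
VENDOR_B = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport="443"),   # public web server
    Rule("allow", dst="203.0.113.20/32", proto="tcp", dport="25"),    # mail relay
]

# Constructed sample flows from an outside host.
FLOWS = {
    "web":  Flow("198.51.100.7", "203.0.113.10", "tcp", 443),
    "smtp": Flow("198.51.100.7", "203.0.113.20", "tcp", 25),
    "rdp":  Flow("198.51.100.7", "203.0.113.30", "tcp", 3389),
}


def effective_policy():
    """Return {flow_name: (A alone, B alone, A then B)} for the sample flows."""
    both = chain(VENDOR_A, VENDOR_B)
    return {name: (evaluate(VENDOR_A, f), evaluate(VENDOR_B, f), both(f))
            for name, f in FLOWS.items()}


if __name__ == "__main__":
    print("overly broad allow rules in VENDOR_A:", overly_broad(VENDOR_A))
    for name, (a, b, ab) in effective_policy().items():
        print(f"{name:5} A={a!s:5} B={b!s:5} A then B={ab}")
```

Run stand-alone it reports rule index 2 of `VENDOR_A` as overly broad and shows the RDP flow allowed by A alone but dropped by the chain; the chain can only ever be as permissive as the stricter device for a given flow, which is the whole argument for the serial setup, and the administration cost is two rule sets that must be kept consistent.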


It's an interesting question, and actually, I've seen setups like this in my job. For example, I've seen one company use a Cisco ASA and then right behind it a Checkpoint firewall, and to be honest I can see the method to the madness.

However, considering a lot of firewall issues are actually caused by misconfiguration, as stated in your post, realistically I don't see it making a massive impact.

When vulnerabilities are found in firewalls (and other products), most of the time they're rectified by the product security response teams very quickly, and usually all that's required is putting a new version of firmware on the device. The faster you carry out this upgrade the better. In general, I don't see this making a huge difference: if your firewall is proactively maintained and security threats are responded to quickly, I am not sure spending extra money and resources on maintaining two different firewalls is all that worthwhile.

In the end, it comes down to your threat model and your budget. I would say if you are protecting something really valuable, two different firewalls from different vendors is potentially beneficial. It is quite hard to answer this question as it does, in reality, come down to your threat model.


For security products that depend on “subscriptions” (antivirus definitions, phishing filters, etc), there is a strong argument for a layered defense with each layer coming from a different vendor.

For example: You may have malware filtering installed on your mail server, and you probably also have endpoint anti-malware installed on your workstations. If an attacker sends some new zero-day malware to you, and both products come from the same vendor, there is a high likelihood the malware will slip through BOTH layers of protection. However, if you use two different vendors, there is a chance that one vendor will catch something the other one missed.

This argument can be applied to firewalls with UTM, where they have built in malware and malicious site blocking. Your firewall’s malware protection should come from a different vendor than your endpoint protection.
