Ask Norton, and McAfee, and they will both tell you two firewalls is
not a good conception. And as I posted earlier, if MS also agrees
that two firewalls are not a good configuration, then what is the
dispute?
Bruce:
1) Experience.
It can work without problems per several years of usage. However, I know
not to run two ID f/ws together, and I would not run another f/w on an ISA
server. And I test and look for conflicts.
2) Knowledge.
In general, there is not any technical reason that you cannot run multiple
stateless packet filtering firewalls together.
First f/w to receive the packets makes a drop or forward decision. If the
packet is forwarded, the next firewall makes a drop or forward decision. In
general, they act on the packets sequentially.
However, IMO, for more advanced firewalls that use ID, stateful filtering
(not the router SPI thingy), circuit level filtering, and application level
filtering, the chance for problems/conflicts can increase.
Also, since f/ws can use different technologies, there can be benefits to
using multiple firewalls.
And, as another user recently posted, a trojan disabled one of his two
firewalls, but he was still protected by the second firewall.
3) IMO, companies have been known to make recommendations primarily to
reduce their end user troubleshooting costs and bad end user experiences.
However, there is always a risk that you may encounter conflicts. If you
are not willing to take the risk (and do your own testing to verify
compatibility), then do not do it.
BTW, I have run Norton with ZA free and BlackIce at the same time without
any problems.
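
The sequential drop-or-forward behaviour described in the reply above, as an added example that is not part of the original post: two stateless first-match filters are chained, so a packet passes only if both forward it, and with one filter disabled the other still applies its own rules. The filter names, rule sets and packets are constructed for illustration and do not model any product named in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "forward" or "drop"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR form
    dport: Optional[int]   # destination port, None matches any port

class StatelessFilter:
    """First-match packet filter; keeps no connection state."""
    def __init__(self, name, rules, default="drop"):
        self.name, self.rules, self.default = name, rules, default
        self.enabled = True

    def decide(self, pkt):
        if not self.enabled:          # a disabled filter passes everything on
            return "forward"
        src = ipaddress.ip_address(pkt["src"])
        for r in self.rules:
            if (r.proto in ("any", pkt["proto"])
                    and src in ipaddress.ip_network(r.src)
                    and r.dport in (None, pkt["dport"])):
                return r.action
        return self.default

def run_chain(filters, pkt):
    """Each filter decides in turn; the first drop ends the packet's path."""
    for fw in filters:
        if fw.decide(pkt) == "drop":
            return ("drop", fw.name)
    return ("forward", None)

# Constructed rule sets and packets (documentation address ranges).
fw_a = StatelessFilter("fw_a", [Rule("forward", "tcp", "0.0.0.0/0", 80),
                                Rule("forward", "tcp", "0.0.0.0/0", 443)])
fw_b = StatelessFilter("fw_b", [Rule("forward", "tcp", "0.0.0.0/0", 443),
                                Rule("forward", "tcp", "192.0.2.0/24", 22)])
HTTPS = {"proto": "tcp", "src": "198.51.100.7", "dport": 443}
HTTP = {"proto": "tcp", "src": "198.51.100.7", "dport": 80}
SSH = {"proto": "tcp", "src": "192.0.2.10", "dport": 22}

if __name__ == "__main__":
    for pkt in (HTTPS, HTTP, SSH):
        print(pkt["dport"], run_chain([fw_a, fw_b], pkt))
```

The effective policy of the chain is the intersection of the two rule sets, which is why the order of stateless filters changes which one logs the drop but not whether the packet gets through.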