[fw-wiz] Protecting a datacentre with a firewall

From: Lazló Carreidas (LazloCarreidas_at_netscape.net)
Date: 05/02/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 02 May 2003 16:07:06 -0400
    

    Hi Wizards

    I am working for a multinational company. Our IT management is worried that somebody could abuse our WAN infrastructure, and use it to attack our servers in the Headquarters (we have centralised here core business systems, and so they are used from everywhere in the world).

    Therefore, they have asked us (the security unit) to study and plan the installation of a firewall (most certainly a Cisco PIX) cluster (for failover) that would "isolate" the datacentre (about 150 servers running different flavours of Windows, NetWare, UNIX and OS/400) from the rest of the network infrastructure.

    I already know that it would be quite difficult. For example, we would need to get rid of all legacy protocols other than IP (IPX, SNA and NetBIOS for sure), have to document every address and port needed to be accessed by the users, etc...

    The main concern of our colleagues in the network unit is that we would need to span all the traffic to one (or maybe a bit more) interface on the firewall, which would maybe overload the core switch. There would also be latency issues, etc...
    Our main concern is of course the management of this firewall, due to the huge number of systems involved.

    We would like to know your opinion on this subject, if somebody did that already, if there would be better ways (ACLs and routers and switches, for example), if choosing a PIX is a good idea (performance, for example) and even if it is feasible...

    Thank you for your input

      Lazló
