RE: [fw-wiz] Defense in Depth to the Desktop

From: Chris Pugrud (cpugrud_at_yahoo.com)
Date: 12/08/04

  • Next message: Chris Pugrud: "[fw-wiz] protection models"
    To: Scott Stursa <stursa@mailer.fsu.edu>
    Date: Wed, 8 Dec 2004 13:48:06 -0800 (PST)
    
    

    --- Scott Stursa <stursa@mailer.fsu.edu> wrote:

    > Really? On what kind of hardware?
    >
    > Our experience, at least with CAT6500s running SUP2, is that CBAC can
    > be a real dog (Context Based Access Control, the "stateful inspection"
    > piece of Firewall Feature Set). It works okay for small departmental nets,
    > but if you have 150+ desktops busily accessing numerous resources outside
    > their subnet (i.e., through the CBAC ACL), it can have a serious
    > performance impact.
    >
    > And don't even think about running it on a CAT5500/RSM.
    >
    > Don't know about a 6500 equipped with a SUP720, but even if the
    > performance is improved, functionally FFS is no substitute for a PIX or a
    > FWSM.

    Without a doubt a dedicated firewall appliance is the way to go for this
    application. I'm able to get away with CBAC in the current environment, even
    with a few thousand clients, because the rules are so simple and CBAC is only
    controlling access to a handful (five) servers (AD and MSX). As the system
    expands to accommodate more server subnets, either PIX blades or Netscreens are
    in the future.

    The one way nature is what leads to the operational and academic simplicity of
    the model. On the Server vlan interface there is no outbound ACL and CBAC is
    only inspecting UDP. On the inbound ACL about the only lines are "allow tcp
    established" and "deny ip any any". CBAC adds in, on average, about 30-40 very
    specific permit udp lines at the top of the list with a timeout of 30 seconds.
    That timeout could probably be cut back to 5-10 seconds without any impact.

    This is still POC operationally, but it does close a considerable gap between
    the perimeter (enclave) firewall and the desktop that exists in most
    organizations. I don't view it as replacing anything else, just another tool
    that is useful in achieving defense in depth.

    chris
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
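The one-way server VLAN model described in the message above, written out as an IOS configuration fragment; this is an added illustration, not configuration from the post or its author, and the interface name, addresses and the inspection name are assumptions.

```cisco
! One-way server VLAN: clients may initiate to servers, servers may not
! initiate to clients. Interface name, addresses and the inspection
! name are assumptions for this example.
!
! CBAC inspects only UDP (TCP return traffic is handled by the
! "established" line below). Idle timeout as in the post: 30 seconds.
ip inspect name SRV-UDP udp timeout 30
!
! Inbound ACL on the server VLAN interface (packets from the servers
! toward the router). Only TCP replies to client-initiated sessions
! are allowed statically; everything else is denied. CBAC inserts its
! temporary "permit udp host <server> eq <port> host <client> eq <port>"
! entries ahead of these lines while a UDP exchange is in flight.
ip access-list extended SERVER-IN
 remark TCP replies only: matches ACK or RST set, a stateless check
 permit tcp any any established
 remark log added here for visibility; the post's ACL ends in a plain deny
 deny ip any any log
!
interface Vlan100
 description Server VLAN (AD and Exchange)
 ip address 10.1.100.1 255.255.255.0
 ! No outbound ACL: client-to-server traffic passes unfiltered.
 ! Inspect it on the way out so CBAC can open the UDP return path.
 ip inspect SRV-UDP out
 ip access-group SERVER-IN in
```

To confirm the behaviour, `show ip inspect sessions` lists the UDP exchanges CBAC is tracking and `show ip access-lists SERVER-IN` shows the dynamic permit lines it has placed above the static entries.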
