[fw-wiz] Host based vs network firewall in datacenter

From: Zurek, Patrick (pzurek_at_uillinois.edu)
Date: 06/07/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 7 Jun 2005 12:33:53 -0500

    Hi all,
    I graduated from university not long ago and assumed my first job as network administrator in a small datacenter. I've been lurking here for a while and reading the archives. I've learned a lot from what many of you have had to say, but I'm having difficulty making the jump from the theory behind the way things should be run (i.e. the network design maps that show the little switch, router & firewall symbols) and the practical applications of that. I was also reluctant to make this post in fear of getting flamed for having what will come across as a clueless attitude about network security. Instead of flaming, please correct me, I want to learn.

    I'd like to solicit some advice on a firewall implementation. Our Solaris-only site has two main components, a web presence which connects to a backend application running on top of Oracle, and a custom application (which unfortunately also runs on the same host as the database) to which our clients connect. So all our servers need to be internet facing, including the database. Our servers range from small Sun V100s to an F15k. We do not have a firewall or a NIDS and we do not have administrative control of the router on which to apply stateless ACLs. This was the situation when I arrived. Fortunately, our hosts are properly configured and reasonably hardened by a competent system administrator. Just recently I've had some luck with management in getting a span port enabled on the switch - in a month or so I hope to have up a BSD monitoring platform running snort/sguil off a dedicated tap.

    These are the options as I see them:
    1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
    2) Host based firewall - put ipf on the hosts
    3) Network firewall behind the router - ???

    1) Does not seem feasible to continue to operate this way.

    2) As a short term measure I have applied ipfilter on several of our non-production hosts. My manager has begun to advocate putting it on all production systems now (about 15 hosts). At first I thought this would be a bad idea, as a network firewall would ease administration and having to administer separate rule sets for each server would be unwieldy. However, after reading the opinions of certain members of the list, I'm at a loss as to how to proceed. I don't want to purchase something like:

    "- Some of the products we're buying simply don't work
    - Some of the products we're buying aren't being used
            properly
    - There is no correlation between cost and effectiveness
            of security products"

    as MJR said last week. I'm interested in using the right tool for the job. Is ipf on a production Sun 15k a good idea?

    3) This option is good because it will allow us to apply stateless ACLs at the gateway and centralize the management of firewall functions.

    Bearing in mind that I'm still relatively new to this, and that I'm having trouble bridging the gap between the way security should be done, and actually implementing it, I'd appreciate any advice and help.

    Thanks for reading,

    Pat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
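Option 2 above raises the concern that a separate ipf rule set per server is unwieldy to administer; one defender-side answer is to keep a single central policy and generate each host's ipf.conf from it, so every host gets default-deny in both directions and only the services the policy lists. This is an added example in Python, not code from the original post: the interface name hme0, the 192.0.2.x addresses and port 5000 for the custom client application are constructed placeholders, and 1521 is the Oracle listener's well-known default port.

```python
# Render per-host IP Filter (ipf.conf) rule sets from one central policy.
# Added example, not code from the original post. Interface names, addresses
# and the custom-app port are constructed placeholders; 1521 is Oracle's default.
from dataclasses import dataclass

@dataclass
class Service:
    proto: str          # "tcp" or "udp"
    port: int
    allowed_from: list  # source addresses/CIDRs, or "any"

@dataclass
class Host:
    name: str
    iface: str
    addr: str
    services: list

WEB = Host("www1", "hme0", "192.0.2.10",
           [Service("tcp", 80, ["any"]), Service("tcp", 443, ["any"])])
DB_APP = Host("db1", "hme0", "192.0.2.20",
              [Service("tcp", 5000, ["any"]),       # custom client app (constructed port)
               Service("tcp", 1521, [WEB.addr])])  # Oracle listener: web tier only
POLICY = [WEB, DB_APP]

def render_ipf(host):
    """Default deny both ways; listed services reachable only from listed sources."""
    a, i = host.addr, host.iface
    rules = [
        f"# {host.name}: generated from central policy, do not hand-edit",
        "block in log all",
        "block out log all",
        "pass in quick on lo0 all",
        "pass out quick on lo0 all",
        # sessions the host opens itself (DNS, NTP, patching); replies ride the state table
        f"pass out quick on {i} proto tcp from {a} to any flags S keep state",
        f"pass out quick on {i} proto udp from {a} to any keep state",
    ]
    for svc in host.services:
        for src in svc.allowed_from:
            flags = " flags S" if svc.proto == "tcp" else ""
            rules.append(f"pass in quick on {i} proto {svc.proto} from {src} "
                         f"to {a} port = {svc.port}{flags} keep state")
    return rules

def exposed_to_internet(host):
    """Audit view: which ports this host really offers to any source."""
    return {s.port for s in host.services if "any" in s.allowed_from}
```

Writing `"\n".join(render_ipf(h))` for each host in POLICY to that host's /etc/ipf/ipf.conf gives one source of truth to change-control, and `exposed_to_internet` is the number worth reviewing before each rollout.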

