Re: [fw-wiz] Host based vs network firewall in datacenter

From: Victor Williams (vbwilliams_at_neb.rr.com)
Date: 06/10/05

    To: "Zurek, Patrick" <pzurek@uillinois.edu>
    Date: Fri, 10 Jun 2005 10:53:33 -0500
    
    

    My opinion is that anything you can do is better than nothing.

    I often come across people who KNOW what's wrong with their
    implementations, and they bury their head in the sand regarding it. I
    am glad to see you are not one of those people.

    I think one thing you are asking is how, regarding the network, do I
    make this implementation better. I think you are on the right track.
    However, as someone concerned about security, I don't think you should
    limit yourself to that line of thinking. There are best-practices you
    should adhere to when putting together a system like this. I might pose
    the question of how difficult would it be to separate the application
    layer from the data layer in your environment, and what would you gain
    from doing so? I think app and data residing on the same machine is
    generally a bad idea...not from just a data security standpoint, but if
    I lose my application server for whatever reason (lightning), guess
    what? My data is fried as well. It is always better in my opinion (not
    necessarily from *security to keep other people out* point of view) to
    keep all your eggs in different baskets.

    In addition, I for one use firewalls/IDS of some sort on any/all
    applicable servers. I've also written my own scripts to automate the
    functionality of them if applicable...so I don't have to keep disparate
    rulesets on them all.

    Also, think accountability. Even if you can't put more *security
    controls* in place, do you believe you can track down a security breach
    if it happened? Is there enough applicable logging going on to see
    who/what caused your breach? Do you have the knowledge to use all this
    logging to your advantage?

    Being originally from the gov't sector myself in the USDA, I often found
    that we needed to put security controls in place to give us
    accountability and to prevent our machines from being used as
    repositories for unnecessary stuff...*hackers* tried to break in to use
    our servers as free space areas for whatever...not necessarily stealing
    our data because it was public domain data (GIS hi-res satellite
    pictures) anyway. Where I'm going here, is your application of whatever
    will depend on what you're trying to protect and why. Since moving on
    to my current job, my application of security controls has changed
    because the data I'm protecting is different, and the motives for
    getting it would be completely different.

    Before you just decide to turn on a firewall here and there, you need to
    ask yourself why you're turning it on in the first place (not saying you
    don't need it), and ask yourself what you're trying to protect.
    Personally, I would be more worried about the way your application is
    architected than firewalls at this point.

    Zurek, Patrick wrote:

    > Hi all,
    > I graduated from university not long ago and assumed my first job as network administrator in a small datacenter. I've been lurking here for a while and reading the archives. I've learned a lot from what many of you have had to say, but I'm having difficulty making the jump from the theory behind the way things should be run (i.e. the network design maps that show the little switch, router & firewall symbols) and the practical applications of that. I was also reluctant to make this post in fear of getting flamed for having what will come across as a clueless attitude about network security. Instead of flaming, please correct me, I want to learn.
    >
    > I'd like to solicit some advice on a firewall implementation. Our Solaris-only site has two main components, a web presence which connects to a backend application running on top of Oracle, and a custom application (which unfortunately also runs on the same host as the database) to which our clients connect. So all our servers need to be internet facing including the database. Our servers range from small Sun V100s to a F15k. We do not have a firewall or a NIDS and we do not have administrative control of the router on which to apply stateless ACLs. This was the situation when I arrived. Fortunately, our hosts are properly configured and reasonably hardened by a competent system administrator. Just recently I've had some luck with management in getting a span port enabled on the switch - in a month or so I hope to have up a BSD monitoring platform running snort/sguil off a dedicated tap.
    >
    > These are the options as I see them:
    > 1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
    > 2) Host based firewall - put ipf on the hosts
    > 3) Network firewall behind the router - ???
    >
    > 1) Does not seem feasible to continue to operate this way.
    >
    > 2) As a short term measure I have applied ipfilter on several of our non-production hosts. My manager has begun to advocate putting it on all production systems now (about 15 hosts). At first I thought this would be a bad idea, as a network firewall would ease administration and having to administer separate rule sets for each server would be unwieldy. However, after reading the opinions of certain members of the list, I'm at a loss as to how to proceed. I don't want to purchase something like:
    >
    > "- Some of the products we're buying simply don't work
    > - Some of the products we're buying aren't being used
    > properly
    > - There is no correlation between cost and effectiveness
    > of security products"
    >
    > as MJR said last week. I'm interested in using the right tool for the job. Is ipf on a production Sun 15k a good idea?
    >
    > 3) This option is good because it will allow us to apply stateless ACLs at the gateway and centralize the management of firewall functions.
    >
    > Bearing in mind that I'm still relatively new to this, and that I'm having trouble bridging the gap between the way security should be done, and actually implementing it, I'd appreciate any advice and help.
    >
    > Thanks for reading,
    >
    > Pat
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
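An added example of the kind of automation Victor mentions (constructed here, not his script): a POSIX shell generator that derives each Solaris host's ipf ruleset from one central role table, so the fifteen hosts' rulesets cannot drift apart and every dropped packet is logged for the accountability he asks about. The interface name hme0, the roles, the hypothetical custom application port 8080 and the trusted admin network are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not Victor's scripts): build each Solaris host's ipf.conf
# from one central role table so the hosts don't drift apart. Interface,
# roles, ports and the trusted admin network are constructed assumptions.

IFACE="${IFACE:-hme0}"   # assumed external interface on the Sun hosts

# Inbound TCP ports a role needs, and who may reach them ("any" or the
# trusted network passed to gen_ipf_rules). Roles/ports are constructed.
role_spec() {
    case "$1" in
        web) echo "any:80 any:443" ;;
        app) echo "any:8080" ;;        # hypothetical custom client app port
        db)  echo "trusted:1521" ;;    # Oracle listener: never from the Internet
        *)   return 1 ;;
    esac
}

# gen_ipf_rules "<roles>" <trusted-cidr>: print a default-deny ruleset.
# Blocked packets are logged so a breach can be traced afterwards.
gen_ipf_rules() {
    roles=$1; trusted=$2
    printf '# ipf.conf generated for roles: %s\n' "$roles"
    printf 'pass in quick on lo0 all\npass out quick on lo0 all\n'   # app<->db on same host
    printf 'block in log all\nblock out log all\n'                   # default deny, logged
    printf 'pass out quick on %s all keep state\n' "$IFACE"          # host may originate
    printf 'pass in quick on %s proto tcp from %s to any port = 22 flags S keep state\n' \
        "$IFACE" "$trusted"                                          # admin ssh only
    for role in $roles; do
        spec=$(role_spec "$role") || { printf 'unknown role: %s\n' "$role" >&2; return 1; }
        for entry in $spec; do
            src=${entry%%:*}; port=${entry##*:}
            [ "$src" = trusted ] && src=$trusted
            printf 'pass in quick on %s proto tcp from %s to any port = %s flags S keep state\n' \
                "$IFACE" "$src" "$port"
        done
    done
}

# Central host table: name:role+role (constructed sample matching Pat's layout:
# a web host, and a host carrying both the custom application and Oracle).
HOSTS="www1:web custom1:app+db"

# Print one ruleset per host; redirect each to that host's /etc/ipf/ipf.conf.
gen_all() {
    for h in $HOSTS; do
        printf '### %s\n' "${h%%:*}"
        gen_ipf_rules "$(printf '%s' "${h#*:}" | tr '+' ' ')" "$1"
    done
}
gen_all 10.0.0.0/24
```

Because rules are generated rather than hand-edited, a change to one role's ports is made once and re-pushed to every host that carries that role.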

