Re: [fw-wiz] Host based vs network firewall in datacenter

From: Chuck Swiger (chuck_at_codefab.com)
Date: 06/11/05

    To: "Zurek, Patrick" <pzurek@uillinois.edu>
    Date: Fri, 10 Jun 2005 21:14:18 -0400

    Zurek, Patrick wrote:
    > I graduated from university not long ago and assumed my first job as network
    > administrator in a small datacenter. I've been lurking here for a while and
    > reading the archives. I've learned a lot from what many of you have had to say,
    > but I'm having difficulty making the jump from the theory behind the way things
    > should be run (ie. the network design maps that show the little switch, router
    > & firewall symbols) and the practical applications of that.

    Well, congratulations on your new position. The best way to move from theory
    to practice is to set up a small test network or two, and see what "doing it
    for real (almost)" is like.

    There are two books that you need to get, read, and then re-read until you've
    gotten their contents down: "TCP/IP Network Administration", and "Building
    Internet Firewalls".

    > I was also reluctant to make this post in fear of getting flamed for having
    > what will come across as a clueless attitude about network security. Instead
    > of flaming, please correct me, I want to learn.

    While it's true that this list has some fine arguments, most of them are
    friendly. :-)

    > I'd like to solicit some advice on a firewall implementation. Our solaris
    > only site has two main components, a web presence which connects to a backend
    > application running on top of Oracle, and a custom application (which
    > unfortunately also runs on the same host as the database) to which our clients
    > connect. So all our servers need to be internet facing including the database.

    OK. I would start by confirming the requirement for being Internet-routable,
    especially with regard to the database, assuming that contains the stuff you
    want to protect.

    If you can put your DB on a private network and have just the few machines
    which genuinely need access able to talk with it, that would probably help your
    security out by a useful amount...

    [ ... ]
    > These are the options as I see them:
    > 1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
    > 2) Host based firewall - put ipf on the hosts
    > 3) Network firewall behind the router - ???
    >
    > 1) Does not seem feasible to continue to operate this way.

    This approach can work for a while, but it's dangerous.

    For instance, you can have services reappear after you apply a patch cluster,
    as a new version of the /etc/init.d scripts might be plunked down and turn
    stuff back on that you'd previously disabled....

    > 2) As a short term measure I have applied ipfilter on several of our non
    > production hosts. My manager has begun to advocate putting it on all production
    > systems now (about 15 hosts).

    Host-based firewalls tend to be more useful on Windows boxes, since they can
    reduce viruses propagating outwards. Not as important on a Solaris box. It's
    better than nothing, but your network is still highly vulnerable to a lot of
    things like IP spoofing via source-routing.

    > 3) This option is good because it will allow us to apply stateless ACLs at
    > the gateway and centralize the management of firewall functions.

    Yes. You can use a firewall as a bridge, not a router, if you don't want to
    adjust your subnetting and have to renetwork your production boxes.

    Whether you use stateless rules or dynamic ones is more a matter of taste and
    how you've locked the boxes down. The important thing is that the firewall
    will provide a chokepoint where you can inspect, block, and monitor traffic, as
    well as a spot to prevent people from spoofing internal IP addresses.

    -- 
    -Chuck
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
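
The chokepoint Chuck describes, written out as an added example in ipf syntax (the filter named in the thread); this ruleset is not from the original message or from Patrick's site. It assumes a dedicated firewall with outside interface hme0 and inside interface hme1, the server subnet 192.0.2.0/24 (web host .10, the host running both the custom application and Oracle .20), a client network 198.51.100.0/24, port 1521 as the default Oracle listener and 7777 as a placeholder for the custom application's port; all of these are placeholders.

```conf
# Added example, not from the thread: ipf.conf for a chokepoint firewall
# sitting between the router and the Solaris hosts. Assumed layout:
#   hme0 = outside interface, hme1 = inside interface
#   192.0.2.0/24    = server subnet (192.0.2.10 web, 192.0.2.20 app + Oracle)
#   198.51.100.0/24 = client network that uses the custom application
#   1521 = default Oracle listener, 7777 = placeholder for the custom app port

# Default deny, logged. Only the explicit "pass ... quick" rules below
# let traffic through; "quick" means the first matching rule decides.
block in log all
block out log all

# Anti-spoofing: a packet arriving on the outside interface may not claim
# an inside, loopback or RFC 1918 source address.
block in log quick on hme0 from 192.0.2.0/24 to any
block in log quick on hme0 from 127.0.0.0/8 to any
block in log quick on hme0 from 10.0.0.0/8 to any
block in log quick on hme0 from 172.16.0.0/12 to any
block in log quick on hme0 from 192.168.0.0/16 to any

# Source-routed packets (loose or strict) are dropped at the chokepoint
# instead of relying on every host to ignore them.
block in log quick on hme0 all with opt lsrr
block in log quick on hme0 all with opt ssrr

# Oracle listener: never reachable from the outside, and every attempt is
# logged so the chokepoint doubles as a monitoring point.
block in log quick on hme0 proto tcp from any to 192.0.2.20 port = 1521

# Web presence: anyone may open a TCP session to 80/443. "keep state"
# creates a state-table entry, so no explicit return rule is needed.
pass in quick on hme0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state
pass in quick on hme0 proto tcp from any to 192.0.2.10 port = 443 flags S keep state

# Custom application: only the client network may reach it.
pass in quick on hme0 proto tcp from 198.51.100.0/24 to 192.0.2.20 port = 7777 flags S keep state

# Sessions the servers start themselves (patch downloads, DNS, NTP).
pass out quick on hme0 proto tcp from 192.0.2.0/24 to any flags S keep state
pass out quick on hme0 proto udp from 192.0.2.0/24 to any keep state

# The inside interface is not filtered by this ruleset; the web host talks
# to the database across it without passing through these rules.
pass in quick on hme1 all
pass out quick on hme1 all
```

The stateless variant Patrick mentions would replace each "keep state" with an explicit pass rule for the return direction; the anti-spoofing and source-route blocks are the same either way.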