RE: [fw-wiz] Host based vs network firewall in datacenter

From: Paul Melson (psmelson_at_comcast.net)
Date: 06/13/05

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
    To: "'Zurek, Patrick'" <pzurek@uillinois.edu>, <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 13 Jun 2005 13:11:35 -0400
    
    

    Pat, I think you're on the right track, but I would suggest maybe taking a
    more holistic approach to your network. I don't think you've come close to
    an exhaustive list of options.

    For instance, option #1 is a basic hardening approach which involves
    patching and disabling unneeded processes. This deals with security at the
    application level. Options #2 & #3 deal with just filtering network
    traffic. Is your only point of vulnerability via the network? Does it only
    exist at services that are NOT in use? Or is it possible (or perhaps even
    more likely) that services you want to allow through your filters are usable
    attack vectors? So how about normalizing application traffic through a
    proxy, or at least encryption and authentication?

    Also, you mention a NIDS project you're undertaking, but what about attacks
    against those systems that take place over encrypted channels or terminals
    or simply aren't part of the mainstream vulnerability lexicon? What
    monitoring and controls do you have to ensure that your authenticated users
    are authorized users, and that those authorized users only do what they are
    authorized to do? What about RBAC? Or a host-based IDS/IPS product?

    I realize I've answered your questions with more questions. I hope I'm
    giving you more food for thought regarding access control to your systems.
    There's plenty more where that came from. :)

    You have a lot of bases to cover and a lot of things to consider beyond the
    three options you list below, all of which serve to reduce the risks of
    compromise and loss.

    PaulM

    PS - Since I hate the answer I just gave you, if you want my non-refundable
    $0.02 worth of advice, go with #1 AND #2. Of the options you're already
    considering, I think that gives you the most direct benefit.

    -----Original Message-----
    Subject: [fw-wiz] Host based vs network firewall in datacenter

    These are the options as I see them:
    1) Wide open - keep the hosts locked down tight and keep open services to a
    minimum.
    2) Host based firewall - put ipf on the hosts
    3) Network firewall behind the router - ???

    1) Does not seem feasible to continue to operate this way.

    2) As a short term measure I have applied ipfilter on several of our non
    production hosts. My manager has begun to advocate putting it on all
    production systems now (about 15 hosts). At first I thought this would be a
    bad idea, as a network firewall would ease administration and having to
    administer separate rule sets for each server would be unwieldy. However,
    after reading the opinions of certain members of the list, I'm at a loss as
    to how to proceed. I don't want to purchase something like:

    "- Some of the products we're buying simply don't work
    - Some of the products we're buying aren't being used
            properly
    - There is no correlation between cost and effectiveness
            of security products"

    as MJR said last week. I'm interested in using the right tool for the job.
    Is ipf on a production Sun 15k a good idea?

    3) This option is good because it will allow us to apply stateless ACLs at
    the gateway and centralize the management of firewall functions.

    Bearing in mind that I'm still relatively new to this, and that I'm having
    trouble bridging the gap between the way security should be done, and
    actually implementing it, I'd appreciate any advice and help.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
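The thread's option #2 (ipfilter on each host, with the worry that maintaining a separate rule set per server is unwieldy) can be made manageable by generating each host's default-deny rule set from a one-line service description. The script below is an added example, not code from either poster or from the firewall-wizards list; the interface name `hme0`, the 10.1.1.0/24 "admin subnet", and the service list are constructed sample values, and the rule syntax follows the ipf.conf format of IPFilter 4.x as shipped with Solaris.

```shell
#!/bin/sh
# Generate a default-deny ipfilter (ipf) rule set for one host from a short
# service list, so that per-host rule sets come from a central description
# instead of being hand-edited on every server.
# Interface and service values below are constructed sample data (assumption).

# gen_ipf_rules IFACE "proto:port:source" ... -> prints an ipf.conf to stdout
gen_ipf_rules() {
    iface=$1
    shift
    cat <<EOF
# Generated ipf rule set for interface $iface
# Default deny both directions; log drops so the NIDS/HIDS side can see them.
block in log all
block out log all
# Loopback is always allowed.
pass in quick on lo0 all
pass out quick on lo0 all
# Sessions initiated by this host are allowed statefully.
pass out quick on $iface proto tcp from any to any flags S keep state
pass out quick on $iface proto udp from any to any keep state
pass out quick on $iface proto icmp from any to any keep state
# Explicitly allowed inbound services follow.
EOF
    for spec in "$@"; do
        proto=${spec%%:*}
        rest=${spec#*:}
        port=${rest%%:*}
        src=${rest#*:}
        case $proto in
            tcp) echo "pass in quick on $iface proto tcp from $src to any port = $port flags S keep state" ;;
            udp) echo "pass in quick on $iface proto udp from $src to any port = $port keep state" ;;
            *)   echo "# skipped unknown protocol in spec: $spec" ;;
        esac
    done
    # Anything not matched above is dropped and logged.
    echo "block in log quick on $iface all"
}

# count_inbound_allows: reads a generated rule set on stdin and prints how
# many non-loopback inbound pass rules it contains (a quick review check).
count_inbound_allows() {
    grep '^pass in quick on ' | grep -vc ' on lo0 '
}

# Constructed example host: SSH only from the admin subnet, HTTPS from anywhere,
# SNMP polling from the admin subnet.
gen_ipf_rules hme0 tcp:22:10.1.1.0/24 tcp:443:any udp:161:10.1.1.0/24
# On the real host the output would be saved and parse-checked before loading:
#   ipf -n -f /etc/ipf/ipf.conf    (dry run, parse only)
#   ipf -Fa -f /etc/ipf/ipf.conf   (flush existing rules and load the new set)
```

Because every rule set is derived from the same template, a change to the common policy (logging, loopback handling, stateful outbound) is made once and regenerated for all 15 hosts, while the per-host difference is reduced to the short service list; unknown protocol specs are written out as comments rather than silently dropped, so a typo in the service list shows up in the generated file.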

