Re: [fw-wiz] Host based vs network firewall in datacenter
From: Alin-Adrian Anton (aanton_at_spintech.ro)
Date: 06/16/05
- Previous message: Jim MacLeod: "Re: [fw-wiz] Strange Pix behavior."
- In reply to: Devdas Bhagat: "Re: [fw-wiz] Host based vs network firewall in datacenter"
- Next in thread: Marcus J. Ranum: "[fw-wiz] Transitive Trust: 40 million credit cards hack'd"
- Reply: Marcus J. Ranum: "[fw-wiz] Transitive Trust: 40 million credit cards hack'd"
- Reply: sin: "Re: [fw-wiz] Host based vs network firewall in datacenter"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Thu, 16 Jun 2005 16:02:59 +0300
Devdas Bhagat wrote:
> On 07/06/05 12:33 -0500, Zurek, Patrick wrote:
>
>>Hi all,
>>I graduated from university not long ago and assumed my first job as
>>network administrator in a small datacenter. I've been lurking here for
>>a while and reading the archives. I've learned a lot from what many of
>>you have had to say, but I'm having difficulty making the jump from the
>>theory behind the way things should be run (i.e. the network design maps
>>that show the little switch, router & firewall symbols) and the practical
>>applications of that. I was also reluctant to make this post for fear
>>of getting flamed for having what will come across as a clueless attitude
>>about network security. Instead of flaming, please correct me, I want
>>to learn.
>
No matter what kind of network you have, you need at least one firewall
at the border with the Internet.

Having a datacenter without a fast firewall at the border is simply insane.

The machine at the border can be some expensive hardware, like a Cisco,
or can be a powerful BSD-based packet filter sitting on powerful
hardware (the best you can get, Intel based).

If you choose a Cisco-like solution, choose an expensive one. You definitely
need it (because expensive ones can handle smarter ACLs and keep state
much better, and can also resist DDoS over 100 Mbps. Cheap ones may die).

If you choose a BSD solution, use ipfw (fastest) or pf (best in terms of
what it can do). Pf on FreeBSD with Intel "FXP" cards is able to use the
hardware chip for checking the CRC of the packets. This feature is only
available on FreeBSD, and as far as I know nobody has ported it to other OSes.

Having hardware check the checksums greatly improves performance,
even over ipfw.

I would not choose a Linux-based solution for firewalling high loads of
evil traffic.

Even better, if you can afford it, you can have both: the Cisco and the
BSD, with the Cisco sitting maybe in front of the BSD. This way you also keep
simple and good control of what goes in and what goes out, and you can
cut down packets which the hardware firewall missed (it happens).

In case of a serious DDoS problem, you can even enable a stateful ACL
version (keep it somewhere) on the BSD box, to really cut down whatever
the hardware firewall skips into the internal network.

On the inside, it may be a very good idea to use any kind of
firewall you want on each machine, in order to limit access to SNMP (if
you are going to monitor them via SNMP), and so on. You should use a
different switch for the monitoring connection, such that an internal
server cannot impersonate you in any way (ARP, ISN prediction, etc.).

Limit all services to what they really need to accept, and nothing else.
If they are not going to use the LAN, always bind them on the local
interface.

Each host inside the LAN should not trust anyone on the LAN, so
writing down what is strictly needed for each of them is a good thing.
Implementing it is the next step; I just pointed out some ideas.

Always consider that an attacker is somewhere inside, and try to avoid
exposing any other machine to him.

Just my opinions.

Yours,
--
Alin-Adrian Anton
GPG keyID 0x183087BA (B129 E8F4 7B34 15A9 0785 2F7C 5823 ABA0 1830 87BA)
gpg --keyserver pgp.mit.edu --recv-keys 0x183087BA
"It is dangerous to be right when the government is wrong." - Voltaire
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
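The per-host policy the post sketches (each server trusts nobody on the LAN, SNMP and management access only from the monitoring station over a separate management interface, everything else closed) can be written down as a pf ruleset. The block below is an added example and is not part of the original post or the list archive; the interface names (em0, em1), the addresses 10.10.0.0/24 and 10.99.0.5, and the set of offered services are assumptions chosen for illustration. It uses the explicit `keep state` form so it loads on both OpenBSD and the FreeBSD pf of that era.

```pf
# Added example (not from the original post): host-based pf ruleset for an
# internal server with a production interface and a management interface.
# Interface names and addresses below are assumptions.
lan_if  = "em0"            # production LAN (assumed)
mgmt_if = "em1"            # management NIC on the separate monitoring switch (assumed)
monitor = "10.99.0.5"      # the monitoring station (assumed address)
lan_net = "10.10.0.0/24"   # production LAN (assumed)

# the only services this host really needs to accept from the LAN
tcp_services = "{ 80, 443 }"

set block-policy drop
set skip on lo0

# normalise/reassemble incoming packets before filtering
scrub in all

# default: trust nobody, not even the LAN, in either direction
block in log all
block out log all

# SNMP only from the monitor, only on the management interface;
# explicitly refuse it on the production LAN interface
pass in quick on $mgmt_if proto udp from $monitor to ($mgmt_if) port snmp keep state
block in quick on $lan_if proto udp from any to any port snmp

# remote administration (ssh) also only from the monitor, via management
pass in quick on $mgmt_if proto tcp from $monitor to ($mgmt_if) port ssh \
    flags S/SA keep state

# the host's published services; replies are handled by state
pass in on $lan_if proto tcp from any to ($lan_if) port $tcp_services \
    flags S/SA keep state

# traffic the host itself initiates: DNS and NTP, plus outbound HTTP(S)
pass out on $lan_if proto { tcp, udp } from ($lan_if) to any port { 53, 123 } keep state
pass out on $lan_if proto tcp from ($lan_if) to any port { 80, 443 } \
    flags S/SA keep state

# replies back to the monitor leave via the management interface only
pass out on $mgmt_if from ($mgmt_if) to $monitor keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the `log` keyword on the default block rules sends dropped packets to the pflog interface, which is the cheapest way to find out which LAN neighbour is talking to a port that was never meant to be open. Because the ruleset is per host, the "write down what is strictly needed" step from the post becomes the `tcp_services` macro and nothing else.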