[fw-wiz] Firewall Placement Question



I would like to hear some thoughts on the placement of a firewall. My
intent isn't to start a flame but to debate the usefulness of two
technologies inside the network: firewalls vs. IPSes.

The network which I manage is a university network that hasn't been looked
after very well with regards to security and access control. Right now
there is a head end firewall that's 'inverted' as we say - that is we
allow everything and just block a few things.

Between buildings we block a few ports on the L3 switches to 'contain
outbreaks'.

There are three major problems which we are trying to address separately.

1. The Residence Halls are on the inside of the network. They are coming
off this summer.

2. Wireless users are on the inside of the network. We are building a
'guest wireless' system that will be live this summer as well.

3. There are open network jacks all around campus and no kind of NAC in
place. This isn't being addressed yet.

Also being a university we have a hard time trusting our users and
enforcing anti-virus installations and patching.

Recently there has been a push to install a transparent firewall in front
of the server farm. This is being done using a context on our firewall
services module that protects (be it poorly) the border at the internet.
However both the server network and internet border are being scanned by
an IPS.

The question is: given that we are working to take historically abusive
users off the network, is it really worth the time to install a firewall
in front of the servers or just use the IPS?

I wonder about the labor required to pull this off for almost 200 servers
(and Microsoft applications are a bitch). I fear it will be hell to
manage all the exceptions, i.e. one user in a different building needs
access to a few administrative ports. Not to mention that after it's done
we'll spend days trying to work out the bugs of things that 'should just
work' and effects of application upgrades that change ports.

Lastly, is anyone doing any kind of filtering inside the network, or is it
only done at the border?

Thoughts?

Regards,
Jason Mishka
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
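The labor question in the post above (going from an allow-everything policy to a
default-deny firewall in front of roughly 200 servers, with per-user exceptions and
port changes after upgrades) is usually tackled by building the ruleset from an
inventory and dry-running it against flows the IPS or a flow collector is already
seeing, before enforcement is switched on. The Python below is an added example of
that workflow; it is not code from Jason's post or from the firewall-wizards list.
The server inventory, the admin subnet, the single exception, the addresses and the
flow-record format are all constructed for illustration.

```python
"""Dry-run a default-deny server-farm policy against observed flows, so the things
that "should just work" surface before enforcement. All inputs here are constructed."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List

ANY = ip_network("0.0.0.0/0")
ADMIN_NET = ip_network("10.99.0.0/24")  # assumed sysadmin workstation subnet
# Per server: service ports open to any source the border admits; admin ports only from ADMIN_NET.
INVENTORY = [
    {"name": "www1", "ip": "10.10.0.21", "tcp": [80, 443], "admin_tcp": [3389, 445]},
    {"name": "mail1", "ip": "10.10.0.22", "tcp": [25, 143, 993], "admin_tcp": [3389]},
    {"name": "dc1", "ip": "10.10.0.30", "tcp": [88, 389, 636], "udp": [53, 88, 389],
     "admin_tcp": [3389, 445, 135]},
]
# The "one user in another building needs a few administrative ports" case.
EXCEPTIONS = [
    {"name": "registrar-pc-to-www1-rdp", "src": "10.20.5.17", "dst": "10.10.0.21",
     "proto": "tcp", "ports": [3389]},
]
# Constructed flow records in the shape "<ts> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_LOG = """\
2007-03-01T09:58:11 tcp 10.20.5.17:51022 -> 10.10.0.21:3389
2007-03-01T09:58:40 tcp 10.31.7.9:40311 -> 10.10.0.21:443
2007-03-01T09:59:02 udp 10.31.7.9:53311 -> 10.10.0.30:53
2007-03-01T09:59:15 tcp 10.31.7.9:40320 -> 10.10.0.22:3389
2007-03-01T09:59:30 tcp 10.99.0.5:58000 -> 10.10.0.30:445
2007-03-01T10:00:01 tcp 10.45.2.2:33010 -> 10.10.0.22:8443
2007-03-01T10:00:09 tcp 10.45.2.2:33011 -> 10.10.0.99:80
"""
FLOW_RE = re.compile(r"^\S+ (tcp|udp) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str         # "tcp", "udp" or "any"
    dports: frozenset  # destination ports; empty means any port
    action: str        # "allow" or "deny"

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, dport: int) -> bool:
        return (src in self.src and dst in self.dst and self.proto in (proto, "any")
                and (not self.dports or dport in self.dports))

def host(ip: str) -> IPv4Network:
    return ip_network(f"{ip}/32")

def build_policy(inventory, exceptions, admin_net) -> List[Rule]:
    """Most specific first: named exceptions, per-server rules, then a final deny."""
    rules = [Rule(e["name"], host(e["src"]), host(e["dst"]), e["proto"],
                  frozenset(e["ports"]), "allow") for e in exceptions]
    for s in inventory:
        for proto in ("tcp", "udp"):
            if s.get(proto):
                rules.append(Rule(f"{s['name']}-{proto}-svc", ANY, host(s["ip"]),
                                  proto, frozenset(s[proto]), "allow"))
        if s.get("admin_tcp"):
            rules.append(Rule(f"{s['name']}-admin", admin_net, host(s["ip"]),
                              "tcp", frozenset(s["admin_tcp"]), "allow"))
    rules.append(Rule("default-deny", ANY, ANY, "any", frozenset(), "deny"))
    return rules

def parse_flows(text: str):
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:  # lines the exporter garbled are skipped, not guessed at
            proto, src, dst, dport = m.groups()
            flows.append((ip_address(src), ip_address(dst), proto, int(dport)))
    return flows

def first_match(rules: List[Rule], src, dst, proto, dport) -> Rule:
    return next(r for r in rules if r.matches(src, dst, proto, dport))

def audit(rules: List[Rule], flows, inventory) -> Dict[str, List[str]]:
    """Bucket each denied flow by the operator's next step: add a forgotten port to
    the inventory, judge an admin port hit from outside ADMIN_NET, or identify a host."""
    known = {ip_address(s["ip"]): s for s in inventory}
    report = {"allowed": [], "inventory_gap": [], "admin_from_unknown": [], "unknown_dst": []}
    for src, dst, proto, dport in flows:
        rule = first_match(rules, src, dst, proto, dport)
        desc = f"{src} -> {dst}:{dport}/{proto} [{rule.name}]"
        if rule.action == "allow":
            report["allowed"].append(desc)
        elif dst not in known:
            report["unknown_dst"].append(desc)
        elif proto == "tcp" and dport in known[dst].get("admin_tcp", []):
            report["admin_from_unknown"].append(desc)
        else:
            report["inventory_gap"].append(desc)
    return report

if __name__ == "__main__":
    policy = build_policy(INVENTORY, EXCEPTIONS, ADMIN_NET)
    for bucket, items in audit(policy, parse_flows(FLOW_LOG), INVENTORY).items():
        print(bucket, *items, sep="\n    ")
```

Run as-is, the constructed flow batch lands in all four buckets: the registrar
workstation's RDP session is allowed by its exception rather than by a blanket
rule; an RDP attempt at mail1 from an ordinary campus host is denied and flagged as
an admin port from outside the admin subnet; a hit on mail1 port 8443 that the
inventory does not list shows up as an inventory gap (the shape an application
upgrade that moved ports takes); and a server nobody recorded shows up as an unknown
destination. Feeding the real inventory and a day of real flow records through the
same audit before enforcement turns the "days of working out bugs" into a list to
work down in advance.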