Re: [fw-wiz] Firewall Placement Question


I would like to suggest you to go for a solution that integrates the wireless security with the perimeter security of the university you are working with. SonicWALL could be an option to begin with. They have a Product for firewalls with wireless security.
You also have an option to go for User Based security configuration where you can block specific users from accessing particular networks or websits. You can set a policy for the rouge access points which provide you with an option to configure NAC for the network jacks.

Since you have said that ?Also being a university we have a hard time trusting our users and enforcing anti-virus installations and patching.?, you can group those users and apply special policies for them which would enable to control the sites being accessed.
Most of the solutions available in the market will allow you to configure Guest profiles for the wireless users.

If you already have purchased such a solution for your university you can use the following pointers for the deployment of the security policy throughout the network:

· Guest Accounts for the wireless suers
· Add a group of the students in the university and configure a special policy specifying the blocked and allowed conmtent, sites.
· Configure a policy for the Rouge Access points (network jacks) specifying their ability to access the networks.
· Configure a compliance policy for the network which wioll specify the minimum system configuration along with the software in order to access/enter the network. In this way you can enforce the installation of the antivirus software to the clients.
· In order to take historically abusive users off the network, you can add them in a specific group and prohibit all the access to that group.
· With the SonicWALL firewalls, you can configure the rules between zones, in your case it will be the server farm and the users in the network, and create exceptions if a user needs to access a particular port and later remove that exception from the system.
· As far as the internal filtering is concerned, you can achieve that using the zones and the user groups, and configuring access rules between them.

I wrote this article since I was working with the SonicWALL support and came across a lot of implementations on similar environments
Specified by Jason.

Thanks and Regards,
Aniket Amdekar

jason@xxxxxxxxxx wrote: I would like to hear some thoughts on the placement of a firewall. My
intent isn't to start a flame but to debate the usefulness of two
technologies inside the network firewall vs. IPS's.

The network which I manage is a university network that hasn't been looked
after very well with regards to security and access control. Right now
there is a head end firewall that's 'inverted' as we say - that is we
allow everything and just block a few things.

Between buildings we block a few ports on the l3 switches to 'contain

There are three major problems which we are trying to address separetely.

1. The Residence Halls are on the inside of the network. They are coming
off this summer.

2. Wireless users are on the inside of the network. We are building a
'guest wireless' system that will be live this summer as well.

3. There are open network jacks all around campus and no kind of NAC in
place. This isn't being addressed yet.

Also being a university we have a hard time trusting our users and
enforcing anti-virus installations and patching.

Recently there has been a push to install a transparent firewall in front
of the server farm. This is being done using a context on our firewall
services module that protects (be it poorly) the border at the internet.
However both the server network and internet border are being scanned by
an IPS.

The question is: given that we are working to take historically abusive
users off the network, is it really worth the time to install a firewall
in front of the servers or just use the IPS?

I wonder about the labor required to pull this off for almost 200 servers
(and Microsoft applications are a bitch). I fear it will be hell to
manage all the excpetions, ie. one user in a different building needs
access to a few administrative ports. Not to mention that after it's done
we'll spend days trying to work out the bugs of things that 'should just
work' and effects of application upgrades that change ports.

Lastly, is anyone doing any kind of filtering inside the network or is
only done at the border?


Jason Mishka
firewall-wizards mailing list

Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now._______________________________________________
firewall-wizards mailing list