Re: [fw-wiz] Firewall Placement Question

If it were mine, I'd segment the h*ll out of the networks with stateful
firewalls, and find a NAC solution stat.

Divide your user community into at least two layers and segregate. All
students, dorms, unsecured jacks, wireless networks, etc. belong
together. Protecting one from another with IPS seems appropriate to
contain outbreaks. More or less trusted systems (over which you might
have better control of configs, patches, anti-virus, user behavior)
belong segregated from students. Especially if those systems are used to
connect to high-value apps. Use NAC to determine trusted from untrusted
workstations on unsecured jacks (meeting rooms, classrooms, etc.)

Your server environment could probably use at least three layers as
well. Hang internet-accessible servers off one firewall leg, hang
general purpose academic servers off another, and finally segregate
high-value servers (student records, financials, accounting, etc.) from
all of them.

The inverted rules might make sense in your environment, but only for
connections outbound to the internet. Sure it's higher risk, but I think
students expect the campus network to be generally wide open internet
access. A transparent HTTP proxy running anti-virus might be useful.
Connections from any user segment to any other, and inbound to any
server segment should be carefully restricted.

Yes, MS apps can be a pain, but really only where they use RPC -- that
is, within a single AD domain. Dividing MS servers into domains that
more or less match firewall segregations makes things easier.

Best of luck,

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of jason@xxxxxxxxxx
Sent: Wednesday, February 20, 2008 6:37 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Firewall Placement Question

I would like to hear some thoughts on the placement of a
firewall. My intent isn't to start a flame but to debate the
usefulness of two technologies inside the network firewall vs. IPS's.

The network which I manage is a university network that
hasn't been looked after very well with regards to security
and access control. Right now there is a head end firewall
that's 'inverted' as we say - that is we allow everything and
just block a few things.

Between buildings we block a few ports on the l3 switches to
'contain outbreaks'.

There are three major problems which we are trying to address
separately.

1. The Residence Halls are on the inside of the network.
They are coming off this summer.

2. Wireless users are on the inside of the network. We are
building a 'guest wireless' system that will be live this
summer as well.

3. There are open network jacks all around campus and no kind
of NAC in place. This isn't being addressed yet.

Also being a university we have a hard time trusting our
users and enforcing anti-virus installations and patching.

Recently there has been a push to install a transparent
firewall in front of the server farm. This is being done
using a context on our firewall services module that protects
(be it poorly) the border at the internet.
However both the server network and internet border are being
scanned by an IPS.

The question is: given that we are working to take
historically abusive users off the network, is it really
worth the time to install a firewall in front of the servers
or just use the IPS?

I wonder about the labor required to pull this off for almost
200 servers (and Microsoft applications are a bitch). I fear
it will be hell to manage all the exceptions, i.e. one user in
a different building needs access to a few administrative
ports. Not to mention that after it's done we'll spend days
trying to work out the bugs of things that 'should just work'
and the effects of application upgrades that change ports.

Lastly, is anyone doing any kind of filtering inside the
network, or is it only done at the border?

Thoughts?

Regards,
Jason Mishka
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
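The zone layout Dan sketches in his reply (two user tiers, three server tiers, default deny between them, wide-open outbound only) can be written down as an explicit allow list and checked before any rule touches a production firewall. The evaluator below is an added example, not code from the thread; the zone names, address ranges and rules are constructed for illustration.

```python
# Added example: a small zone-policy evaluator modelling the segmentation advice
# in the reply above. Zones, CIDRs and rules are constructed, not a real campus plan.
from ipaddress import ip_address, ip_network

# Two user tiers and three server tiers; anything outside the plan is "internet".
ZONES = {
    "untrusted_users": [ip_network("10.10.0.0/16")],  # dorms, wireless, open jacks
    "trusted_users":   [ip_network("10.20.0.0/16")],  # managed staff workstations
    "dmz":             [ip_network("192.0.2.0/24")],  # internet-accessible servers
    "academic":        [ip_network("10.30.0.0/24")],  # general-purpose servers
    "high_value":      [ip_network("10.40.0.0/24")],  # student records, financials
}

# Explicit allow list: (src_zone, dst_zone, dst_port or None for any port).
# Anything not listed is denied, the opposite of an "inverted" allow-all policy.
ALLOW = [
    ("untrusted_users", "internet",   None),  # wide-open outbound, as conceded
    ("trusted_users",   "internet",   None),
    ("internet",        "dmz",        443),
    ("trusted_users",   "academic",   443),
    ("trusted_users",   "high_value", 443),   # only managed workstations reach records
    ("academic",        "high_value", 5432),  # constructed app-to-database dependency
]

def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown space is treated as the outside."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "internet"

def decide(src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a flow between zones.

    Traffic within a single zone is not firewalled here; that is the
    'contain outbreaks with IPS' layer from the reply, not this policy.
    """
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "allow"
    for rs, rd, rp in ALLOW:
        if rs == s and rd == d and (rp is None or rp == dport):
            return "allow"
    return "deny"

def reachable_from(dst_zone: str) -> set:
    """Zones holding any allow rule into dst_zone: a quick exposure review."""
    return {rs for rs, rd, _ in ALLOW if rd == dst_zone}
```

Running `reachable_from("high_value")` during a rule review shows at a glance which segments can ever reach the records servers, which is the question the exception requests in the original post keep reopening.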
