Re: [fw-wiz] Firewall Placement Question



I would look into PacketFence or Bradford Software's Campus Manager. I used it while doing work in the Uni environment.

http://www.bradfordnetworks.com/products/overview.html
http://www.packetfence.org/

The biggest thing you failed to include in your comment was policy. How are the policies written for the students? What TOSs are in place for resnet use? You shouldn't expect a client NOT TO use P2P if they haven't been implicitly told "Terms of use legalese wording goes here states thou shall not use P2P on our network" (remember the students' tuition payments pay your salary (technically), so think of them as clients and not students). Policies go a long way when it comes time to cut off connections.

What should be done is control on all levels. What is the environment like: collapsed core, or three-tiered (access, distribution, core)? Placing an IPS won't necessarily alleviate/resolve your issues. So you place an IPS and 20 firewalls in my way to block me from using P2P... I decide to tunnel, then what?

Look at how your network is designed and take excerpts from standards and best practices (Cisco SAFE... while not the epitome of what I would particularly call SAFE... it's a baseline): http://tinyurl.com/29cfto

Personally I'd start with re-vamping policies so no clients cry foul when you place them on a VLAN to nowhere. There is a lot you could do without a firewall and (uberBuzzworded) IPS if the design was carefully looked at, re-designed and deployed. Something I always refer to from Cisco CCSP studies is "Secure Monitor Test Improve"; in this case: Monitor (see what's going on), Secure (make the necessary changes you need to make), Improve (improve on those changes).

As for the answer to the buzzword hype... IPS = overrated. Placement... depends on your network. If you're using Cisco routers and they can handle it, depending on what kind of network you're running (Collapsed Core, etc.), you could get by with some crafty CBACs, VLANs to nowhere, syslog, some expect scripts. Get creative ;) ... I made myself a VoIP IPS using syslog and expect... Impressed myself for two minutes; real world means little, my network differs from others.

--
====================================================
J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
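A small added example (not part of the original post, and not the poster's own syslog/expect script) of the "syslog plus a script" approach described above, written from the defender's side: it parses constructed ACL deny lines, counts denies per source host inside a sliding window, and once a host crosses the policy threshold emits a quarantine decision (move the host's switch port to an isolated "VLAN to nowhere"). The log format, the threshold, the window, the VLAN id, the port mapping and the year are all assumptions made for the example.

```python
"""Syslog-driven quarantine decision engine (added example, assumptions noted).

Policy mirrors the post's advice: the policy, not the box, decides when a
client gets moved to the VLAN to nowhere; this script only automates that
decision from ACL deny logs and renders the switch-side change.
"""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape (constructed for this example): a Cisco IOS style
# %SEC-6-IPACCESSLOGP deny message with timestamp, source and destination.
# A real deployment would adapt the regex to its own platform's syslog format.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ .*?"
    r"list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)

QUARANTINE_VLAN = 999          # assumption: the isolated "VLAN to nowhere"
THRESHOLD = 3                  # assumption: denies per host inside WINDOW before acting
WINDOW = timedelta(minutes=5)  # assumption: sliding window length
YEAR = 2007                    # syslog lines carry no year; assumed for parsing

# Constructed sample log lines (not captured from any real network).
SAMPLE_LOG = [
    "Mar 13 10:00:01 core-rtr 12345: %SEC-6-IPACCESSLOGP: list RESNET-OUT denied tcp 10.20.30.40(51234) -> 203.0.113.5(6881), 1 packet",
    "Mar 13 10:00:09 core-rtr 12346: %SEC-6-IPACCESSLOGP: list RESNET-OUT denied tcp 10.20.30.40(51235) -> 203.0.113.6(6881), 1 packet",
    "Mar 13 10:00:30 core-rtr 12347: %SEC-6-IPACCESSLOGP: list RESNET-OUT denied udp 10.20.30.77(40000) -> 198.51.100.9(4662), 1 packet",
    "Mar 13 10:01:15 core-rtr 12348: %SEC-6-IPACCESSLOGP: list RESNET-OUT denied tcp 10.20.30.40(51236) -> 203.0.113.7(6881), 1 packet",
    "Mar 13 10:09:00 core-rtr 12349: %SEC-6-IPACCESSLOGP: list RESNET-OUT denied udp 10.20.30.77(40001) -> 198.51.100.9(4662), 1 packet",
    "Mar 13 10:09:05 core-rtr 12350: %SEC-6-IPACCESSLOGP: list RESNET-OUT denied udp 10.20.30.77(40002) -> 198.51.100.9(4662), 1 packet",
    "Mar 13 10:09:06 core-rtr 12351: %SYS-5-CONFIG_I: not a deny line at all",
]


def parse_line(line, year=YEAR):
    """Return a dict for a matching deny line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "acl": m["acl"], "src": m["src"], "dport": int(m["dport"])}


def evaluate(lines):
    """Feed syslog lines through the policy; return quarantine decisions.

    Each decision is (host, trigger_time, hit_count). A host is decided on
    at most once, like a script that moves a port and then stops watching it.
    """
    hits = defaultdict(deque)  # src -> timestamps of recent denies
    quarantined = {}
    decisions = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] in quarantined:
            continue
        q = hits[ev["src"]]
        q.append(ev["ts"])
        # Forget denies that have fallen out of the sliding window.
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD:
            quarantined[ev["src"]] = ev["ts"]
            decisions.append((ev["src"], ev["ts"], len(q)))
    return decisions


def quarantine_commands(decisions, port_map):
    """Render the switch-side change an expect script would push.

    port_map is an assumed lookup of host IP -> (switch, interface); the CLI
    text is illustrative IOS-style syntax, not a tested vendor procedure.
    """
    cmds = []
    for host, _ts, _n in decisions:
        if host not in port_map:
            continue  # unknown edge port: leave it for a human, do not guess
        switch, iface = port_map[host]
        cmds.append(f"{switch}: interface {iface} ; "
                    f"switchport access vlan {QUARANTINE_VLAN}")
    return cmds


if __name__ == "__main__":
    ports = {"10.20.30.40": ("sw-dorm-1", "FastEthernet0/12")}  # assumed mapping
    found = evaluate(SAMPLE_LOG)
    for host, ts, n in found:
        print(f"{ts:%H:%M:%S} quarantine {host} after {n} denies in {WINDOW}")
    for cmd in quarantine_commands(found, ports):
        print(cmd)
```

On the sample input only 10.20.30.40 crosses the threshold (three denies inside five minutes); 10.20.30.77 has three denies too, but the first one falls outside the window, which is the point of keeping a window rather than a lifetime counter. The policy side the post insists on lives in the three constants at the top: change the threshold or window and the decisions change, while the log parsing and the port move stay the same.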
