Re: [OT ish] Router vs Firewall - corporate environment

Hey Martin,

On Tue, 2010-02-02 at 13:38 +0000, martin wrote:

> We're in the process of planning to split up our corporate network -
> ie, a subnet for servers, one for users, one for admins etc etc.

<snip>

> Now a debate has started over whether we should use the router to
> split up our network, or whether we should go to the extra expense of
> buying a firewall to do this.

First off, kudos on deciding to segment out the internal network based
on security zones. This will make it much easier to detect/contain
Malware if a system gets whacked.

> As I understand it, if I send a request
> from subnet 1 to subnet 2 on port 80, the source port (is over 1024)
> would have to be open for the reply to come back from subnet 2 to
> subnet 1. However, as firewalls are stateful, they do not require
> this - I would just need to open port 80 to subnet 2.

Sort of. A stateful firewall still needs that return port opened; it
just does it for you automatically. With a static set of rules you will
need to permit all ACK traffic above 1023, all of the time. Stateful
only opens the socket when an outbound request is actually active.

So for example an nmap '-sA' scan will blow right through the router. It
should not be able to get past a good stateful firewall setup.

> Apart from the greater logging capabilities, this is the only reason I
> can come up with to use a firewall.

First off the logging is pretty major. Cisco routers rate limit their
logging so you never actually see all the traffic. Further, they can
generate log irregularities. For example you'll find that all of your
ICMP traffic looks like Echo-Replies unless you define rules for every
single type/code.

> Does anybody have any additional
> suggestions as to why we should use a firewall ?

More secure posture, better control of complex apps (FTP, VoIP, etc),
etc. etc. Think of all the reasons why people do not trust routers as
their only line of defense and you'll get the idea.

> Or likewise, why a firewall might not be necessary.

These days you need to plan on Malware getting past your perimeter and
take steps to mitigate/contain/detect when possible. If you are running
NAC, HIPS or app control, that will take up much of the slack.

As for a specific recommendation, can't say for sure. Don't know what
other security steps you've taken, what business you are in, how much
risk you can live with, etc. etc. It's like trying to figure out where a
puzzle piece goes without having the rest of the puzzle to look at. ;-)

HTH,
Chris
--
www.chrisbrenton.org
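The point Chris makes about the static "established" rule versus connection tracking is easy to see in a small model. The following is an added example, not code from the original thread or from either poster: it models a stateless router ACL (permit users to servers on port 80, permit server-to-user packets that carry ACK to a destination port above 1023, deny the rest) next to a minimal stateful tracker that only creates state for a user-initiated SYN to port 80. The subnets (10.1.0.0/16 for users, 10.2.0.0/16 for servers), the addresses and the packets are all constructed for the example. A normal HTTP handshake passes both filters; a bare ACK with no prior connection, the shape of packet the reply says "will blow right through the router", is permitted by the static rule and dropped by the tracker.

```python
"""Stateless ACL vs. stateful connection tracking, modelled per packet.

Constructed example: addresses, subnets and packets are made up for the demo.
"""
from dataclasses import dataclass

USER_NET = "10.1."    # constructed: subnet 1, the user hosts
SERVER_NET = "10.2."  # constructed: subnet 2, the servers


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def stateless_acl(pkt: Packet) -> bool:
    """Static router ACL: evaluated on each packet with no memory of earlier ones.

    Rule 1: users -> servers, destination port 80.
    Rule 2: servers -> users, ACK set, destination port > 1023
            (the 'established' rule that must stay open all the time).
    Everything else is denied.
    """
    if pkt.src.startswith(USER_NET) and pkt.dst.startswith(SERVER_NET) and pkt.dport == 80:
        return True
    if (pkt.src.startswith(SERVER_NET) and pkt.dst.startswith(USER_NET)
            and "ACK" in pkt.flags and pkt.dport > 1023):
        return True
    return False


class StatefulFirewall:
    """Minimal connection tracker: return traffic is only allowed for flows it has seen."""

    def __init__(self) -> None:
        self.connections = set()  # (src, sport, dst, dport) of tracked flows

    def filter(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections or reverse in self.connections:
            return True  # part of a flow a user opened earlier
        # Only a user-initiated SYN to port 80 may create new state.
        if (pkt.src.startswith(USER_NET) and pkt.dst.startswith(SERVER_NET)
                and pkt.dport == 80 and pkt.flags == frozenset({"SYN"})):
            self.connections.add(key)
            return True
        return False  # unsolicited packet: no state, so no "return port" is open


def http_handshake() -> list:
    """Constructed three-way handshake: user 10.1.0.5:40000 -> server 10.2.0.10:80."""
    syn = Packet("10.1.0.5", 40000, "10.2.0.10", 80, frozenset({"SYN"}))
    synack = Packet("10.2.0.10", 80, "10.1.0.5", 40000, frozenset({"SYN", "ACK"}))
    ack = Packet("10.1.0.5", 40000, "10.2.0.10", 80, frozenset({"ACK"}))
    return [syn, synack, ack]


def unsolicited_ack() -> Packet:
    """Constructed: a bare ACK from the server subnet to a user host's high port,
    with no connection behind it. The static rule cannot tell it from real return traffic."""
    return Packet("10.2.0.99", 12345, "10.1.0.5", 3389, frozenset({"ACK"}))


def evaluate() -> dict:
    """Run both packet sets through both filters; True means permitted."""
    results = {}
    results["handshake_router"] = [stateless_acl(p) for p in http_handshake()]
    tracker = StatefulFirewall()
    results["handshake_firewall"] = [tracker.filter(p) for p in http_handshake()]
    probe = unsolicited_ack()
    results["probe_router"] = stateless_acl(probe)
    results["probe_firewall"] = StatefulFirewall().filter(probe)
    return results


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name}: {verdict}")
```

The tracker here is deliberately simple (no timeouts, no teardown on FIN/RST, no sequence-number checks), which is exactly the work a real stateful firewall does for you and a static ACL never can; the comparison shows why "permit established, port > 1023" has to stay open permanently on the router and therefore also admits traffic that belongs to no connection.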
