Re: Host based vs network firewall in datacenter

[Devdas Bhagat <devdas () dvb homelinux org>]

On 07/06/05 12:33 -0500, Zurek, Patrick wrote:
> Hi all,
> I graduated from university not long ago and assumed my first job as
> network administrator in a small datacenter.  I've been lurking here for
> a while and reading the archives.  I've learned a lot from what many of
> you have had to say, but I'm having difficulty making the jump from the
> theory behind the way things should be run (ie. the network design maps
> that show the little switch, router & firewall symbols) and the practical
> applications of that.  I was also reluctant to make this post in fear
> of getting flamed for having what will come across as a cluess attitude
> about network security.  Instead of flaming, please correct me, I want
> to learn.

I haven't seen too many flames on posters here asking questions :).

> I'd like to solicit some advice on a firewall implementation.  Our
> solaris only site has two main components, a web presence which connects
> to a backend application running on top of Oracle, and a custom
> application (which unfortunately also runs on the same host as the
> database) to which our clients connect.  So all our servers need to
> be internet facing including the database.  Our servers range from

Is there any possibility of moving the custom application off the
database? Is there any possibility of moving the application to an
easily proxied protocol?

> small Sun V100s to a F15k.  We do not have a firewall or a NIDS and we
> do not have administrative control of the router on which to apply
> stateless ACLs.  This was the situation when I arrived.  Fortunately,
> our hosts are properly configured and reasonably hardened by a
> competent system adminstrator.  Just recently I've had some luck
> with management in getting a span port enabled on the switch - in a
> month or so I hope to have up a BSD monitoring platform running
> snort/sguil off a dedicated tap.
>
> These are the options as I see them:
> 1) Wide open - keep the hosts locked down tight and keep open services
> to a minimum.
> 2) Host based firewall - put ipf on the hosts
> 3) Network firewall behind the router - ???
>
> 1) Does not seem feasible to continue to operate this way.
Keeping the hosts locked down tight, and open services to a minimum is a
good idea. If possible, have Oracle only listen to a Unix socket, or the
loopback interface.
 
> 2) As a short term measure I have applied ipfilter on several of our
> non production hosts.  My manager has began to advocate putting it on
> all production systems now (about 15 hosts).  At first I thought this
> would be a bad idea, as a network firewall would ease administration
> and having to administer seperate rule sets for each server would be

How about a *BSD box in front with stateful firewalling rules, and some
additional rules on each host?

> unwieldy. However, after reading the opinions of certain members of
> the list, I'm at a loss as to how to proceed.  I don't want to purchase
> something like:
>
> "- Some of the products we're buying simply don't work
> - Some of the products we're buying aren't being used
>         properly
> - There is no correlation between cost and effectiveness
>         of security products"
>
> as MJR said last week.  I'm interested in using the right tool for the job.
> Is ipf on a production Sun 15k a good idea?
>
> 3) This option is good because it will allow us to apply stateless ACLs
> at the gateway and centralize the management of firewall functions.
>
> Bearing in mind that I'm still relatively new to this, and that I'm having
> trouble bridging the gap between the way security should be done, and
> actually implementing it, I'd appreciate any advice and help.

1> Define a policy.
2> Write it down.
3> Map the policy to your firewalling rules. This includes deciding what
traffic to allow on what ports, and what protocols you need to proxy.
Consider implementing a reverse proxy with squid, filtering out unusual
URLs at a minimum.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards