Firewall Wizards mailing list archives
Re: Host based vs network firewall in datacenter
From: "Daniel Linder" <dan () linder org>
Date: Fri, 10 Jun 2005 15:58:25 -0500 (CDT)
Patrick Zurek said:

These are the options as I see them:
1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
2) Host based firewall - put ipf on the hosts.
3) Network firewall behind the router - ???
1) Does not seem feasible to continue to operate this way.
I agree 100%.
2) As a short term measure I have applied ipfilter on several of our non-production hosts. My manager has begun to advocate putting it on all production systems now (about 15 hosts). At first I thought this would be a bad idea, as a network firewall would ease administration and having to administer separate rule sets for each server would be unwieldy. However, after reading the opinions of certain members of the list, I'm at a loss as to how to proceed.
[snip]
I'm interested in using the right tool for the job. Is ipf on a production Sun 15k a good idea?
I guess it all depends on the workload of the servers. If they are handling thousands of packets per second, then the overhead of doing packet filtering on each client might be a bit overwhelming.
3) This option is good because it will allow us to apply stateless ACLs at the gateway and centralize the management of firewall functions.
You might want to look into a Linux/BSD system set up as an in-line firewall. Basically, the system has two NICs set up as a bridge. The traffic's IP addresses don't get translated, but the system can filter using IPTables rules. I think the latest Linux Journal discussed this setup.

If you can't convince your bosses this step is necessary, present these scenarios to them:

1: Someone starts sending DoS traffic to your systems as they are now. Each machine has to investigate each packet and drop it itself, plus intra-server traffic will be impacted.

2: Same situation, but you have a single firewall as a chokepoint. This single system is stopping all those 'bad' packets before they ever have a chance to get to your servers. This keeps your internal network available for the valuable traffic and keeps the trash off it.

Dan

- - - - -
Wait for that wisest of all counselors, Time. -- Pericles
"I do not fear computers, I fear the lack of them." -- Isaac Asimov
GPG fingerprint: 9EE8 ABAE 10D3 0B55 C536 E17A 3620 4DCA A533 19BF

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
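As an added example (not from Dan's message or anything else in this thread), here is what the two-NIC bridge firewall he describes looks like on a current Linux box, built with iproute2 and iptables. The interface names eth0/eth1/br0, the exposed ports and the sysctl are assumptions for illustration; the script prints what it would do unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: transparent two-NIC bridge firewall on Linux (iproute2 +
# iptables). Interface names and ports below are assumed, not from the thread.
# DRY_RUN=1 (default) prints what would be done instead of touching the host.
DRY_RUN="${DRY_RUN:-1}"
UPSTREAM_IF="${UPSTREAM_IF:-eth0}"   # port facing the router/Internet
SERVER_IF="${SERVER_IF:-eth1}"       # port facing the datacenter servers
BRIDGE="${BRIDGE:-br0}"

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Join both NICs into a bridge. Neither port nor br0 gets an IP address, so
# the box is invisible at layer 3: no NAT, no routing, nothing to re-address.
setup_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$UPSTREAM_IF" master "$BRIDGE"
    run ip link set "$SERVER_IF" master "$BRIDGE"
    run ip link set "$UPSTREAM_IF" up
    run ip link set "$SERVER_IF" up
    run ip link set "$BRIDGE" up
    # Bridged frames are only handed to iptables when this sysctl is on.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Emit an iptables-restore ruleset filtering bridged traffic in FORWARD.
# $1 = TCP ports reachable from upstream (whitespace separated). Everything
# the servers initiate is allowed out, and its replies return via conntrack.
ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' "-A FORWARD -m physdev --physdev-in $SERVER_IF -j ACCEPT"
    for p in $1; do
        printf '%s\n' "-A FORWARD -m physdev --physdev-in $UPSTREAM_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the chokepoint discards: a flood shows up in
    # one place instead of in fifteen separate server logs.
    printf '%s\n' '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "bridge-drop: "'
    printf '%s\n' 'COMMIT'
}

# Load the ruleset atomically. INPUT DROP assumes you manage the box from
# the console or a separate management NIC (the bridge ports carry no address).
apply_ruleset() {
    if [ "$DRY_RUN" = "1" ]; then ruleset "$1"; else ruleset "$1" | iptables-restore; fi
}

setup_bridge
apply_ruleset "22 80 443"
```

Run it as root with DRY_RUN=0 only after checking the printed commands; the sysctl name and physdev match require the br_netfilter and xt_physdev modules to be available.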