Firewall Wizards mailing list archives
RE: Host based vs network firewall in datacenter
From: "Rik Schneider" <riks () wni com>
Date: Fri, 10 Jun 2005 16:08:05 -0500
From: Zurek, Patrick - Tuesday, June 07, 2005 12:34 PM
To: firewall-wizards () honor icsalabs com

> These are the options as I see them:
> 1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
> 2) Host based firewall - put ipf on the hosts
> 3) Network firewall behind the router - ???

You forgot to mention: 4) Do both 2 and 3 above. 3 alone is like an M&M - hard and crunchy on the outside, soft and tasty on the inside. If you can only do one or the other, #2 is where I would start. Remember that the hosts likely have no need to ftp/telnet/ssh/http/snmp/etc to/from each other.

> 1) Does not seem feasible to continue to operate this way.

I agree.

> 2) As a short term measure I have applied ipfilter on several of our non-production hosts. My manager has begun to advocate putting it on all production systems now (about 15 hosts). At first I thought this would be a bad idea, as a network firewall would ease administration and having to administer separate rule sets for each server would be unwieldy. However, after reading the opinions of certain members of the list, I'm at a loss as to how to proceed. I don't want to purchase something like: "- Some of the products we're buying simply don't work - Some of the products we're buying aren't being used properly - There is no correlation between cost and effectiveness of security products" as MJR said last week. I'm interested in using the right tool for the job. Is ipf on a production Sun 15k a good idea?

IPF works well, but depending on your support requirements you may need to look at a commercial solution. If you are using Solaris 8 or 9 and are under Sun support you may want to look at SunScreen Lite, but I still prefer ipfilter.

> 3) This option is good because it will allow us to apply stateless ACLs at the gateway and centralize the management of firewall functions.

There are many solutions for this, some as simple as putting a BSD (or Linux or ...) box up as a bridge and again using IPF for packet filtering, to buying one of the many appliances. Bear in mind that the stance should be to deny everything by default and then turn on only what is truly needed.

> Bearing in mind that I'm still relatively new to this, and that I'm having trouble bridging the gap between the way security should be done, and actually implementing it, I'd appreciate any advice and help.

Start by playing with whatever non-production equipment you can. Don't just look at normal operations but failure modes as well. I know of at least one AV solution, for email, that will pass all messages if the quarantine area gets full. As MJR has pointed out, the best firewall is no network connection. Think about what you want to accomplish with the network connection and then configure appropriately.

> Thanks for reading,
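As an added illustration of the two points made in this reply (deny everything by default, and peer hosts on the same LAN having no need to reach each other's ftp/telnet/ssh/snmp services), here is a per-host ipfilter ruleset in ipf.conf syntax. It is not from the thread or the ipfilter project; the interface name hme0, this host's address 10.1.1.10 on server LAN 10.1.1.0/24, the admin LAN 10.1.2.0/24, and the DNS/NTP server addresses are assumed placeholders.

```conf
# Added example: deny-by-default ipfilter ruleset for one Solaris host.
# Assumed placeholders: interface hme0, this host 10.1.1.10 on server LAN
# 10.1.1.0/24, admin LAN 10.1.2.0/24, DNS at 10.1.2.53, NTP at 10.1.2.123.

# Default stance: drop and log anything no later rule explicitly passes.
# Rules without "quick" use last-match semantics, so these two only win
# when nothing below matched the packet.
block in log all
block out log all

# Loopback is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# Drop packets arriving on the wire that claim to be from this host or
# from the loopback range; they are spoofed by definition.
block in log quick on hme0 from 10.1.1.10 to any
block in log quick on hme0 from 127.0.0.0/8 to any

# Peer servers on the same LAN have no business reaching this host's
# admin services. Default deny would drop these anyway; logging them
# explicitly makes a misbehaving neighbour visible in ipmon output.
block in log quick on hme0 proto tcp from 10.1.1.0/24 to 10.1.1.10 port = 21
block in log quick on hme0 proto tcp from 10.1.1.0/24 to 10.1.1.10 port = 22
block in log quick on hme0 proto tcp from 10.1.1.0/24 to 10.1.1.10 port = 23
block in log quick on hme0 proto udp from 10.1.1.0/24 to 10.1.1.10 port = 161

# The one service this host exists to provide (HTTPS here), stateful:
# only the initial SYN has to match; replies ride on the state entry.
pass in quick on hme0 proto tcp from any to 10.1.1.10 port = 443 flags S keep state

# Management (ssh) only from the admin LAN, also stateful.
pass in quick on hme0 proto tcp from 10.1.2.0/24 to 10.1.1.10 port = 22 flags S keep state

# Outbound: the host may initiate only DNS and NTP, to known servers.
pass out quick on hme0 proto udp from 10.1.1.10 to 10.1.2.53 port = 53 keep state
pass out quick on hme0 proto udp from 10.1.1.10 to 10.1.2.123 port = 123 keep state
```

Load the file with `ipf -Fa -f <file>` and watch per-rule hit counts with `ipfstat -hio` while exercising the host's normal traffic, so that anything the default-deny rules are eating shows up before the ruleset goes near production.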
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards