Firewall Wizards mailing list archives
Re: Firewall Placement Question
From: "Dan Lynch" <DLynch () placer ca gov>
Date: Thu, 21 Feb 2008 15:19:04 -0800
If it were mine, I'd segment the h*ll out of the networks with stateful firewalls, and find a NAC solution stat.

Divide your user community into at least two layers and segregate. All students, dorms, unsecured jacks, wireless networks, etc. belong together. Protecting one from another with IPS seems appropriate to contain outbreaks. More or less trusted systems (over which you might have better control of configs, patches, anti-virus, user behavior) belong segregated from students. Especially if those systems are used to connect to high-value apps. Use NAC to determine trusted from untrusted workstations on unsecured jacks (meeting rooms, classrooms, etc.).

Your server environment could probably use at least three layers as well. Hang internet-accessible servers off one firewall leg, hang general purpose academic servers off another, and finally segregate high-value servers (student records, financials, accounting, etc.) from all of them.

The inverted rules might make sense in your environment, but only for connections outbound to the internet. Sure it's higher risk, but I think students expect the campus network to be generally wide open internet access. A transparent HTTP proxy running anti-virus might be useful. Connections from any user segment to any other, and inbound to any server segment, should be carefully restricted.

Yes, MS apps can be a pain, but really only where they use RPC -- that is, within a single AD domain. Dividing MS servers into domains that more or less match firewall segregations makes things easier.

Best of luck,
- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
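The segmentation Dan lays out, expressed as a small default-deny zone policy in Python. This is an added example, not code from the thread or from any product mentioned in it; the zone names, address ranges, ports and the pinned exception host are constructed assumptions. Only the outbound-to-internet rules are "inverted" (any port); `overly_broad` flags the two things the reply warns against, an any-port rule toward anything but the internet and the internet reaching any leg other than the DMZ.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Segments from the reply above; address ranges are constructed for this example.
ZONES = {
    "students": ip_network("10.10.0.0/16"),   # dorms, wireless, open jacks
    "staff": ip_network("10.20.0.0/16"),      # managed workstations
    "dmz": ip_network("192.0.2.0/24"),        # internet-accessible servers
    "academic": ip_network("10.30.0.0/24"),   # general purpose academic servers
    "highvalue": ip_network("10.40.0.0/24"),  # student records, financials
}
INTERNET = "internet"  # any address outside the known segments

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), INTERNET)

@dataclass(frozen=True)
class Rule:
    src: str                         # source zone
    dst: str                         # destination zone
    dport: Optional[int] = None      # None = any port
    src_host: Optional[str] = None   # pin an exception to one host

# Constructed rule set: inverted only outbound; narrow allows elsewhere.
ALLOW = [
    Rule("students", INTERNET),
    Rule("staff", INTERNET),
    Rule(INTERNET, "dmz", 443),                 # published web service
    Rule("staff", "academic", 445),             # file shares
    Rule("staff", "highvalue", 443),            # records web front end
    Rule("academic", "highvalue", 1433, src_host="10.30.0.12"),  # one-host exception
]

def permitted(src_ip: str, dst_ip: str, dport: int) -> bool:
    # Default deny across segments. Traffic inside one segment never crosses
    # the firewall, so it is reported as permitted (IPS covers that case).
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s == d and s != INTERNET:
        return True
    return any(r.src == s and r.dst == d
               and r.dport in (None, dport)
               and r.src_host in (None, src_ip) for r in ALLOW)

def overly_broad(rules=ALLOW) -> list:
    # Any-port rules not aimed at the internet, or internet reaching non-DMZ.
    return [r for r in rules
            if (r.dport is None and r.dst != INTERNET)
            or (r.src == INTERNET and r.dst != "dmz")]
```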
-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of jason () tacorp com
Sent: Wednesday, February 20, 2008 6:37 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Firewall Placement Question

I would like to hear some thoughts on the placement of a firewall. My intent isn't to start a flame but to debate the usefulness of two technologies inside the network: firewall vs. IPS's.

The network which I manage is a university network that hasn't been looked after very well with regards to security and access control. Right now there is a head end firewall that's 'inverted' as we say - that is, we allow everything and just block a few things. Between buildings we block a few ports on the L3 switches to 'contain outbreaks'. There are three major problems which we are trying to address separately.

1. The Residence Halls are on the inside of the network. They are coming off this summer.
2. Wireless users are on the inside of the network. We are building a 'guest wireless' system that will be live this summer as well.
3. There are open network jacks all around campus and no kind of NAC in place. This isn't being addressed yet.

Also, being a university, we have a hard time trusting our users and enforcing anti-virus installations and patching.

Recently there has been a push to install a transparent firewall in front of the server farm. This is being done using a context on our firewall services module that protects (be it poorly) the border at the internet. However, both the server network and internet border are being scanned by an IPS.

The question is: given that we are working to take historically abusive users off the network, is it really worth the time to install a firewall in front of the servers or just use the IPS? I wonder about the labor required to pull this off for almost 200 servers (and Microsoft applications are a bitch).

I fear it will be hell to manage all the exceptions, i.e. one user in a different building needs access to a few administrative ports. Not to mention that after it's done we'll spend days trying to work out the bugs of things that 'should just work' and the effects of application upgrades that change ports.

Lastly, is anyone doing any kind of filtering inside the network or is it only done at the border?

Thoughts?

Regards,
Jason Mishka

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards