Firewall Wizards mailing list archives

Re: Firewall Placement Question

From: "Dan Lynch" <DLynch () placer ca gov>
Date: Thu, 21 Feb 2008 15:19:04 -0800

If it were mine, I'd segment the h*ll out of the networks with stateful
firewalls, and find a NAC solution stat. 

Divide your user community into at least two layers and segregate. All
students, dorms, unsecured jacks, wireless networks, etc. belong
together. Protecting one from another with IPS seems appropriate to
contain outbreaks. More or less trusted systems (over which you might
have better control of configs, patches, anti-virus, user behavior)
belong segregated from students. Especially if those systems are used to
connect to high-value apps. Use NAC to determine trusted from untrusted
workstations on unsecured jacks (meeting rooms, classrooms, etc.)

Your server environment could probably use at least three layers as
well. Hang internet-accessible servers off one firewall leg, hang
general purpose academic servers off another, and finally segregate
high-value servers (student records, financials, accounting, etc.) from
all of them. 

The inverted rules might make sense in your environment, but only for
connections outbound to the internet. Sure it's higher risk, but I think
students expect the campus network to be generally wide open internet
access. A transparent HTTP proxy running anti-virus might be useful. 
Connections from any user segment to any other, and inbound to any
server segment should be carefully restricted.

Yes MS apps can be a pain, but really only where they use RPC -- that
is, within a single AD domain. Dividing MS servers into domains that
more or less match firewall segregations makes things easier. 

Best of luck,

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com 
[mailto:firewall-wizards-bounces () listserv icsalabs com] On 
Behalf Of jason () tacorp com
Sent: Wednesday, February 20, 2008 6:37 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Firewall Placement Question

I would like to hear some thoughts on the placement of a 
firewall.  My intent isn't to start a flame but to debate the 
usefulness of two technologies inside the network firewall vs. IPS's.

The network which I manage is a university network that 
hasn't been looked after very well with regards to security 
and access control.  Right now there is a head end firewall 
that's 'inverted' as we say - that is we allow everything and 
just block a few things.

Between buildings we block a few ports on the l3 switches to 
'contain outbreaks'.

There are three major problems which we are trying to address 
separetely.

1.  The Residence Halls are on the inside of the network.  
They are coming off this summer.

2.  Wireless users are on the inside of the network.  We are 
building a 'guest wireless' system that will be live this 
summer as well.

3. There are open network jacks all around campus and no kind 
of NAC in place.  This isn't being addressed yet.

Also being a university we have a hard time trusting our 
users and enforcing anti-virus installations and patching.

Recently there has been a push to install a transparent 
firewall in front of the server farm.  This is being done 
using a context on our firewall services module that protects 
(be it poorly) the border at the internet. 
However both the server network and internet border are being 
scanned by an IPS.

The question is: given that we are working to take 
historically abusive users off the network, is it really 
worth the time to install a firewall in front of the servers 
or just use the IPS?

I wonder about the labor required to pull this off for almost 
200 servers (and Microsoft applications are a bitch).  I fear 
it will be hell to manage all the excpetions, ie. one user in 
a different building needs access to a few administrative 
ports.  Not to mention that after it's done we'll spend days 
trying to work out the bugs of things that 'should just work' 
and effects of application upgrades that change ports.

Lastly, is anyone doing any kind of filtering inside the 
network or is only done at the border?

Thoughts?

Regards,
Jason Mishka
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: syslog and network management, (continued)
- - - Re: syslog and network management Brian Loe (Feb 25)
    - Re: syslog and network management david (Feb 27)
    - Re: syslog and network management ArkanoiD (Feb 29)
    - Re: syslog and network management Timothy Shea (Feb 29)
    - Re: syslog and network management Alejandro Ezequiel Fernández Preda (Feb 21)
    - Re: syslog and network management Dave Piscitello (Feb 22)
    - Re: syslog and network management Brian Loe (Feb 22)
    - Re: syslog and network management Brian Loe (Feb 22)
  - Firewall Placement Question jason (Feb 21)
    - Re: Firewall Placement Question Aniket S. Amdekar (Feb 22)
    - Re: Firewall Placement Question Dan Lynch (Feb 22)
    - Re: Firewall Placement Question firewallwizards (Feb 22)
    - Re: Firewall Placement Question J. Oquendo (Feb 22)
    - Re: Firewall Placement Question Marcus J. Ranum (Feb 22)
    - Re: Firewall Placement Question Richard Golodner (Feb 22)
    - Re: Firewall Placement Question Darden, Patrick S. (Feb 22)
    - Re: Firewall Placement Question Dale W. Carder (Feb 22)