Security Basics mailing list archives
Re: Distributed Firewall
From: Joerg Over <over () dexia de>
Date: Wed, 23 Apr 2003 20:00:55 +0200
Am 15:12 23.04.2003 +0100 teilte Kendric mir folgendes mit: ->Hi, just wondering if any of you guys heard of this concept of distributed ->firewall? I have done some research on it and found it to be quite a ->wonderful concept into bringing the firewall platform to each client/server ->end with a central management policy. In other words, it is like having a ->personal firewall on each individual machine, but centrally managed by a ->remote management console. In this way, we will not have to put any trust ->even on the machines on the intranet. Any comments? I just evaluated NICs with embedded firewall for our company, with which a hardware based distributed fw can be made/managed. It so very much depending on the environment you're deploying them that it's hard to generally tell what use those are, but some things should be considered: As for sniffing prevention/egress filtering: IMHO on that topic they're almost useless. You can always get around them by just plugging in another NIC (if you have admin rights on the station) or just plug the cable into a laptop you bring in, and egress filtering and sniffing prevention are gone. Similar is valid for software pfws. To enforce egress filtering even in that setting, you could use routers and switches with a tight policy on mac adresses and/or vlans, but then again that can be circumvented (setting the ip/mac on the adapter, other ways of circumventing vlans, arp spoofing et al), and if it couldn't, that strict environment alone would be sufficient; no need for the nics then. As for ingress filtering: In this situation a distributed fw can be very powerful. Insofar as ingress filtering mainly protects the filtered station it's valuable, but not what you intended. In summary I'd believe that if you don't trust your intranet, don't trust it. Meaning: protect your servers (or, generally, valuable systems under your control) and watch for intrusions. I wouldn't know a way to force that trust into an intranet in a way that the (imo rather minor) improvement on the security end isn't outweighed by the administrative overhead. This, of course, IMHO and YMMV, and one can easily imagine a surrounding where every bit of improved security counts enough to warrant the work, or where more physical security enforces the use of the firewall on the station end. hth, jo --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-security-basics ----------------------------------------------------------------------------
Current thread:
- RE: Distributed Firewall, (continued)
- RE: Distributed Firewall David Gillett (Apr 24)
- Re: Distributed Firewall Kendric (Apr 24)
- Re: Distributed Firewall Hannes Tschofenig (Apr 24)
- RE: Distributed Firewall A Packard (Bugtraq) (Apr 24)
- RE: Distributed Firewall Ken Kousky (Apr 25)
- Re: Distributed Firewall Shadow (Apr 24)
- Re: Distributed Firewall Kendric (Apr 24)
- RE: Distributed Firewall Jared Valentine (Apr 25)
- RE: Distributed Firewall Conor F. Sibley (Apr 24)
- Re: Distributed Firewall Marcelo Olguin (Apr 24)
- Re: Distributed Firewall Joerg Over (Apr 24)
- Re: Distributed Firewall Hannes Tschofenig (Apr 24)
- RE: Distributed Firewall Chris Peden (Apr 25)
- RE: Distributed Firewall JAVIER OTERO (Apr 28)
- RE: Distributed Firewall Seth Knox (Apr 28)
- RE: Distributed Firewall David Gillett (Apr 24)