Security Basics mailing list archives

Re: [OT ish] Router vs Firewall - corporate environment


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Thu, 04 Feb 2010 17:08:12 -0500

Hey Martin,


On Tue, 2010-02-02 at 13:38 +0000, martin wrote:

> We're in the process of planning to split up our corporate network -
> ie, a subnet for servers, one for users, one for admins etc etc.

<snip>

> Now a debate has started over whether we should use the router to
> split up our network, or whether we should go to the extra expense of
> buying a firewall to do this.

First off, kudos on deciding to segment out the internal network based
on security zones. This will make it much easier to detect/contain
malware if a system gets whacked.

> As I understand it, if I send a request
> from subnet 1 to subnet 2 on port 80, the source port (is over 1024)
> would have to be open for the reply to come back from subnet 2 to
> subnet 1.  However, as firewalls are stateful, they do not require
> this - I would just need to open port 80 to subnet 2.

Sort of. A stateful firewall still needs that return port opened; it
just does it for you automatically. With a static set of rules you will
need to permit all ACK traffic above 1023, all of the time. Stateful
only opens the socket when an outbound request is actually active.

So, for example, an nmap '-sA' scan will blow right through the router.
It should not be able to get past a good stateful firewall setup.

> Apart from the greater logging capabilities, this is the only reason I
> can come up with to use a firewall.

First off, the logging is pretty major. Cisco routers rate limit their
logging, so you never actually see all the traffic. Further, they can
generate log irregularities. For example, you'll find that all of your
ICMP traffic looks like Echo-Replies unless you define rules for every
single type/code.

> Does anybody have any additional
> suggestions as to why we should use a firewall ?

More secure posture, better control of complex apps (FTP, VoIP, etc.),
etc. etc. Think of all the reasons why people do not trust routers as
their only line of defense and you'll get the idea.

> Or likewise, why a firewall might not be necessary.

These days you need to plan on malware getting past your perimeter and
take steps to mitigate/contain/detect when possible. If you are running
NAC, HIPS or app control, that will take up much of the slack.

As for a specific recommendation, can't say for sure. Don't know what
other security steps you've taken, what business you are in, how much
risk you can live with, etc. etc. It's like trying to figure out where a
puzzle piece goes without having the rest of the puzzle to look at. ;-)

HTH,
Chris
-- 
www.chrisbrenton.org
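The point Chris makes about the "permit all ACK traffic above 1023" rule versus a stateful filter is easy to see with a small model. The following is an added example, not code from the thread or from any vendor: it models a static router ACL in the style of a Cisco "established" rule set (which matches any TCP segment with the ACK or RST bit set) next to a minimal connection tracker that only admits return traffic for flows it saw opened by a permitted outbound SYN. The subnets (10.1.0.0/24 as the user subnet, 10.2.0.0/24 as the server subnet), the ports and the packet list are all constructed for the demonstration; the fourth packet is the unsolicited bare ACK an nmap -sA probe would send.

```python
"""
Stateless ACL vs. stateful filter, side by side.

Constructed example: the same six TCP segments are evaluated by a static
router ACL and by a tiny connection tracker, to show which design passes
an unsolicited ACK (nmap -sA) and a reply to a request that never happened.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

USERS = ip_network("10.1.0.0/24")      # assumed "subnet 1" (users)
SERVERS = ip_network("10.2.0.0/24")    # assumed "subnet 2" (servers)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def in_net(addr, net):
    return ip_address(addr) in net


def stateless_acl(pkt):
    """Static router ACL, equivalent to the classic IOS-style rule set:
         permit tcp USERS SERVERS eq 80
         permit tcp SERVERS USERS gt 1023 established   # ACK or RST set
         deny ip any any
    The second line is the "permit all ACK traffic above 1023, all of the
    time" rule, and it cannot tell a real reply from a forged ACK."""
    if in_net(pkt.src, USERS) and in_net(pkt.dst, SERVERS) and pkt.dport == 80:
        return True
    if (in_net(pkt.src, SERVERS) and in_net(pkt.dst, USERS)
            and pkt.dport > 1023 and pkt.flags & {"ACK", "RST"}):
        return True
    return False


class StatefulFilter:
    """Minimal connection tracker: the only policy rule is 'users may open
    TCP/80 to servers'; everything else must belong to a tracked flow."""

    def __init__(self):
        self.flows = set()  # (client, cport, server, sport) for open flows

    def allow(self, pkt):
        if pkt.flags == {"SYN"}:
            # A new connection is admitted only if policy permits it, and
            # that admission is what creates the state for the replies.
            if in_net(pkt.src, USERS) and in_net(pkt.dst, SERVERS) and pkt.dport == 80:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            if pkt.flags & {"RST", "FIN"}:
                # Teardown closes the hole again; keep FIN/RST itself.
                self.flows.discard(forward)
                self.flows.discard(reverse)
            return True
        return False  # unsolicited segment, no matching flow


# Constructed traffic; addresses and ports are made up for the example.
TRAFFIC = [
    ("user SYN to web server",        Packet("10.1.0.5", 40001, "10.2.0.10", 80, frozenset({"SYN"}))),
    ("server SYN/ACK reply",          Packet("10.2.0.10", 80, "10.1.0.5", 40001, frozenset({"SYN", "ACK"}))),
    ("user ACK completing handshake", Packet("10.1.0.5", 40001, "10.2.0.10", 80, frozenset({"ACK"}))),
    ("nmap -sA probe from servers",   Packet("10.2.0.10", 31337, "10.1.0.5", 40002, frozenset({"ACK"}))),
    ("unsolicited SYN/ACK to user",   Packet("10.2.0.10", 80, "10.1.0.5", 40003, frozenset({"SYN", "ACK"}))),
    ("server SYN to user SMB port",   Packet("10.2.0.10", 31337, "10.1.0.5", 445, frozenset({"SYN"}))),
]


def run_demo():
    """Return (label, passed_static_acl, passed_stateful) for each segment."""
    stateful = StatefulFilter()
    return [(label, stateless_acl(p), stateful.allow(p)) for label, p in TRAFFIC]


if __name__ == "__main__":
    print(f"{'segment':32} {'router ACL':>10} {'stateful':>9}")
    for label, static_ok, stateful_ok in run_demo():
        print(f"{label:32} {str(static_ok):>10} {str(stateful_ok):>9}")
```

Running it shows the legitimate three-way handshake passing both filters, while the bare ACK probe and the never-requested SYN/ACK sail through the static ACL and are dropped by the tracker. The tracker here keys only on addresses and ports; a real stateful firewall also checks sequence numbers and flag transitions, which is why "a good stateful firewall setup" matters in Chris's wording.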



