Firewall Wizards mailing list archives
Re: Protecting a datacentre with a firewall
From: Jeffery.Gieser () minnesotamutual com
Date: Fri, 2 May 2003 16:29:06 -0500
Lazlo,

To answer your question about whether companies are doing this, I think most companies are doing this already. Any enterprise-level firewall, be it a Cisco PIX, Checkpoint Firewall-1, Secure Computing Sidewinder, etcetera, should be able to handle this as long as you size the hardware and number of firewalls appropriately. Run a network sniffer to get a good idea of what kind of traffic you are going to have to allow and develop a policy for your PIX that covers that traffic. I suspect that no matter how well you plan this, when you switch over to firewalling your WAN you will have some stuff that does not work. You should be able to use a network sniffer to determine what traffic is not working and create rules for that traffic. I have done similar projects and it ends up being a lot of documentation.

Regards,
Jeffery Gieser

LazloCarreidas () netscape net (Lazló Carreidas)
Sent by: firewall-wizards-admin@honor.icsalabs.com
05/02/2003 03:07 PM
To: firewall-wizards () honor icsalabs com
cc:
Subject: [fw-wiz] Protecting a datacentre with a firewall

Hi Wizards

I am working for a multinational company. Our IT management is worried that somebody could abuse our WAN infrastructure and use it to attack our servers in the Headquarters (we have centralised here core business systems, and so they are used from everywhere in the world). Therefore, they have asked us (the security unit) to study and plan the installation of a firewall (most certainly a Cisco PIX) cluster (for failover) that would "isolate" the datacentre (about 150 servers running different flavours of Windows, NetWare, UNIX and OS/400) from the rest of the network infrastructure. I already know that it would be quite difficult. For example, we would need to get rid of all legacy protocols other than IP (IPX, SNA and NetBIOS for sure), have to document every address and port needed to be accessed by the users, etc...

The main concern of our colleagues in the network unit is that we would need to span all the traffic to one (or maybe a bit more) interface on the firewall, which would maybe overload the core switch. There would also be latency issues, etc... Our main concern is of course the management of this firewall, due to the huge number of systems involved. We would like to know your opinion on this subject, if somebody did that already, if there would be better ways (ACLs on routers and switches, for example), if choosing a PIX is a good idea (performance, for example) and even if it is feasible...

Thank you for your input
Lazló

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
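The workflow Jeffery describes (sniff the WAN-to-datacentre traffic, turn it into a PIX policy, cut over, then turn whatever the firewall now denies into the rules that were missed) is mechanical enough to script. The example below is added here for illustration; it is not code from the thread or from Cisco. The one-flow-per-line sniffer summary, the interface names "wan" and "dc", the ACL name "wan_in" and the /24 collapse threshold are all assumptions, and the deny lines are constructed to follow the shape of PIX syslog message 106023.

```python
"""Turn a sniffer summary into a first-cut PIX access-list, then turn post-cutover
PIX denies into the rules that are still missing. Added example for this page; it
is not code from the thread. The sniffer line format, the interface names and the
ACL name "wan_in" are assumptions."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

ACL_NAME = "wan_in"  # assumed name for the ACL applied inbound on the WAN interface

# Constructed sniffer summary, one flow per line: proto src[:sport] -> dst[:dport].
SAMPLE_FLOWS = """\
tcp 10.20.1.15:49152 -> 10.1.0.10:445
tcp 10.20.1.15:49153 -> 10.1.0.10:445
tcp 10.20.1.22:3301 -> 10.1.0.10:445
tcp 10.20.1.40:3302 -> 10.1.0.10:445
tcp 10.20.1.15:49160 -> 10.1.0.20:1433
udp 10.20.1.15:1025 -> 10.1.0.5:53
udp 10.20.1.22:1026 -> 10.1.0.5:53
icmp 10.20.1.15 -> 10.1.0.10
"""

# Constructed syslog lines logged after cutover; the shape follows PIX message
# 106023 ("Deny ... by access-group"), but addresses and interfaces are invented.
SAMPLE_DENIES = """\
%PIX-4-106023: Deny tcp src wan:10.20.2.7/4100 dst dc:10.1.0.30/23 by access-group "wan_in"
%PIX-4-106023: Deny udp src wan:10.20.1.15/1027 dst dc:10.1.0.5/123 by access-group "wan_in"
%PIX-4-106023: Deny tcp src wan:10.20.2.7/4101 dst dc:10.1.0.30/23 by access-group "wan_in"
"""

DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp|icmp) src \w+:(?P<src>[\d.]+)(?:/\d+)?"
    r" dst \w+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def parse_flows(text):
    """Return (proto, src_ip, dst_ip, dport) tuples; dport is None for icmp.
    The client's source port is ephemeral and is deliberately dropped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, _arrow, dst = line.split()
        src_ip = src.partition(":")[0]
        dst_ip, _, dport = dst.partition(":")
        ip_address(src_ip), ip_address(dst_ip)  # raise on garbage input
        flows.append((proto, src_ip, dst_ip, dport or None))
    return flows


def parse_denies(text):
    """Extract the same tuples from PIX 106023 deny lines."""
    return [(m["proto"], m["src"], m["dst"], m["dport"])
            for m in map(DENY_RE.search, text.splitlines()) if m]


def build_policy(flows, collapse_threshold=3):
    """Group sources per (proto, dst, dport). When at least collapse_threshold
    distinct hosts from one /24 use the same service, permit that /24; otherwise
    keep one host entry per source so the policy stays as tight as the evidence."""
    by_service = defaultdict(set)
    for proto, src, dst, dport in flows:
        by_service[(proto, dst, dport)].add(src)
    rules = []
    for (proto, dst, dport), sources in by_service.items():
        by_net = defaultdict(set)
        for src in sources:
            by_net[ip_network(f"{src}/24", strict=False)].add(src)
        for net, hosts in by_net.items():
            if len(hosts) >= collapse_threshold:
                rules.append((proto, f"{net.network_address} {net.netmask}", dst, dport))
            else:
                rules.extend((proto, f"host {h}", dst, dport) for h in hosts)
    return sorted(rules, key=lambda r: (r[0], r[2], r[3] or "", r[1]))


def render_pix(rules, acl=ACL_NAME):
    """PIX 6.x access-list syntax: permit proto src mask dst mask [eq port]."""
    lines = []
    for proto, src_spec, dst, dport in rules:
        line = f"access-list {acl} permit {proto} {src_spec} host {dst}"
        if dport:
            line += f" eq {dport}"
        lines.append(line)
    return lines


def rules_added_by_denies(flow_text, deny_text, collapse_threshold=3):
    """Rebuild the policy with the denied flows included and return only the
    access-list lines that were not in the sniffer-based policy."""
    before = set(build_policy(parse_flows(flow_text), collapse_threshold))
    after = build_policy(parse_flows(flow_text) + parse_denies(deny_text), collapse_threshold)
    return render_pix([r for r in after if r not in before])


if __name__ == "__main__":
    print("\n".join(render_pix(build_policy(parse_flows(SAMPLE_FLOWS)))))
    print("! after cutover, rules the denies say are missing:")
    print("\n".join(rules_added_by_denies(SAMPLE_FLOWS, SAMPLE_DENIES)))
```

The output is a starting point for review, not a policy to paste in: every collapsed /24 should be checked against who actually needs the service, and each rule generated from a deny line is exactly the "stuff that does not work" the reply warns about, so it deserves a human decision before it is added. The script drops source ports and never widens a rule beyond a /24, which keeps the generated list close to what was observed.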
Current thread:
- Protecting a datacentre with a firewall Lazló Carreidas (May 02)
- Re: Protecting a datacentre with a firewall mag (May 03)
- Re: Protecting a datacentre with a firewall Mikael Olsson (May 03)
- Re: Protecting a datacentre with a firewall mag (May 04)
- Re: Protecting a datacentre with a firewall Chuck Swiger (May 04)
- Re: Protecting a datacentre with a firewall Mikael Olsson (May 04)
- Re: Protecting a datacentre with a firewall Mikael Olsson (May 03)
- Re: Protecting a datacentre with a firewall mag (May 03)
- <Possible follow-ups>
- Re: Protecting a datacentre with a firewall Jeffery . Gieser (May 03)
- Re: Protecting a datacentre with a firewall Bill Royds (May 03)