Firewall Wizards mailing list archives

RE: Host based vs network firewall in datacenter


From: "Rik Schneider" <riks () wni com>
Date: Fri, 10 Jun 2005 16:08:05 -0500


From: Zurek, Patrick - Tuesday, June 07, 2005 12:34 PM
To: firewall-wizards () honor icsalabs com


These are the options as I see them:
1) Wide open - keep the hosts locked down tight and keep open services
to a minimum.
2) Host based firewall - put ipf on the hosts
3) Network firewall behind the router - ???

You forgot to mention:
4) Do both 2 and 3 above.
3 alone is like an M&M - hard and crunchy on the outside, soft and tasty
on the inside.  If you can only do one or the other #2 is where I would
start.  Remember that the hosts likely have no need to
ftp/telnet/ssh/http/snmp/etc to/from each other. 

1) Does not seem feasible to continue to operate this way.

I agree.  

2) As a short term measure I have applied ipfilter on several of our
non-production hosts.  My manager has begun to advocate putting it on all
production systems now (about 15 hosts).  At first I thought this would be
a bad idea, as a network firewall would ease administration and having
to administer separate rule sets for each server would be unwieldy.
However, after reading the opinions of certain members of the list,
I'm at a loss as to how to proceed.  I don't want to purchase something like:

"- Some of the products we're buying simply don't work
- Some of the products we're buying aren't being used
        properly
- There is no correlation between cost and effectiveness
        of security products"

as MJR said last week.  I'm interested in using the right tool for the
job.  Is ipf on a production Sun 15k a good idea?

IPF works well but depending on your support requirements you may need
to look at a commercial solution.  If you are using Solaris 8 or 9 and
are under sun support you may want to look at Sunscreen Lite but I still
prefer ipfilter. 

3) This option is good because it will allow us to apply stateless
ACLs at the gateway and centralize the management of firewall
functions.

There are many solutions for this, some as simple as putting a BSD (or
Linux or ...) box up as a bridge and again using IPF for packet
filtering to buying one of the many appliances.  Bear in mind that the
stance should be to deny everything by default and then turn on only
what is truly needed.  

Bearing in mind that I'm still relatively new to this, and that I'm
having trouble bridging the gap between the way security should be
done, and actually implementing it, I'd appreciate any advice and help.

Start by playing with whatever non-production equipment you can.  Don't
just look at normal operations but failure modes as well.  I know of at
least one AV solution, for email, that will pass all messages if the
quarantine area gets full.

As MJR has pointed out the best firewall is no network connection.
Think about what you want to accomplish with the network connection and
then configure appropriately.  

Thanks for reading,

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
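An added illustration, not part of the list exchange above and not Rik's or Patrick's code: a minimal IPFilter (ipf) ruleset for one datacenter host, written the way the reply recommends for option 2 (deny everything by default, pass only what the host truly needs, and refuse ftp/telnet/ssh/snmp between peer hosts). Every address and interface name is an assumed placeholder: interface ce0, host 192.0.2.10, datacenter subnet 192.0.2.0/24, an admin jump host 198.51.100.5 and a DNS/NTP server 203.0.113.53 (all from the RFC 5737 documentation ranges).

```ipf
# Added example, not from the list post. Placeholder addresses and
# interface only; adjust to the real host before loading.
# ipf evaluates every rule and the LAST match wins, unless a rule
# carries "quick", which stops evaluation at that rule.

# ---- defaults: drop and log everything not explicitly passed ----
block in log all
block out log all

# loopback traffic is always allowed
pass in quick on lo0 all
pass out quick on lo0 all

# ---- inbound: only the service this host actually provides ----
# "flags S" accepts only connection-opening packets; "keep state" lets
# the rest of the established connection through with no further rules.
pass in quick on ce0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state

# ssh only from the admin jump host, never from peer hosts on the subnet
pass in quick on ce0 proto tcp from 198.51.100.5 to 192.0.2.10 port = 22 flags S keep state

# ---- lateral management traffic from peer hosts is refused explicitly ----
# The default "block in log all" would drop these anyway; these rules
# answer with a RST so a misconfigured peer fails fast instead of hanging,
# and the log entries show which peer is trying to reach what.
block return-rst in log quick on ce0 proto tcp from 192.0.2.0/24 to any port = 21
block return-rst in log quick on ce0 proto tcp from 192.0.2.0/24 to any port = 22
block return-rst in log quick on ce0 proto tcp from 192.0.2.0/24 to any port = 23
block in log quick on ce0 proto udp from 192.0.2.0/24 to any port = 161

# ---- outbound: only what the host needs to function ----
# DNS (UDP and TCP) and NTP to the placeholder infrastructure server
pass out quick on ce0 proto udp from 192.0.2.10 to 203.0.113.53 port = 53 keep state
pass out quick on ce0 proto tcp from 192.0.2.10 to 203.0.113.53 port = 53 flags S keep state
pass out quick on ce0 proto udp from 192.0.2.10 to 203.0.113.53 port = 123 keep state

# ---- ICMP: let path-MTU "fragmentation needed" messages reach us ----
pass in quick on ce0 proto icmp from any to 192.0.2.10 icmp-type unreach code 4
```

The two leading `block ... log all` lines are what make the ruleset fail closed: anything the later rules do not name, including a service someone enables on the host next year, is dropped and logged rather than silently allowed. On a Solaris host with the ipfilter package the file is conventionally loaded with `ipf -Fa -f <path to ipf.conf>` (the path differs between the add-on package and later Solaris releases, so treat it as an assumption), and `ipfstat -io` lists the rules actually in effect, which is worth checking on a non-production box first, as the reply suggests, before touching the production hosts.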

