Firewall Wizards mailing list archives

Re: Firewall Placement Question


From: "Richard Golodner" <rgolodner () infratection com>
Date: Thu, 21 Feb 2008 17:43:17 -0600

        Jason, working out the bugs has always been part of the trip. There
is always going to be something that does not work and it may take a campus
full of people for the IT staff to hear about some of the things. 
        I think there are smarter people on this list who could answer the
firewall placement question than I can, but here is what I think.
        I would do something about the open network jacks and determine
where in the switching fabric they reside and then put some kind of security
on them. Layer 2 or MAC address filtering, or Layer 3 ACLs on the switch to
keep some semblance of order.
        Would it be possible to build a large network, subnetted for the
residence halls where you can give permission to those individuals who need
special access? I am just thinking off the top of my head here, but I would
definitely address those jacks as someone could come in and possibly ruin
your network without ever leaving much of a trail especially if they are
spitting out DHCP addresses.
        Just some food for thought, best of luck and success to you and your
team.

      most sincerely, Richard Golodner
      
-----Original Message-----
From: firewall-wizards-bounces () listserv cybertrust com
[mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of
jason () tacorp com
Sent: Wednesday, February 20, 2008 8:37 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Firewall Placement Question

I would like to hear some thoughts on the placement of a firewall.  My 
intent isn't to start a flame but to debate the usefulness of two 
technologies inside the network firewall vs. IPS's.

The network which I manage is a university network that hasn't been looked 
after very well with regards to security and access control.  Right now 
there is a head end firewall that's 'inverted' as we say - that is we 
allow everything and just block a few things.

Between buildings we block a few ports on the l3 switches to 'contain 
outbreaks'.

There are three major problems which we are trying to address separately.

1.  The Residence Halls are on the inside of the network.  They are coming 
off this summer.

2.  Wireless users are on the inside of the network.  We are building a 
'guest wireless' system that will be live this summer as well.

3. There are open network jacks all around campus and no kind of NAC in 
place.  This isn't being addressed yet.

Also being a university we have a hard time trusting our users and 
enforcing anti-virus installations and patching.

Recently there has been a push to install a transparent firewall in front 
of the server farm.  This is being done using a context on our firewall 
services module that protects (be it poorly) the border at the internet. 
However both the server network and internet border are being scanned by 
an IPS.

The question is: given that we are working to take historically abusive 
users off the network, is it really worth the time to install a firewall 
in front of the servers or just use the IPS?

I wonder about the labor required to pull this off for almost 200 servers 
(and Microsoft applications are a bitch).  I fear it will be hell to 
manage all the exceptions, i.e. one user in a different building needs 
access to a few administrative ports.  Not to mention that after it's done 
we'll spend days trying to work out the bugs of things that 'should just 
work' and effects of application upgrades that change ports.

Lastly, is anyone doing any kind of filtering inside the network or is 
only done at the border?

Thoughts?

Regards,
Jason Mishka
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
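Richard's concern above about someone on an open jack "spitting out DHCP addresses" is something a defender can check for on the wire. The following is an added example, not code from either poster: it parses DHCPOFFER payloads and flags any server identifier that is not on an assumed allowlist of the campus DHCP servers (the addresses and packets are constructed for the test).

```python
import socket
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"  # cookie after the fixed 236-byte BOOTP header
DHCPOFFER = 2                     # option 53 value for a DHCPOFFER
# Assumed allowlist of the campus's legitimate DHCP servers (constructed values).
AUTHORIZED_DHCP_SERVERS = {"10.0.0.2", "10.0.0.3"}

def build_offer(server_ip: str, offered_ip: str) -> bytes:
    """Construct a minimal DHCPOFFER payload (synthetic test data, not captured traffic)."""
    header = bytes([2, 1, 6, 0])                        # op=BOOTREPLY, htype, hlen, hops
    header += b"\x12\x34\x56\x78" + b"\0" * 4           # xid, secs, flags
    header += b"\0" * 4 + socket.inet_aton(offered_ip)  # ciaddr, yiaddr
    header += socket.inet_aton(server_ip) + b"\0" * 4   # siaddr, giaddr
    header += b"\0" * (16 + 64 + 128)                   # chaddr, sname, file
    options = bytes([53, 1, DHCPOFFER, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return header + DHCP_MAGIC + options

def offer_server_id(payload: bytes) -> Optional[str]:
    """Return the server identifier (option 54) if payload is a DHCPOFFER, else None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    i, msg_type, server_id = 240, None, None
    while i < len(payload):
        code = payload[i]
        if code == 255:               # end option
            break
        if code == 0:                 # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):     # truncated: option code without length
            break
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) < length:        # truncated option body
            break
        if code == 53 and length == 1:
            msg_type = data[0]
        elif code == 54 and length == 4:
            server_id = socket.inet_ntoa(data)
        i += 2 + length
    return server_id if msg_type == DHCPOFFER else None

def rogue_dhcp_servers(payloads: list) -> set:
    """Collect server identifiers that issued OFFERs but are not on the allowlist."""
    servers = (offer_server_id(p) for p in payloads)
    return {s for s in servers if s is not None and s not in AUTHORIZED_DHCP_SERVERS}
```

In practice the payloads would come from a capture of UDP port 68 traffic on the residence-hall segments; a hit from an unlisted server identifier is the trail a rogue DHCP box otherwise fails to leave.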


