Firewall Wizards mailing list archives
Re: Firewall Placement Question
From: "Richard Golodner" <rgolodner () infratection com>
Date: Thu, 21 Feb 2008 17:43:17 -0600
Jason, working out the bugs has always been part of the trip. There is always going to be something that does not work and it may take a campus full of people for the IT staff to hear about some of the things. I think there are smarter people on this list who could answer the firewall placement question than I can, but here is what I think. I would do something about the open network jacks and determine where in the switching fabric they reside and then put some kind of security on them. Layer 2 or MAC address filtering, or Layer 3 ACLs on the switch to keep some semblance of order. Would it be possible to build a large network, sub netted for the residence halls where you can give permission to those individuals who need special access? I am just thinking off the top of my head here, but I would definitely address those jacks as someone could come in and possibly ruin your network without ever leaving much of a trail especially if they are spitting out DHCP addresses. Just some food for thought, best of luck and success to you and your team. most sincerely, Richard Golodner -----Original Message----- From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of jason () tacorp com Sent: Wednesday, February 20, 2008 8:37 PM To: Firewall Wizards Security Mailing List Subject: [fw-wiz] Firewall Placement Question I would like to hear some thoughts on the placement of a firewall. My intent isn't to start a flame but to debate the usefulness of two technologies inside the network firewall vs. IPS's. The network which I manage is a university network that hasn't been looked after very well with regards to security and access control. Right now there is a head end firewall that's 'inverted' as we say - that is we allow everything and just block a few things. Between buildings we block a few ports on the l3 switches to 'contain outbreaks'. There are three major problems which we are trying to address separetely. 1. The Residence Halls are on the inside of the network. They are coming off this summer. 2. Wireless users are on the inside of the network. We are building a 'guest wireless' system that will be live this summer as well. 3. There are open network jacks all around campus and no kind of NAC in place. This isn't being addressed yet. Also being a university we have a hard time trusting our users and enforcing anti-virus installations and patching. Recently there has been a push to install a transparent firewall in front of the server farm. This is being done using a context on our firewall services module that protects (be it poorly) the border at the internet. However both the server network and internet border are being scanned by an IPS. The question is: given that we are working to take historically abusive users off the network, is it really worth the time to install a firewall in front of the servers or just use the IPS? I wonder about the labor required to pull this off for almost 200 servers (and Microsoft applications are a bitch). I fear it will be hell to manage all the excpetions, ie. one user in a different building needs access to a few administrative ports. Not to mention that after it's done we'll spend days trying to work out the bugs of things that 'should just work' and effects of application upgrades that change ports. Lastly, is anyone doing any kind of filtering inside the network or is only done at the border? Thoughts? Regards, Jason Mishka _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: syslog and network management, (continued)
- Re: syslog and network management Alejandro Ezequiel Fernández Preda (Feb 21)
- Re: syslog and network management Dave Piscitello (Feb 22)
- Re: syslog and network management Brian Loe (Feb 22)
- Re: syslog and network management Brian Loe (Feb 22)
- Firewall Placement Question jason (Feb 21)
- Re: Firewall Placement Question Aniket S. Amdekar (Feb 22)
- Re: Firewall Placement Question Dan Lynch (Feb 22)
- Re: Firewall Placement Question firewallwizards (Feb 22)
- Re: Firewall Placement Question J. Oquendo (Feb 22)
- Re: Firewall Placement Question Marcus J. Ranum (Feb 22)
- Re: Firewall Placement Question Richard Golodner (Feb 22)
- Re: Firewall Placement Question Darden, Patrick S. (Feb 22)
- Re: Firewall Placement Question Dale W. Carder (Feb 22)