Firewall Wizards mailing list archives
Re: Protecting a datacentre with a firewall
From: "Bill Royds" <Bill () royds net>
Date: Sat, 3 May 2003 14:04:57 -0400
One question I would have is to ask whether it would not be better to partition the datacenter into sub-segments according to usage and protect each of these by a separate firewall. In this way, you could have a ruleset on each firewall that was more closely tuned to the traffic on each sub-segment. It increases the number of rule sets to maintain, but each of them is much simpler and one could more easily run log analysis/IDS to find problems with traffic. So one subsegment might be for Windows servers that would be able to block Unix RPC etc. from passing through the firewall, another for Unix servers that would block any SMB traffic etc. ----- Original Message ----- From: <Jeffery.Gieser () minnesotamutual com> To: "Lazló Carreidas" <LazloCarreidas () netscape net> Cc: <firewall-wizards () honor icsalabs com> Sent: Friday, May 02, 2003 5:29 PM Subject: Re: [fw-wiz] Protecting a datacentre with a firewall Lazlo, To answer your question about whether companies are doing this I think most companies are doing this already. Any enterprise level firewall be it a Cisco PIX, Checkpoint Firewall-1, Secure Computing Sidewinder, etcetera should be able to handle this as long as you size the hardware and number of firewalls appropriately. Run a network sniffer to get a good idea of what kind of traffic you are going to have to allow and develope a policy for your PIX that covers that traffic. I suspect that no matter how well you plan this when you switch over to firewalling your WAN you will have some stuff that does not work. You should be able to use a network sniffer to determine what traffic is not working and create rules for that traffic. I have done similar projects and it ends up being a lot of documentation. Regards, Jeffery Gieser LazloCarreidas () netscape net (Lazló Carreidas)) To: firewall-wizards () honor icsalabs com Sent by: cc: firewall-wizards-admin@honor.i Subject: [fw-wiz] Protecting a datacentre with a firewall csalabs.com 05/02/2003 03:07 PM Hi Wizards I am working for a multinational company. Our IT management is worried that somebody could abuse our WAN infrastructure, and use it to attack our servers in the Headquarters (we have centralised here core business systems, and so they are used from everywhere in the world). Therefore, they have asked us (the security unit) to study and plan the installation of a firewall (most certainly a Cisco PIX) cluster (for failover) that would "isolate" the datacentre (about 150 servers running different flavours of Windows, NetWare, UNIX and OS/400) from the rest of the network infrastructure. I already know that it would be quite difficult. For example, we would need to get rid of all legacy protocols other than IP (IPX, SNA and NetBIOS for sure), have to document every address and port needed to be accessed by the users, etc... The main concern of our colleagues in the network unit is that we would need to span all the traffic to one (or maybe a bit more) interface on the firewall, which would maybe overload the core switch. There would also be latency issues, etc... Our main concern is of course the management of this firewall, due to the huge number of systems involved. We would like to know your opinion on this subject, if somebody did that already, it there would be better ways (ACLs and routers and switches, for example), if choosing a PIX is a good idea (performance, for example) and even if it is feasible... Thank you for your input Lazló __________________________________________________________________ Try AOL and get 1045 hours FREE for 45 days! http://free.aol.com/tryaolfree/index.adp?375380 Get AOL Instant Messenger 5.1 for FREE! Download Now! http://aim.aol.com/aimnew/Aim/register.adp?promo=380455 _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Protecting a datacentre with a firewall Lazló Carreidas (May 02)
- Re: Protecting a datacentre with a firewall mag (May 03)
- Re: Protecting a datacentre with a firewall Mikael Olsson (May 03)
- Re: Protecting a datacentre with a firewall mag (May 04)
- Re: Protecting a datacentre with a firewall Chuck Swiger (May 04)
- Re: Protecting a datacentre with a firewall Mikael Olsson (May 04)
- Re: Protecting a datacentre with a firewall Mikael Olsson (May 03)
- Re: Protecting a datacentre with a firewall mag (May 03)
- <Possible follow-ups>
- Re: Protecting a datacentre with a firewall Jeffery . Gieser (May 03)
- Re: Protecting a datacentre with a firewall Bill Royds (May 03)