Firewall Wizards mailing list archives

Re: Protecting a datacentre with a firewall


From: "Bill Royds" <Bill () royds net>
Date: Sat, 3 May 2003 14:04:57 -0400

One question I would have is to ask whether it would not be better to
partition the datacenter into sub-segments according to usage and protect
each of these by a separate firewall. In this way, you could have a ruleset
on each firewall that was more closely tuned to the traffic on each
sub-segment. It increases the number of rule sets to maintain, but each of
them is much simpler and one could more easily run log analysis/IDS to find
problems with traffic.

So one sub-segment might be for Windows servers that would be able to block
Unix RPC etc. from passing through the firewall, another for Unix servers
that would block any SMB traffic etc.


----- Original Message ----- 
From: <Jeffery.Gieser () minnesotamutual com>
To: "Lazló Carreidas" <LazloCarreidas () netscape net>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Friday, May 02, 2003 5:29 PM
Subject: Re: [fw-wiz] Protecting a datacentre with a firewall



Lazlo,

      To answer your question about whether companies are doing this, I
think most companies are doing this already.  Any enterprise level firewall,
be it a Cisco PIX, Checkpoint Firewall-1, Secure Computing Sidewinder,
etcetera, should be able to handle this as long as you size the hardware and
number of firewalls appropriately.  Run a network sniffer to get a good
idea of what kind of traffic you are going to have to allow and develop a
policy for your PIX that covers that traffic.  I suspect that no matter how
well you plan this, when you switch over to firewalling your WAN you will
have some stuff that does not work.  You should be able to use a network
sniffer to determine what traffic is not working and create rules for that
traffic.  I have done similar projects and it ends up being a lot of
documentation.

Regards,
Jeffery Gieser


From: "Lazló Carreidas" <LazloCarreidas () netscape net>
Sent by: firewall-wizards-admin@honor.icsalabs.com
To: firewall-wizards () honor icsalabs com
cc:
Subject: [fw-wiz] Protecting a datacentre with a firewall
Date: 05/02/2003 03:07 PM

Hi Wizards

I am working for a multinational company. Our IT management is worried that
somebody could abuse our WAN infrastructure, and use it to attack our
servers in the Headquarters (we have centralised here core business
systems, and so they are used from everywhere in the world).

Therefore, they have asked us (the security unit) to study and plan the
installation of a firewall (most certainly a Cisco PIX) cluster (for
failover) that would "isolate" the datacentre (about 150 servers running
different flavours of Windows, NetWare, UNIX and OS/400) from the rest of
the network infrastructure.

I already know that it would be quite difficult. For example, we would need
to get rid of all legacy protocols other than IP (IPX, SNA and NetBIOS for
sure), have to document every address and port needed to be accessed by the
users, etc...

The main concern of our colleagues in the network unit is that we would
need to span all the traffic to one (or maybe a bit more) interface on the
firewall, which would maybe overload the core switch. There would also be
latency issues, etc...
Our main concern is of course the management of this firewall, due to the
huge number of systems involved.

We would like to know your opinion on this subject, if somebody did that
already, if there would be better ways (ACLs and routers and switches, for
example), if choosing a PIX is a good idea (performance, for example) and
even if it is feasible...

Thank you for your input

  Lazló

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

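The two pieces of advice in this thread, a separate and simpler ruleset per sub-segment (Bill Royds' reply) and "capture the traffic first, derive the policy from it, then find what the new policy breaks" (Jeffery Gieser's reply), as an added Python model. This is example code written for this archive page, not anything posted by the thread participants and not a PIX configuration: the segment networks, ports, rules and the captured flows are constructed sample values, and the evaluator is a simplified first-match-wins matcher with an implicit deny at the end of each segment's list.

```python
"""Per-segment firewall rulesets with a capture-driven allow-list (added example).

Everything below (segments, ports, flows) is constructed sample data; the point
is to show why a ruleset per sub-segment stays small and reviewable, and how a
traffic capture turns into candidate rules plus a list of flows that would break.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port
    note: str

    def matches(self, flow: Flow) -> bool:
        return self.proto in (None, flow.proto) and self.dport in (None, flow.dport)


# Hypothetical sub-segments; in the thread's design each sits behind its own firewall.
SEGMENTS = {
    "windows": ip_network("10.1.0.0/24"),
    "unix": ip_network("10.2.0.0/24"),
}

# One ordered rule list per segment, first match wins, implicit deny afterwards.
# The Windows list drops Unix RPC; the Unix list drops SMB/NetBIOS, as the reply suggests.
BASE_RULES = {
    "windows": [
        Rule("deny", None, 111, "Unix RPC portmapper has no business on the Windows segment"),
        Rule("allow", "tcp", 445, "SMB file sharing"),
        Rule("allow", "tcp", 3389, "RDP for admins"),
    ],
    "unix": [
        Rule("deny", "tcp", 445, "no SMB on the Unix segment"),
        Rule("deny", None, 137, "no NetBIOS on the Unix segment"),
        Rule("allow", "tcp", 22, "SSH"),
        Rule("allow", "tcp", 111, "RPC portmapper for NFS clients"),
    ],
}


def segment_for(dst: str) -> Optional[str]:
    """Name of the protected sub-segment containing dst, or None if unprotected."""
    addr = ip_address(dst)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)


def first_match(seg: str, flow: Flow, rules: dict) -> Optional[Rule]:
    return next((r for r in rules[seg] if r.matches(flow)), None)


def evaluate(flow: Flow, rules: dict = BASE_RULES) -> tuple:
    """Return (action, note) for a flow under the given per-segment rules."""
    seg = segment_for(flow.dst)
    if seg is None:
        return ("deny", "destination not in any protected segment")
    rule = first_match(seg, flow, rules)
    if rule is None:
        return ("deny", f"{seg}: implicit deny")
    return (rule.action, f"{seg}: {rule.note}")


def learn_allow_rules(observed: list, min_count: int = 2) -> dict:
    """Derive candidate allow rules from sniffer output (the capture-first step).

    A learned rule never overrides an explicit base rule, and services seen fewer
    than min_count times are left for a human to review rather than auto-allowed.
    """
    counts = Counter()
    for f in observed:
        seg = segment_for(f.dst)
        if seg is not None:
            counts[(seg, f.proto, f.dport)] += 1
    learned = {seg: list(rules) for seg, rules in BASE_RULES.items()}  # copy, base stays intact
    for (seg, proto, port), n in counts.items():
        probe = Flow("0.0.0.0", str(SEGMENTS[seg].network_address), proto, port)
        if n >= min_count and first_match(seg, probe, BASE_RULES) is None:
            learned[seg].append(Rule("allow", proto, port, f"learned from {n} observed flows"))
    return learned


def would_break(observed: list, rules: dict) -> list:
    """Captured flows the policy would drop: the 'stuff that does not work' list."""
    return [(f, evaluate(f, rules)[1]) for f in observed if evaluate(f, rules)[0] == "deny"]


# Constructed sniffer summary, one entry per observed connection.
CAPTURE = [
    Flow("192.168.50.10", "10.1.0.5", "tcp", 445),   # branch office -> Windows file server
    Flow("192.168.50.11", "10.1.0.5", "tcp", 445),
    Flow("192.168.60.7", "10.1.0.9", "tcp", 1433),   # SQL Server, absent from the base policy
    Flow("192.168.60.8", "10.1.0.9", "tcp", 1433),
    Flow("192.168.70.3", "10.2.0.4", "tcp", 22),
    Flow("192.168.70.3", "10.2.0.4", "tcp", 445),    # SMB towards Unix: explicit deny
    Flow("192.168.80.2", "10.2.0.6", "tcp", 5432),   # seen once: left for review
    Flow("192.168.90.1", "10.1.0.5", "udp", 111),    # RPC towards Windows: explicit deny
]

if __name__ == "__main__":
    learned = learn_allow_rules(CAPTURE)
    for flow, why in would_break(CAPTURE, learned):
        print(f"would drop {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  ({why})")
```

Running the block lists the three captured flows the learned policy would still drop (two explicit denies and the single-occurrence 5432 connection), which is exactly the review list the thread says you end up documenting.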