Firewall Wizards mailing list archives

Re: Protecting a datacentre with a firewall


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 04 May 2003 02:03:00 +0200



mag wrote:

> I always found it funny how bad enterprises with global intranets are
> at recognizing that their intranet is not much better defended
> than the internet itself...

All too true. 

> A not-so-bad solution is to group server resources of application
> systems

Proper segmentation is definitely a good idea.


> Also, PIXen are not just too suboptimal to be called firewalls,
> but also for intranet firewalling you need a level of flexibility
> you cannot achieve with a blackbox-style product, and with the
> so-called market leader firewalls.

You're raising a big stink here. Especially when you continue
by touting a firewall that you contribute to yourself.

People are running various types of "blackbox non-firewalls" in all
kinds of scenarios, including hosting centers and other large-scale
facilities quite successfully.


> You need a flexible operating
> system base, presumably some unix flavour, and a flexible, highly
> configurable firewall on top of it.

> LazloCarreidas () netscape net (Lazló Carreidas) wrote:
> > [...] the datacentre (about 150 servers running different
> > flavours of Windows, NetWare, UNIX and OS/400) [...]
>
> So prepare for a big work. We are doing it for five years, and have
> at least another five years ahead. And we are not even multinational.

"a big work"?  Please tell me you're joking.

I don't think you fully realize the scale of what you are suggesting.
You're mentioning "flexible OS base". This would suggest that they
spend some unquantified amount of time tweaking it. You are also 
suggesting that they run application layer gateways for 150 servers.

I'm thinking that one single ALG box isn't enough for a single choke
point to a 150-server segment. You likely need more. Then we move on 
to segmentation. How many boxes can one reasonably assume that they 
have the time to care for and feed, not to mention tinker with and 
customize?


Those "blackbox-style products" that you so rapidly dismiss as
useless will in many cases prove more valuable than any kind of
home-grown solution.  When something is too costly to maintain -
in terms of money or time (often the latter) - it doesn't get done.
It's that simple.

We all know that installing and configuring MAC based stuff on a 
server raises the bar considerably.  Hands up now: how many have 
actually had the time?  And if you did actually find the time, are 
you sure you shouldn't have been spending the time required to 
correctly configure and maintain that _one_ server doing something
else?  Perhaps _several_ network/organization-wide countermeasures 
that, when taken together, would have done a lot more for your 
total exposure?


Here's a free clue: internal networking is quite a bit more than ssh 
and http. I don't even want to try to _guess_ the number of protocols 
in use in a network of this size. I could take a wild stab at the 
number of _standard_ protocols in use, perhaps, but the _legacy_
ones ...?  Is your advice also that they write their own application 
layer gateways for all these protocols?  And continually reverse 
engineer changes to these legacy/proprietary protocols?   

You _don't_ get to say "but Zorp can do plug proxies/stateful 
firewalling too!", because then you've invalidated your whole 
reasoning.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards