Firewall Wizards mailing list archives
Re: Protecting a datacentre with a firewall
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 04 May 2003 02:03:00 +0200
mag wrote:
> I always found it funny how bad enterprises with global intranets are at recognizing that their intranet is not much better defended than the internet itself...
All too true.
> A not-so-bad solution is to group server resources of application systems
Proper segmentation is definitely a good idea.
> Also, PIXen are not just too suboptimal to be called firewalls, but also for intranet firewalling you need a level of flexibility you cannot achieve with a blackbox-style product, and with the so-called market leader firewalls.
You're raising a big stink here. Especially when you continue by touting a firewall that you contribute to yourself. People are running various types of "blackbox non-firewalls" in all kinds of scenarios, including hosting centers and other large-scale facilities quite successfully.
> You need a flexible operating system base, presumably some unix flavour, and a flexible, highly configurable firewall on top of it.
>
> LazloCarreidas () netscape net (Lazló Carreidas) wrote:
> > [...] the datacentre (about 150 servers running different flavours of Windows, NetWare, UNIX and OS/400) [...]
>
> So prepare for a big work. We have been doing it for five years, and have at least another five years ahead. And we are not even multinational.
"a big work"? Please tell me you're joking. I don't think you fully realize the scale of what you are suggesting.

You're mentioning "flexible OS base". This would suggest that they spend some unquantified amount of time tweaking it. You are also suggesting that they run application layer gateways for 150 servers. I'm thinking that one single ALG box isn't enough for a single choke point to a 150-server segment. You likely need more. Then we move on to segmentation. How many boxes can one reasonably assume that they have the time to care for and feed, not to mention tinker with and customize?

Those "blackbox-style products" that you so rapidly dismiss as useless will in many cases prove more valuable than any kind of home-grown solution. When something is too costly - in terms of money or time (often the latter) - to maintain, it doesn't get done. It's that simple.

We all know that installing and configuring MAC based stuff on a server raises the bar considerably. Hands up now: how many have actually had the time? And if you did actually find the time, are you sure you shouldn't have been spending the time required to correctly configure and maintain that _one_ server doing something else? Perhaps _several_ network/organization-wide countermeasures that, when taken together, would have done a lot more for your total exposure?

Here's a free clue: internal networking is quite a bit more than ssh and http. I don't even want to try to _guess_ the number of protocols in use in a network of this size. I could take a wild stab at the number of _standard_ protocols in use, perhaps, but the _legacy_ ones ...? Is your advice also that they write their own application layer gateways for all these protocols? And continually reverse engineer changes to these legacy/proprietary protocols? You _don't_ get to say "but Zorp can do plug proxies/stateful firewalling too!", because then you've invalidated your whole reasoning.
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Protecting a datacentre with a firewall Lazló Carreidas (May 02)
- Re: Protecting a datacentre with a firewall mag (May 03)
- Re: Protecting a datacentre with a firewall Mikael Olsson (May 03)
- Re: Protecting a datacentre with a firewall mag (May 04)
- Re: Protecting a datacentre with a firewall Chuck Swiger (May 04)
- Re: Protecting a datacentre with a firewall Mikael Olsson (May 04)
- Re: Protecting a datacentre with a firewall Mikael Olsson (May 03)
- Re: Protecting a datacentre with a firewall mag (May 03)
- <Possible follow-ups>
- Re: Protecting a datacentre with a firewall Jeffery . Gieser (May 03)
- Re: Protecting a datacentre with a firewall Bill Royds (May 03)