Firewall Wizards mailing list archives
Re: Host based vs network firewall in datacenter
From: sin <sin () pvs ro>
Date: Fri, 24 Jun 2005 00:27:58 +0300
Alin-Adrian Anton wrote:
> No matter what kind of network you have, you need at least one firewall at the border with the Internet. Having a datacenter without a fast firewall at the border is simply insane.
by fast firewall i presume you mean basic ACLs to filter much of the junk traffic, no?
> The machine at the border can be some expensive hardware, like a cisco, or can be a powerful BSD-based packet filter, sitting on powerful hardware (the best you can get, Intel based).
It can also be run on commodity hardware; expensive hardware isn't always gonna give you uber performance over cheaper hardware.
> If you choose a cisco-like solution, choose an expensive one. You definitely need it (because expensive ones can handle smarter ACLs and keep state much better, and also can resist DDoS over 100 Mbps. Cheap ones may die).
every router dies because of DDOS if some part of that traffic is not filtered upstream, and by dying i mean that you have a big chance of running out of bandwidth before you run out of VIP cpu power.
> If you choose a BSD solution use ipfw (fastest), or pf (best in terms of what it can do). Pf on FreeBSD with Intel "FXP" cards is able to use the hardware chip for checking the CRC of the packets. This feature is only available on FreeBSD, and as far as I know nobody ported it to other OSes. Having hardware to check for checksums greatly improves performance, even over ipfw.
Intel's Linux drivers also offer the same facility.
> I would not choose a linux based solution for firewalling high loads of evil traffic.
can you also give some arguments why not?
> Even better, if you can afford it, you can have both: the cisco and the BSD, cisco sitting maybe in front of the BSD. This way you also keep a simple and good control of what goes in and what goes out, and you can cut down packets which the hardware firewall missed (it happens).
firewalls just don't miss packets. they allow them to pass based on certain rules. maybe some software bugs can cause some unwanted packets to pass in certain situations.
> In case of a serious DDoS problem, you can even enable a stateful ACL version (keep it somewhere) on the BSD box, to really cut down whatever the hardware firewall skips into the internal network.
i believe you might want to do exactly the opposite, disabling any stateful ACLs on the router (you know, a 7500 cisco router can get pretty busy processing a high rate of small packets without any ACLs defined on a particular interface). adding stateful ACLs can have a negative impact on the router performance in case of a DoS/DDoS attack.
> On the inside LAN, it may be a very good idea to use any kind of firewall you want on each machine, in order to limit access to SNMP (if you are going to monitor them via SNMP), and so on. You should use a different switch for the monitoring connection, such that an internal server cannot impersonate you in any way (arp, ISN prediction, etc).
It can get quite expensive doing out of band management on a fairly big network, and also somewhat complex.
> Limit all services to what they really need to accept, and nothing else. If they are not going to use the LAN, always bind them on the local interface. Each host inside the LAN should not trust anyone from the LAN, so writing down what is strictly needed for each of them is a good thing. Implementing it is the next step, I just pointed out some ideas.
it will have to trust another host by some degree...
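As an added illustration of the per-host ruleset both posters are circling (not code from the thread or from either author): a default-deny pf ruleset for one datacenter server that exposes exactly one service to the LAN, accepts SNMP only from the monitoring host and SSH only from the management segment, and leaves everything bound to the loopback reachable only locally. The interface name, networks and the HTTP service are assumed placeholders.

```pf
# Assumed placeholders: interface, management segment, SNMP poller, server LAN.
ext_if       = "em0"
mgmt_net     = "10.0.100.0/24"   # out-of-band management network (assumed)
monitor_host = "10.0.100.10"     # SNMP poller on that segment (assumed)
lan_net      = "10.0.1.0/24"     # the server LAN this host sits on (assumed)

# Daemons bound to 127.0.0.1 stay usable on the host itself; nothing else
# on the LAN can reach them because lo0 is the only path to them.
set skip on lo0
# Silently drop rather than send RSTs/ICMP unreachables back to the LAN.
set block-policy drop

# Default deny in both directions: every rule below is an explicit exception,
# which is the "write down what each host strictly needs" step from the thread.
block all

# Management and monitoring: only from the dedicated segment, stateful so the
# replies are matched to an inbound connection rather than passed blindly.
pass in on $ext_if proto tcp from $mgmt_net     to ($ext_if) port 22  keep state
pass in on $ext_if proto udp from $monitor_host to ($ext_if) port 161 keep state

# The single service this host offers to the LAN (assumed here: HTTP).
# Other LAN hosts get nothing else, so a compromised neighbour cannot reach
# SNMP, SSH or any locally bound daemon on this machine.
pass in on $ext_if proto tcp from $lan_net to ($ext_if) port 80 keep state

# Outbound: only what the host itself needs (DNS and NTP here); reply traffic
# for the inbound rules above is already covered by their state entries.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port { 53, 123 } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf actually parsed them.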