Firewall Wizards mailing list archives

Re: Host based vs network firewall in datacenter


From: sin <sin () pvs ro>
Date: Fri, 24 Jun 2005 00:27:58 +0300

Alin-Adrian Anton wrote:

> No matter what kind of network you have, you need at least one firewall
> at the border with the Internet.
>
> Having a datacenter without a fast firewall at the border is simply
> insane.

in fast firewall I presume you mean basic ACLs to filter much of the
junk traffic, no?

> The machine at the border can be some expensive hardware, like a cisco,
> or can be a powerful BSD-based packet filter, sitting on powerful
> hardware (the best you can get, Intel based).

It can also be run on commodity hardware; expensive hardware is not
always gonna give you uber performance over cheaper hardware.

> If you choose a cisco-like solution, choose an expensive one. You definitely
> need it (because expensive ones can handle smarter ACLs and keep state
> much better, and also can resist DDoS over 100 Mbps. Cheap ones may
> die).

Every router dies because of DDoS if some part of that traffic is not
filtered upstream, and by dying I mean that you have a big chance of
running out of bandwidth before you run out of VIP CPU power.

> If you choose a BSD solution, use ipfw (fastest), or pf (best in terms of
> what it can do). Pf on FreeBSD with Intel "FXP" cards is able to use the
> hardware chip for checking the CRC of the packets. This feature is only
> available on FreeBSD, and as far as I know nobody ported it to other OS.
> Having hardware to check for checksums greatly improves performance,
> even over ipfw.

Intel's Linux drivers also offer the same facility.

> I would not choose a Linux-based solution for firewalling high loads of
> evil traffic.

Can you also give some arguments why not?

> Even better, if you can afford it, you can have both: the cisco and the
> BSD, cisco sitting maybe in front of the BSD. This way you also keep a
> simple and good control of what goes in and what goes out, and you can
> cut down packets which the hardware firewall missed (it happens).

Firewalls just don't miss packets. They allow them to pass based on
certain rules. Maybe some software bugs can cause some unwanted packets
to pass in certain situations.

> In case of a serious DDoS problem, you can even enable the stateful ACL
> version (keep it somewhere) on the BSD box, to really cut down whatever
> the hardware firewall skips into the internal network.

I believe you might want to do exactly the opposite, disabling any
stateful ACLs on the router (you know, a 7500 cisco router can get
pretty busy processing a high rate of small packets without any ACLs
defined on a particular interface). Adding stateful ACLs can have a
negative impact on the router performance in case of a DoS/DDoS attack.

> On the inside LAN, it may be a very good idea to use any kind of
> firewall you want on each machine, in order to limit access to SNMP (if
> you are going to monitor them via SNMP), and so on. You should use a
> different switch for the monitoring connection, such that an internal
> server cannot impersonate you in any way (arp, ISN prediction, etc).

It can get quite expensive doing out-of-band management on a fairly big
network, and also somewhat complex.

> Limit all services to what they really need to accept, and nothing else.
> If they are not going to use the LAN, always bind them on the local
> interface.
>
> Each host inside the LAN should not trust anyone from the LAN, so
> writing down what is strictly needed for each of them is a good thing.
> Implementing it is the next step, I just pointed out some ideas.

It will have to trust another host to some degree...
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
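The last exchange above (bind services that don't need the LAN to the local interface, reach SNMP only over a separate monitoring connection, write down what each host strictly needs) can be turned into a mechanical check. The script below is an added example, not code from the thread or from either poster: it parses `ss -ltunp`-style output and reports every daemon whose bind address is wider than the host's written-down policy allows. The sample socket table, the POLICY table and the management address 10.99.0.5 are constructed for the example.

```python
"""Audit a host's listening sockets against a per-host allowlist.

Added example, not from the mailing-list thread: it parses `ss -ltunp`-style
output and flags daemons bound to all interfaces that the host's policy says
should listen on loopback only, or only on the management-network address.
The sample output, the policy table and the management address are constructed.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str


# Constructed sample in the column layout `ss -ltunp` prints; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=901,fd=10))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=950,fd=6))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=1020,fd=4))
tcp   LISTEN 0      50     [::]:11211          [::]:*            users:(("memcached",pid=1100,fd=26))
tcp   LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1200,fd=6))
tcp   LISTEN 0      5      0.0.0.0:8000        0.0.0.0:*         users:(("python3",pid=1300,fd=3))
"""

# Constructed (hypothetical) host policy: the scope each daemon is allowed to listen on.
#   "local": loopback only (never reachable from the LAN)
#   "mgmt":  only the address on the separate monitoring switch
#   "lan":   may bind to all interfaces; the packet filter decides who reaches it
POLICY = {
    "sshd": "lan",
    "nginx": "lan",
    "mysqld": "local",
    "redis-server": "local",
    "memcached": "local",
    "snmpd": "mgmt",
}
MGMT_ADDR = "10.99.0.5"  # assumed address of this host on the monitoring switch

LOOPBACKS = {"127.0.0.1", "[::1]", "::1"}
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(text: str) -> list[Listener]:
    """Turn the ss table into Listener records; the first line is the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # "[::]:11211" -> "[::]", "11211"
        match = _PROC_RE.search(line)
        listeners.append(Listener(proto, addr, int(port), match.group(1) if match else "?"))
    return listeners


def audit(ss_text: str, policy=POLICY, mgmt_addr=MGMT_ADDR) -> list[tuple[str, int, str]]:
    """Return (process, port, reason) for every listener that violates the policy."""
    findings = []
    for l in parse_ss(ss_text):
        scope = policy.get(l.process)
        if scope is None:
            findings.append((l.process, l.port, "not in allowlist"))
        elif scope == "local" and l.addr not in LOOPBACKS:
            findings.append((l.process, l.port, f"listening on {l.addr}, expected loopback"))
        elif scope == "mgmt" and l.addr != mgmt_addr:
            findings.append((l.process, l.port, f"listening on {l.addr}, expected {mgmt_addr}"))
    return findings


if __name__ == "__main__":
    for process, port, reason in audit(SAMPLE_SS_OUTPUT):
        print(f"{process:14} port {port:<5} {reason}")
```

Run against the constructed sample it reports three deviations: memcached on `[::]` instead of loopback, snmpd on `0.0.0.0` instead of the monitoring-switch address, and an unlisted `python3` listener on port 8000. Anything not written down in the policy is reported rather than silently allowed, which is the "write down what is strictly needed for each host" rule from the thread applied as a default-deny check; the host packet filter then only has to permit what the policy names.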