Host based vs network firewall in datacenter

["Zurek, Patrick" <pzurek () uillinois edu>]

Hi all,
I graduated from university not long ago and assumed my first job as network administrator in a small datacenter.  I've 
been lurking here for a while and reading the archives.  I've learned a lot from what many of you have had to say, but 
I'm having difficulty making the jump from the theory behind the way things should be run (ie. the network design maps 
that show the little switch, router & firewall symbols) and the practical applications of that.  I was also reluctant 
to make this post in fear of getting flamed for having what will come across as a cluess attitude about network 
security.  Instead of flaming, please correct me, I want to learn.

I'd like to solicit some advice on a firewall implementation.  Our solaris only site has two main components, a web 
presence which connects to a backend application running on top of Oracle, and a custom application (which 
unfortunately also runs on the same host as the database) to which our clients connect.  So all our servers need to be 
internet facing including the database.  Our servers range from small Sun V100s to a F15k.  We do not have a firewall 
or a NIDS and we do not have administrative control of the router on which to apply stateless ACLs.  This was the 
situation when I arrived.  Fortunately, our hosts are properly configured and reasonably hardened by a competent system 
adminstrator.  Just recently I've had some luck with management in getting a span port enabled on the switch - in a 
month or so I hope to have up a BSD monitoring platform running snort/sguil off a dedicated tap.

These are the options as I see them:
1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
2) Host based firewall - put ipf on the hosts
3) Network firewall behind the router - ???

1) Does not seem feasible to continue to operate this way.

2) As a short term measure I have applied ipfilter on several of our non production hosts.  My manager has began to 
advocate putting it on all production systems now (about 15 hosts).  At first I thought this would be a bad idea, as a 
network firewall would ease administration and having to administer seperate rule sets for each server would be 
unwieldy. However, after reading the opinions of certain members of the list, I'm at a loss as to how to proceed.  I 
don't want to purchase something like:

"- Some of the products we're buying simply don't work
- Some of the products we're buying aren't being used
        properly
- There is no correlation between cost and effectiveness
        of security products"

as MJR said last week.  I'm interested in using the right tool for the job.  Is ipf on a production Sun 15k a good idea?

3) This option is good because it will allow us to apply stateless ACLs at the gateway and centralize the management of 
firewall functions.

Bearing in mind that I'm still relatively new to this, and that I'm having trouble bridging the gap between the way 
security should be done, and actually implementing it, I'd appreciate any advice and help.

Thanks for reading,

Pat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards