Firewall Wizards mailing list archives

Re: Host based vs network firewall in datacenter


From: Victor Williams <vbwilliams () neb rr com>
Date: Fri, 10 Jun 2005 10:53:33 -0500

My opinion is that anything you can do is better than nothing.

I often come across people who KNOW what's wrong with their implementations, and they bury their head in the sand regarding it. I am glad to see you are not one of those people.

I think one thing you are asking is how, regarding the network, do I make this implementation better. I think you are on the right track. However, as someone concerned about security, I don't think you should limit yourself to that line of thinking. There are best practices you should adhere to when putting together a system like this. I might pose the question of how difficult would it be to separate the application layer from the data layer in your environment, and what would you gain from doing so? I think app and data residing on the same machine is generally a bad idea...not just from a data security standpoint, but if I lose my application server for whatever reason (lightning), guess what? My data is fried as well. It is always better in my opinion (not necessarily from a *security to keep other people out* point of view) to keep all your eggs in different baskets.

In addition, I for one use firewalls/IDS of some sort on any/all applicable servers. I've also written my own scripts to automate the functionality of them if applicable...so I don't have to keep disparate rulesets on them all.

Also, think accountability. Even if you can't put more *security controls* in place, do you believe you can track down a security breach if it happened? Is there enough applicable logging going on to see who/what caused your breach? Do you have the knowledge to use all this logging to your advantage?

Being originally from the gov't sector myself in the USDA, I often found that we needed to put security controls in place to give us accountability and to prevent our machines from being used as repositories for unnecessary stuff...*hackers* tried to break in to use our servers as free space areas for whatever...not necessarily stealing our data because it was public domain data (GIS hi-res satellite pictures) anyway. Where I'm going here is that your application of whatever will depend on what you're trying to protect and why. Since moving on to my current job, my application of security controls has changed because the data I'm protecting is different, and the motives for getting it would be completely different.

Before you just decide to turn on a firewall here and there, you need to ask yourself why you're turning it on in the first place (not saying you don't need it), and ask yourself what you're trying to protect. Personally, I would be more worried about the way your application is architected than firewalls at this point.

Zurek, Patrick wrote:

Hi all,
I graduated from university not long ago and assumed my first job as network administrator in a small datacenter.  I've been lurking 
here for a while and reading the archives.  I've learned a lot from what many of you have had to say, but I'm having difficulty 
making the jump from the theory behind the way things should be run (i.e. the network design maps that show the little switch, router & 
firewall symbols) and the practical applications of that.  I was also reluctant to make this post in fear of getting flamed for having 
what will come across as a clueless attitude about network security.  Instead of flaming, please correct me, I want to learn.

I'd like to solicit some advice on a firewall implementation.  Our Solaris-only site has two main components, a web presence 
which connects to a backend application running on top of Oracle, and a custom application (which unfortunately also runs on the 
same host as the database) to which our clients connect.  So all our servers need to be internet facing including the database.  
Our servers range from small Sun V100s to a F15k.  We do not have a firewall or a NIDS and we do not have administrative control 
of the router on which to apply stateless ACLs.  This was the situation when I arrived.  Fortunately, our hosts are properly 
configured and reasonably hardened by a competent system administrator.  Just recently I've had some luck with management in 
getting a span port enabled on the switch - in a month or so I hope to have up a BSD monitoring platform running snort/sguil off 
a dedicated tap.

These are the options as I see them:
1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
2) Host based firewall - put ipf on the hosts
3) Network firewall behind the router - ???

1) Does not seem feasible to continue to operate this way.

2) As a short term measure I have applied ipfilter on several of our non-production hosts.  My manager has begun to advocate 
putting it on all production systems now (about 15 hosts).  At first I thought this would be a bad idea, as a network firewall 
would ease administration and having to administer separate rule sets for each server would be unwieldy. However, after reading 
the opinions of certain members of the list, I'm at a loss as to how to proceed.  I don't want to purchase something 
like:

"- Some of the products we're buying simply don't work
- Some of the products we're buying aren't being used
        properly
- There is no correlation between cost and effectiveness
        of security products"

as MJR said last week.  I'm interested in using the right tool for the job.  Is ipf on a production Sun 15k a good idea?

3) This option is good because it will allow us to apply stateless ACLs at the gateway and centralize the management of 
firewall functions.

Bearing in mind that I'm still relatively new to this, and that I'm having trouble bridging the gap between the way security 
should be done, and actually implementing it, I'd appreciate any advice and help.

Thanks for reading,

Pat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
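Both posters touch on the administrative cost of per-host ipf rulesets (Victor's scripts that avoid "disparate rulesets", Pat's worry about maintaining one per server). The script below is an added example, not code from either poster: it generates a complete ipfilter ruleset for a host from a single central role definition, so every Solaris host gets the same default-deny-and-log policy. Interface name, roles, ports and addresses are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: generate an ipf.conf per host role from one central definition.
# Everything below (interface, roles, addresses, ports) is constructed for the
# example; the real site would substitute its own values.

WEB_HOSTS="192.0.2.10 192.0.2.11"   # constructed: web tier allowed to reach Oracle
MGMT_NET="192.0.2.96/27"             # constructed: admin network allowed SSH
IFACE="hme0"                         # constructed: Solaris interface name

# Inbound services per role, one "proto/port[/source]" per line (no source = any).
role_services() {
    case "$1" in
        web)   echo "tcp/80"; echo "tcp/443" ;;
        # DB listener only from the web tier; the custom client app port from anywhere.
        dbapp) for h in $WEB_HOSTS; do echo "tcp/1521/$h"; done; echo "tcp/7000" ;;
        *)     return 1 ;;
    esac
}

# Print a full ruleset for the given role; 'quick' makes every rule first-match.
gen_ipf_rules() {
    role="$1"
    role_services "$role" >/dev/null || { echo "unknown role: $role" >&2; return 1; }
    echo "# ipf ruleset generated for role: $role"
    echo "pass in quick on lo0 all"
    echo "pass out quick on lo0 all"
    # Stateful outbound so replies need no separate inbound rules.
    echo "pass out quick on $IFACE proto tcp/udp from any to any keep state"
    echo "pass out quick on $IFACE proto icmp from any to any keep state"
    # Administrative access only from the management network.
    echo "pass in quick on $IFACE proto tcp from $MGMT_NET to any port = 22 keep state"
    role_services "$role" | while IFS=/ read -r proto port src; do
        if [ -z "$src" ]; then src="any"; fi
        echo "pass in quick on $IFACE proto $proto from $src to any port = $port keep state"
    done
    # Default deny with logging: the denied traffic is the accountability trail.
    echo "block in log quick on $IFACE all"
}

# Number of inbound allow rules on the external interface (for checking output).
count_pass_in() { gen_ipf_rules "$1" | grep -c "^pass in quick on $IFACE"; }
```

Running `gen_ipf_rules dbapp > /etc/opt/ipf/ipf.conf` on the host would be the deployment step; keeping the generator under version control gives one place to review and change policy for all hosts.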

