Firewall Wizards mailing list archives
Re: Host based vs network firewall in datacenter
From: Victor Williams <vbwilliams () neb rr com>
Date: Fri, 10 Jun 2005 10:53:33 -0500
My opinion is that anything you can do is better than nothing. I often come across people who KNOW what's wrong with their implementations, and they bury their head in the sand regarding it. I am glad to see you are not one of those people.
I think one thing you are asking is how, regarding the network, do I make this implementation better. I think you are on the right track. However, as someone concerned about security, I don't think you should limit yourself to that line of thinking. There are best-practices you should adhere to when putting together a system like this. I might pose the question of how difficult would it be to separate the application layer from the data layer in your environment, and what would you gain from doing so? I think app and data residing on the same machine is generally a bad idea...not from just a data security standpoint, but if I lose my application server for whatever reason (lightning), guess what? My data is fried as well. It is always better in my opinion (not necessarily from *security to keep other people out* point of view) to keep all your eggs in different baskets.
In addition, I for one use firewalls/IDS of some sort on any/all applicable servers. I've also written my own scripts to automate the functionality of them if applicable...so I don't have to keep disparate rulesets on them all.
Also, think accountability. Even if you can't put more *security controls* in place, do you believe you can track down a security breach if it happened? Is there enough applicable logging going on to see who/what caused your breach? Do you have the knowledge to use all this logging to your advantage?
Being originally from the gov't sector myself in the USDA, I often found that we needed to put security controls in place to give us accountability and to prevent our machines from being used as repositories for unnecessary stuff...*hackers* tried to break in to use our servers as free space areas for whatever...not necessarily stealing our data because it was public domain data (GIS hi-res satellite pictures) anyway. Where I'm going here, is your application of whatever will depend on what you're trying to protect and why. Since moving on to my current job, my application of security controls has changed because the data I'm protecting is different, and the motives for getting it would be completely different.
Before you just decide to turn on a firewall here and there, you need to ask yourself why you're turning it on in the first place (not saying you don't need it), and ask yourself what you're trying to protect. Personally, I would be more worried about the way your application is architected than firewalls at this point.
Zurek, Patrick wrote:
Hi all,

I graduated from university not long ago and assumed my first job as network administrator in a small datacenter. I've been lurking here for a while and reading the archives. I've learned a lot from what many of you have had to say, but I'm having difficulty making the jump from the theory behind the way things should be run (i.e. the network design maps that show the little switch, router & firewall symbols) and the practical applications of that. I was also reluctant to make this post in fear of getting flamed for having what will come across as a clueless attitude about network security. Instead of flaming, please correct me, I want to learn.

I'd like to solicit some advice on a firewall implementation. Our Solaris-only site has two main components, a web presence which connects to a backend application running on top of Oracle, and a custom application (which unfortunately also runs on the same host as the database) to which our clients connect. So all our servers need to be internet facing, including the database. Our servers range from small Sun V100s to an F15k. We do not have a firewall or a NIDS and we do not have administrative control of the router on which to apply stateless ACLs. This was the situation when I arrived. Fortunately, our hosts are properly configured and reasonably hardened by a competent system administrator. Just recently I've had some luck with management in getting a span port enabled on the switch - in a month or so I hope to have up a BSD monitoring platform running snort/sguil off a dedicated tap.

These are the options as I see them:
1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
2) Host based firewall - put ipf on the hosts
3) Network firewall behind the router - ???

1) Does not seem feasible to continue to operate this way.

2) As a short term measure I have applied ipfilter on several of our non production hosts. My manager has begun to advocate putting it on all production systems now (about 15 hosts). At first I thought this would be a bad idea, as a network firewall would ease administration and having to administer separate rule sets for each server would be unwieldy. However, after reading the opinions of certain members of the list, I'm at a loss as to how to proceed. I don't want to purchase something like: "- Some of the products we're buying simply don't work - Some of the products we're buying aren't being used properly - There is no correlation between cost and effectiveness of security products" as MJR said last week. I'm interested in using the right tool for the job. Is ipf on a production Sun 15k a good idea?

3) This option is good because it will allow us to apply stateless ACLs at the gateway and centralize the management of firewall functions.

Bearing in mind that I'm still relatively new to this, and that I'm having trouble bridging the gap between the way security should be done, and actually implementing it, I'd appreciate any advice and help.

Thanks for reading,
Pat

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
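The thread's sticking point is that ipf on ~15 hosts means ~15 hand-kept rulesets. One way to get the centralized management of option 3 while still running host-based ipf (option 2) is to generate every host's ipf.conf from a single policy file, as Victor describes doing with his own scripts. The following is an added example written for this archive page, not Victor's scripts or anything from the list; the host names, interface, addresses (RFC 5737 space) and the "proto/port@srcnet" service syntax are all constructed for illustration.

```shell
#!/bin/sh
# Added example: build a per-host Solaris IP Filter (ipf) ruleset from one
# central policy so that every host shares the same baseline and only the
# exposed services differ. All names and addresses below are constructed.

# Central policy, one line per host: "host iface addr service [service...]"
# where service = proto/port[@srcnet]; srcnet defaults to any.
POLICY='
www1   bge0 192.0.2.10 tcp/80 tcp/443
db1    bge0 192.0.2.20 tcp/1521@192.0.2.10/32 tcp/7777
'
ADMIN_NET=192.0.2.0/24   # management network allowed to ssh in (constructed)

# gen_ipf_rules HOST: print the generated ipf.conf for HOST on stdout.
gen_ipf_rules() {
    line=$(printf '%s\n' "$POLICY" | awk -v h="$1" '$1 == h')
    [ -n "$line" ] || { echo "no policy for host $1" >&2; return 1; }
    set -- $line
    host=$1; iface=$2; addr=$3; shift 3

    # Baseline identical on every host: default deny (logged), loopback open,
    # outbound allowed with state, ssh only from the admin network.
    # In ipf the last match wins unless "quick", so the block rules go first.
    cat <<EOF
# ipf.conf for $host ($addr on $iface) - generated, do not hand-edit
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
block in log quick on $iface from any to any with short
pass out quick on $iface proto tcp from $addr to any flags S keep state
pass out quick on $iface proto udp from $addr to any keep state
pass out quick on $iface proto icmp from $addr to any keep state
pass in quick on $iface proto tcp from $ADMIN_NET to $addr port = 22 flags S keep state
EOF
    # Per-host exposed services, each optionally restricted to a source net.
    for svc in "$@"; do
        proto=${svc%%/*}; rest=${svc#*/}; port=${rest%%@*}; src=any
        case $rest in *@*) src=${rest#*@} ;; esac
        if [ "$proto" = tcp ]; then
            echo "pass in quick on $iface proto tcp from $src to $addr port = $port flags S keep state"
        else
            echo "pass in quick on $iface proto $proto from $src to $addr port = $port keep state"
        fi
    done
}

# Usage: gen_ipf_rules db1 > ipf.conf.db1   (then review, copy, and load with ipf -Fa -f)
```

Because the Oracle listener line is restricted to the web host's address, the database host ends up reachable only on the custom-application port and ssh, which is what a network firewall in front of it would have enforced.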