Firewall Wizards mailing list archives

Re: Host based vs network firewall in datacenter


From: Chuck Swiger <chuck () codefab com>
Date: Fri, 10 Jun 2005 21:14:18 -0400

Zurek, Patrick wrote:
I graduated from university not long ago and assumed my first job as network
administrator in a small datacenter. I've been lurking here for a while and
reading the archives. I've learned a lot from what many of you have had to say,
but I'm having difficulty making the jump from the theory behind the way things
should be run (ie. the network design maps that show the little switch, router
& firewall symbols) and the practical applications of that.

Well, congratulations on your new position. The best way to move from theory to practice is to set up a small test network or two, and see what "doing it for real (almost)" is like.

There are two books that you need to get, read, and then re-read until you've gotten their contents down: "TCP/IP Network Administration", and "Building Internet Firewalls".

I was also reluctant to make this post in fear of getting flamed for having
what will come across as a clueless attitude about network security. Instead
of flaming, please correct me, I want to learn.

While it's true that this list has some fine arguments, most of them are friendly. :-)

I'd like to solicit some advice on a firewall implementation. Our solaris
only site has two main components, a web presence which connects to a backend
application running on top of Oracle, and a custom application (which
unfortunately also runs on the same host as the database) to which our clients
connect. So all our servers need to be internet facing including the database.

OK. I would start by confirming the requirement for being Internet-routable, especially with regard to the database, assuming that contains the stuff you want to protect.

If you can put your DB on a private network and have just the few machines which genuinely need access able to talk with it, that would probably help your security out by a useful amount...

[ ... ]
These are the options as I see them:
1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
2) Host based firewall - put ipf on the hosts
3) Network firewall behind the router - ???
1) Does not seem feasible to continue to operate this way.

This approach can work for a while, but it's dangerous.

For instance, you can have services reappear after you apply a patch cluster, as a new version of the /etc/init.d scripts might be plunked down and turn stuff back on that you'd previously disabled....

2) As a short term measure I have applied ipfilter on several of our non
production hosts. My manager has begun to advocate putting it on all production
systems now (about 15 hosts).

Host-based firewalls tend to be more useful on Windows boxes, since they can reduce viruses propagating outwards. Not as important on a Solaris box. It's better than nothing, but your network is still highly vulnerable to a lot of things like IP spoofing via source-routing.

3) This option is good because it will allow us to apply stateless ACLs at
the gateway and centralize the management of firewall functions.

Yes. You can use a firewall as a bridge, not a router, if you don't want to adjust your subnetting and have to renetwork your production boxes.

Whether you use stateless rules or dynamic ones is more a matter of taste and how you've locked the boxes down. The important thing is that the firewall will provide a chokepoint where you can inspect, block, and monitor traffic, as well as a spot to prevent people from spoofing internal IP addresses.

--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
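As an added illustration of the points made in the reply above (a chokepoint firewall in front of the servers, anti-spoofing of internal addresses, dropping source-routed packets, and the stateless-versus-stateful choice), here is an IP Filter (ipf.conf) ruleset for option 3. It is constructed for this note and is not from the original poster or from Chuck; the interface names hme0/hme1, the 192.0.2.0/24 and 10.0.0.0/8 address ranges, the host addresses, and the custom application port 7000 are all assumptions, and 1521 is used as the Oracle listener port.

```ipf
# Added example: IP Filter ruleset for a network firewall in front of the
# datacenter segment. Not from the original thread; all names below are assumed.
#
#   hme0          outside interface (toward the router / Internet)
#   hme1          inside interface (server segment)
#   192.0.2.0/24  server segment behind the firewall (assumed)
#   192.0.2.10    web server (assumed)
#   192.0.2.20    Oracle + custom client application host (assumed)
#   TCP 7000      custom client application port (assumed)
#   TCP 1521      Oracle listener (assumed default)

# Default deny in both directions. These are not "quick", so a later
# matching rule wins; every "quick" rule below short-circuits evaluation.
block in log all
block out log all

# Source-routed packets carry an attacker-chosen path and are the classic
# way to spoof a trusted source address through a stateless packet filter.
# Drop them (and any other IP options) on the outside interface first.
block in log quick on hme0 from any to any with opt lsrr
block in log quick on hme0 from any to any with opt ssrr

# Anti-spoofing at the chokepoint: nothing arriving from the Internet may
# claim an internal, private or loopback source, and nothing may leave the
# outside interface with a source address that is not ours.
block in log quick on hme0 from 192.0.2.0/24 to any
block in log quick on hme0 from 10.0.0.0/8 to any
block in log quick on hme0 from 127.0.0.0/8 to any
block out log quick on hme0 from !192.0.2.0/24 to any

# Stateful (dynamic) version: only the SYN of a new connection is matched;
# the state table then passes the rest of that conversation both ways.
pass in quick on hme0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state
pass in quick on hme0 proto tcp from any to 192.0.2.10 port = 443 flags S keep state
pass in quick on hme0 proto tcp from any to 192.0.2.20 port = 7000 flags S keep state

# Stateless equivalent of the port 80 rule, for comparison (leave one or
# the other enabled, not both). The reply direction has to be opened by a
# second rule that only checks for ACK, which is what a router ACL does.
# pass in quick on hme0 proto tcp from any to 192.0.2.10 port = 80
# pass out quick on hme0 proto tcp from 192.0.2.10 port = 80 to any flags A/A

# The Oracle listener must never be reachable from the outside interface.
# The default deny already covers it; this rule makes the intent explicit
# and logs any attempt.
block in log quick on hme0 proto tcp from any to 192.0.2.20 port = 1521

# Outbound connections the servers originate (DNS, patch downloads, mail).
# Tighten this list once the hosts' real needs are known.
pass out quick on hme0 proto tcp from 192.0.2.0/24 to any flags S keep state
pass out quick on hme0 proto udp from 192.0.2.0/24 to any port = 53 keep state
pass out quick on hme0 proto icmp from 192.0.2.0/24 to any keep state

# Inside interface: the spoof and service checks are all done on hme0, so
# traffic that got past them is allowed through here in both directions.
pass in quick on hme1 all
pass out quick on hme1 all
```

Load it with `ipf -Fa -f /etc/ipf/ipf.conf` and watch `ipmon -o I` while testing from a host outside the router; the log lines from the block rules are the monitoring point Chuck describes. If the web server later needs to reach the database on a separate private segment (the arrangement suggested earlier in the reply), that traffic would get its own pass rule on the interface facing that segment, and the 1521 block on hme0 stays as it is.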

