Firewall Wizards mailing list archives
RE: Host based vs network firewall in datacenter
From: "Paul Melson" <psmelson () comcast net>
Date: Mon, 13 Jun 2005 13:11:35 -0400
Pat, I think you're on the right track, but I would suggest maybe taking a more holistic approach to your network. I don't think you've come close to an exhaustive list of options. For instance, option #1 is a basic hardening approach which involves patching and disabling unneeded processes. This deals with security at the application level. Options #2 & #3 deal with just filtering network traffic. Is your only point of vulnerability via the network? Does it only exist at services that are NOT in use? Or is it possible (or perhaps even more likely) that services you want to allow through your filters are usable attack vectors? So how about normalizing application traffic through a proxy, or at least encryption and authentication?

Also, you mention a NIDS project you're undertaking, but what about attacks against those systems that take place over encrypted channels or terminals or simply aren't part of the mainstream vulnerability lexicon? What monitoring and controls do you have to ensure that your authenticated users are authorized users, and that those authorized users only do what they are authorized to do? What about RBAC? Or a host-based IDS/IPS product?

I realize I've answered your questions with more questions. I hope I'm giving you more food for thought regarding access control to your systems. There's plenty more where that came from. :) You have a lot of bases to cover and a lot of things to consider beyond the three options you list below, all of which serve to reduce the risks of compromise and loss.

PaulM

PS - Since I hate the answer I just gave you, if you want my non-refundable $0.02 worth of advice, go with #1 AND #2. Of the options you're already considering, I think that gives you the most direct benefit.

-----Original Message-----
Subject: [fw-wiz] Host based vs network firewall in datacenter

These are the options as I see them:

1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
2) Host based firewall - put ipf on the hosts
3) Network firewall behind the router - ???

1) Does not seem feasible to continue to operate this way.

2) As a short term measure I have applied ipfilter on several of our non production hosts. My manager has begun to advocate putting it on all production systems now (about 15 hosts). At first I thought this would be a bad idea, as a network firewall would ease administration and having to administer separate rule sets for each server would be unwieldy. However, after reading the opinions of certain members of the list, I'm at a loss as to how to proceed. I don't want to purchase something like:

"- Some of the products we're buying simply don't work
- Some of the products we're buying aren't being used properly
- There is no correlation between cost and effectiveness of security products"

as MJR said last week. I'm interested in using the right tool for the job. Is ipf on a production Sun 15k a good idea?

3) This option is good because it will allow us to apply stateless ACLs at the gateway and centralize the management of firewall functions.

Bearing in mind that I'm still relatively new to this, and that I'm having trouble bridging the gap between the way security should be done, and actually implementing it, I'd appreciate any advice and help.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
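The original poster's worry about option #2 is that a separate ipfilter rule set per server is unwieldy to administer. One way to keep host-based filtering manageable is to generate each host's rule set from a single default-deny template that differs only in the interface and the short list of services that host is meant to expose. The script below is an added example written for this page, not code from either poster or from the ipfilter project; it assumes Solaris-style ipf.conf syntax, an interface named hme0, and a management network of 10.0.0.0/8, all of which are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build a default-deny ipfilter rule set
# for one host from a short allow-list, so per-host rule sets become a
# templating problem rather than hand-maintained files.
# Assumptions (constructed for illustration): Solaris-style ipf syntax,
# interface hme0, management network 10.0.0.0/8 allowed to reach ssh.

# gen_ipf_rules <interface> <mgmt-net> <tcp ports...>
# Prints an ipf rule set: loopback open, stateful outbound, ssh only from
# the management net, one stateful inbound rule per allowed TCP port, and
# a logged default deny for everything else inbound. "quick" makes each
# rule final on match, so the trailing block only sees unmatched traffic.
gen_ipf_rules() {
    iface=$1; mgmt=$2; shift 2
    echo "# generated ipf.conf for interface $iface"
    echo "pass in quick on lo0 all"
    echo "pass out quick on lo0 all"
    echo "pass out quick on $iface proto tcp from any to any flags S keep state"
    echo "pass out quick on $iface proto udp from any to any keep state"
    echo "pass out quick on $iface proto icmp from any to any keep state"
    echo "pass in quick on $iface proto tcp from $mgmt to any port = 22 flags S keep state"
    for p in "$@"; do
        echo "pass in quick on $iface proto tcp from any to any port = $p flags S keep state"
    done
    echo "block in log quick on $iface all"
}

# count_inbound_passes <rules>
# Number of inbound pass rules on non-loopback interfaces: a quick sanity
# check of how many holes a generated rule set opens before it is pushed
# to a production host.
count_inbound_passes() {
    printf '%s\n' "$1" | grep -c '^pass in quick on [^l]'
}

# Usage: sh gen_ipf.sh --demo   (a web server exposing 80 and 443)
if [ "${1:-}" = "--demo" ]; then
    gen_ipf_rules hme0 10.0.0.0/8 80 443
fi
```

Keeping the template in one place and checking the generated output into revision control gives the centralized administration the poster wanted from option #3 while keeping the per-host enforcement of option #2; the logged default-deny rule also doubles as a cheap data source for the NIDS effort mentioned in the reply.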