Firewall Wizards mailing list archives

RE: Host based vs network firewall in datacenter


From: "Johann van Duyn" <johann () vanduyn co uk>
Date: Mon, 13 Jun 2005 18:19:17 +0100

Hi, Patrick...

MJR should chip in, since his posts seem to have caused you some mental anguish. (Don't feel alone...)

Option 1 is not to be recommended, although you probably could get away with it if your Unix admin is really good AND 
he/she/it has a good understudy. But if a server falls, expect to hear all sorts of "interesting" questions regarding 
due care, negligence, etc. from lawyers, senior management and the like.

Option 2 could work OK, but you'll need to glue the logs from various servers together if you wanted to form a good 
picture of what's coming at your network... and changing settings globally will become a pain in the posterior.

Option 3 works best for most people, but the downside here is that one slip-up could potentially leave your whole 
network vulnerable. It does, however, give you the option of defining DMZ subnets, something I would recommend: put 
your DB and App servers in separate DMZ compartments, and manage how they talk to one another.

Best option yet is to do all three, or at least options 1 and 3. (But leave the "wide open" part out from option 1.) 
Lock the hosts down really tightly, and put an equally tightly configured application proxy firewall in front of them. 

(Note: Spec the APF well when buying; they do introduce lag, and a unit that cannot handle your bandwidth gracefully 
will give you and the site's users a rather nasty experience. Also, question the vendor on the technical details of 
their firewall's proxies, so that you get a unit that agrees with your take on what should and should not be coming at 
your servers, and that proxies exist for as many of the protocols you use as possible. Also quiz them on the procedure 
for writing custom proxies, should that ever be required... but prepare to pay big $$$/£££/€€€ for that.)

I would add an instance of Snort to the mix as you are planning to do, and then consider, after a few months of 
monitoring Snort logs, whether any of the IPS appliances on the market would be of much use. But do keep an eye out for 
the nonsense that IPS vendors are likely to throw your way if you ask them, and question the relevance, accuracy and 
technical details of every specification they throw at you. If you're running a decent application proxy firewall AND 
your hosts are well configured and properly locked down, you probably don't really need the IPS unit.

If at all possible, divorce your custom app from the DB server... that configuration is just plain ugly, man. You 
really don't want a vulnerability in one to lead to a compromise of the other. (If you can't, you are going to have to 
guard that server with severe jealousy for as long as it is alive.)

Hope this helps some...

_____________________________
J o h a n n   v a n   D u y n 

| -----Original Message-----
[SNIP! -- JvD] 
| admin () honor icsalabs com] On Behalf Of Zurek, Patrick
[SNIP! -- JvD] 
| 
| These are the options as I see them:
| 1) Wide open - keep the hosts locked down tight and keep open services to
| a minimum.
| 2) Host based firewall - put ipf on the hosts
| 3) Network firewall behind the router - ???
| 
| 1) Does not seem feasible to continue to operate this way.
| 
| 2) As a short term measure I have applied ipfilter on several of our non
| production hosts.  My manager has begun to advocate putting it on all
| production systems now (about 15 hosts).  At first I thought this would be
| a bad idea, as a network firewall would ease administration and having to
| administer separate rule sets for each server would be unwieldy. However,
| after reading the opinions of certain members of the list, I'm at a loss
| as to how to proceed.  I don't want to purchase something like:
| 
| "- Some of the products we're buying simply don't work
| - Some of the products we're buying aren't being used
|         properly
| - There is no correlation between cost and effectiveness
|         of security products"
| 
| as MJR said last week.  I'm interested in using the right tool for the
| job.  Is ipf on a production Sun 15k a good idea?
| 
| 3) This option is good because it will allow us to apply stateless ACLs at
| the gateway and centralize the management of firewall functions.
| 
| Bearing in mind that I'm still relatively new to this, and that I'm having
| trouble bridging the gap between the way security should be done, and
| actually implementing it, I'd appreciate any advice and help.
| 
[SNIP! -- JvD] 

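As an added illustration of option 2 combined with the DMZ-compartment advice above (this is not from Johann's or Patrick's mail), here is the shape an ipfilter ruleset might take on a database host: default deny in both directions with logging, and stateful permits only for the App DMZ to the listener and the admin subnet to ssh. The interface name hme0, the 10.0.x.x subnets and the listener port 1521 are constructed placeholders, not values from the thread.

```conf
# ipf.conf for a DB host living in its own DMZ compartment (constructed example).
# ipfilter is last-match-wins unless a rule says "quick", so the two default
# blocks come first and every permit below is "quick".

# Default policy: drop and log everything not explicitly permitted.
# The logged denies are what you later glue together from all hosts.
block in log all
block out log all

# Loopback traffic is always fine.
pass in quick on lo0 all
pass out quick on lo0 all

# Drop fragments too short to carry a full header, and anything claiming
# to come from loopback on the wire.
block in log quick on hme0 from any to any with short
block in log quick on hme0 from 127.0.0.0/8 to any

# Only the App DMZ (10.0.20.0/24) may open connections to the DB listener
# (placeholder port 1521) on this host (10.0.30.10). "flags S" means only a
# SYN may create state; replies ride the state entry, so no inbound rule
# for them is needed.
pass in quick on hme0 proto tcp from 10.0.20.0/24 to 10.0.30.10/32 port = 1521 flags S keep state

# Management access only from the admin subnet (10.0.99.0/24), not from the web tier.
pass in quick on hme0 proto tcp from 10.0.99.0/24 to 10.0.30.10/32 port = 22 flags S keep state

# What the host itself is allowed to initiate: DNS, NTP and syslog to the
# infrastructure hosts (placeholder addresses). Anything else the box tries
# to talk to, e.g. after a compromise, hits the logged default block above.
pass out quick on hme0 proto udp from 10.0.30.10/32 to 10.0.99.53/32 port = 53 keep state
pass out quick on hme0 proto udp from 10.0.30.10/32 to 10.0.99.123/32 port = 123 keep state
pass out quick on hme0 proto udp from 10.0.30.10/32 to 10.0.99.5/32 port = 514 keep state
```

Load it with `ipf -Fa -f /etc/ipf/ipf.conf` and run ipmon against syslog so the `log` hits from every host end up on one log server, which is the "gluing together" step option 2 obliges you to do.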