Firewall Wizards mailing list archives

Re: Host based vs network firewall in datacenter


From: Alin-Adrian Anton <aanton () spintech ro>
Date: Thu, 16 Jun 2005 16:02:59 +0300

Devdas Bhagat wrote:
On 07/06/05 12:33 -0500, Zurek, Patrick wrote:

Hi all,
I graduated from university not long ago and assumed my first job as
network administrator in a small datacenter.  I've been lurking here for
a while and reading the archives.  I've learned a lot from what many of
you have had to say, but I'm having difficulty making the jump from the
theory behind the way things should be run (i.e. the network design maps
that show the little switch, router & firewall symbols) and the practical
applications of that.  I was also reluctant to make this post in fear
of getting flamed for having what will come across as a clueless attitude
about network security.  Instead of flaming, please correct me, I want
to learn.


No matter what kind of network you have, you need at least one firewall at the border with the Internet.

Having a datacenter without a fast firewall at the border is simply insane.

The machine at the border can be some expensive hardware, like a Cisco, or can be a powerful BSD-based packet filter, sitting on powerful hardware (the best you can get, Intel-based).

If you choose a Cisco-like solution, choose an expensive one. You definitely need it (because expensive ones can handle smarter ACLs and keep state much better, and also can resist DDoS over 100 Mbps. Cheap ones may die).

If you choose a BSD solution, use ipfw (fastest) or pf (best in terms of what it can do). Pf on FreeBSD with Intel "FXP" cards is able to use the hardware chip for checking the CRC of the packets. This feature is only available on FreeBSD, and as far as I know nobody has ported it to other OSes. Having hardware to check checksums greatly improves performance, even over ipfw.

I would not choose a Linux-based solution for firewalling high loads of evil traffic.

Even better, if you can afford it, you can have both: the Cisco and the BSD, the Cisco sitting maybe in front of the BSD. This way you also keep simple and good control of what goes in and what goes out, and you can cut down packets which the hardware firewall missed (it happens).

In case of a serious DDoS problem, you can even enable a stateful ACL version (keep it somewhere) on the BSD box, to really cut down whatever the hardware firewall lets through into the internal network.

On the inside land, it may be a very good idea to use any kind of firewall you want on each machine, in order to limit access to SNMP (if you are going to monitor them via SNMP), and so on. You should use a different switch for the monitoring connection, such that an internal server cannot impersonate you in any way (ARP, ISN prediction, etc.).

Limit all services to what they really need to accept, and nothing else. If they are not going to use the LAN, always bind them on the local interface.

Each host inside the LAN should not trust anyone from the LAN, so writing down what is strictly needed for each of them is a good thing. Implementing it is the next step; I just pointed out some ideas.

Always consider that an attacker is somewhere inside, and try to avoid exposing any other machine to him.

Just my opinions.

Yours,
--
Alin-Adrian Anton
GPG keyID 0x183087BA (B129 E8F4 7B34 15A9 0785  2F7C 5823 ABA0 1830 87BA)
gpg --keyserver pgp.mit.edu --recv-keys 0x183087BA

"It is dangerous to be right when the government is wrong." - Voltaire
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
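As an added illustration of the per-host advice above (default deny, SNMP reachable only from the poller over a separate monitoring NIC, local-only services left on the loopback), here is a pf.conf for one internal server. This is example configuration written for this archive page, not a ruleset from the poster; the interface names em0/em1, the addresses and the service list are constructed assumptions.

```pf
# pf.conf for an internal server (example; interfaces and addresses are assumed)
lan_if   = "em0"            # interface on the production LAN
mon_if   = "em1"            # interface on the separate monitoring switch
mon_host = "10.20.0.5"      # the SNMP poller (constructed address)
lan_net  = "10.10.0.0/24"   # production LAN (constructed)
dns_srv  = "10.10.0.2"      # internal resolver (constructed)
ntp_srv  = "10.10.0.3"      # internal time source (constructed)
tcp_svc  = "{ 80, 443 }"    # what this host actually offers to the LAN

# Services bound to 127.0.0.1 stay reachable: loopback is never filtered
set skip on lo0
set block-policy drop

# Drop packets whose source address does not belong on the arriving interface
antispoof quick for { $lan_if $mon_if }

# Default deny in both directions; log what gets dropped for investigation
block log all

# SNMP: only from the poller, only on the monitoring NIC, never from the LAN
pass in quick on $mon_if proto udp from $mon_host to ($mon_if) port snmp keep state
# Traps this host sends to the poller
pass out on $mon_if proto udp from ($mon_if) to $mon_host port snmptrap keep state

# Inbound from the LAN: only the services written down for this host
pass in on $lan_if proto tcp from $lan_net to ($lan_if) port $tcp_svc \
    flags S/SA keep state

# Outbound from this host: only what it needs, to named internal servers
pass out on $lan_if proto { tcp, udp } from ($lan_if) to $dns_srv port domain keep state
pass out on $lan_if proto udp from ($lan_if) to $ntp_srv port ntp keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `keep state` and `flags S/SA` are the defaults on current pf but are spelled out here because the 2005-era pf discussed above required them.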