Re: Firewall Placement Question

["Aniket S. Amdekar" <aniket_zpm () yahoo com>]

Hi 
   
    
   I would like to suggest you to go for a solution that integrates the wireless security with the perimeter security 
of the university you are working with. SonicWALL could be an option to begin with. They have a Product for firewalls 
with wireless security.  
   You also have an option to go for User Based security configuration where you can block specific users from 
accessing particular networks or websits. You can set a policy for the rouge access points which provide you with an 
option to configure NAC for the network jacks.
    
   Since you have said that “Also being a university we have a hard time trusting our users and enforcing anti-virus 
installations and patching.”,  you can group those users and apply special policies for them which would enable to 
control the sites being accessed.  
   Most of the solutions available in the market will allow you to configure Guest profiles for the wireless users.
   
   
  If you already have purchased such a solution for your university you can use the following pointers for the 
deployment of the security policy throughout the network:
   
  ·         Guest Accounts for the wireless suers
  ·         Add a group of the students in the university and configure a special policy specifying the blocked and 
allowed conmtent, sites.
  ·         Configure a policy for the Rouge Access points (network jacks) specifying their ability to access the 
networks.
  ·         Configure a compliance policy for the network which wioll specify the minimum system configuration along 
with the software in order to access/enter the network. In this way you can enforce the installation of the antivirus 
software to the clients.
  ·         In order to take historically abusive users off the network, you can add them in a specific group and 
prohibit all the access to that group.
  ·         With the SonicWALL firewalls, you can configure the rules between zones, in your case it will be the server 
farm and the users in the network, and create exceptions if a user needs to access a particular port and later remove 
that exception from the system.
  ·         As far as the internal filtering is concerned, you can achieve that using the zones and the user groups, 
and configuring access rules between them.
   
  I wrote this article since I was working with the SonicWALL support and came across a lot of implementations on 
similar environments
  Specified by Jason. 
   
   
  Thanks and Regards,
  Aniket Amdekar


jason () tacorp com wrote:  I would like to hear some thoughts on the placement of a firewall. My 
intent isn't to start a flame but to debate the usefulness of two 
technologies inside the network firewall vs. IPS's.

The network which I manage is a university network that hasn't been looked 
after very well with regards to security and access control. Right now 
there is a head end firewall that's 'inverted' as we say - that is we 
allow everything and just block a few things.

Between buildings we block a few ports on the l3 switches to 'contain 
outbreaks'.

There are three major problems which we are trying to address separetely.

1. The Residence Halls are on the inside of the network. They are coming 
off this summer.

2. Wireless users are on the inside of the network. We are building a 
'guest wireless' system that will be live this summer as well.

3. There are open network jacks all around campus and no kind of NAC in 
place. This isn't being addressed yet.

Also being a university we have a hard time trusting our users and 
enforcing anti-virus installations and patching.

Recently there has been a push to install a transparent firewall in front 
of the server farm. This is being done using a context on our firewall 
services module that protects (be it poorly) the border at the internet. 
However both the server network and internet border are being scanned by 
an IPS.

The question is: given that we are working to take historically abusive 
users off the network, is it really worth the time to install a firewall 
in front of the servers or just use the IPS?

I wonder about the labor required to pull this off for almost 200 servers 
(and Microsoft applications are a bitch). I fear it will be hell to 
manage all the excpetions, ie. one user in a different building needs 
access to a few administrative ports. Not to mention that after it's done 
we'll spend days trying to work out the bugs of things that 'should just 
work' and effects of application upgrades that change ports.

Lastly, is anyone doing any kind of filtering inside the network or is 
only done at the border?

Thoughts?

Regards,
Jason Mishka
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


       
---------------------------------
Be a better friend, newshound, and know-it-all with Yahoo! Mobile.  Try it now.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards