Firewall Wizards mailing list archives
Re: Firewall Placement Question
From: "Aniket S. Amdekar" <aniket_zpm () yahoo com>
Date: Fri, 22 Feb 2008 03:11:55 -0800 (PST)
Hi, I would like to suggest you go for a solution that integrates the wireless security with the perimeter security of the university you are working with. SonicWALL could be an option to begin with. They have a product for firewalls with wireless security. You also have an option to go for user-based security configuration, where you can block specific users from accessing particular networks or websites. You can set a policy for the rogue access points, which provides you with an option to configure NAC for the network jacks.

Since you have said that "also being a university we have a hard time trusting our users and enforcing anti-virus installations and patching", you can group those users and apply special policies for them which would enable you to control the sites being accessed. Most of the solutions available in the market will allow you to configure guest profiles for the wireless users.

If you have already purchased such a solution for your university, you can use the following pointers for the deployment of the security policy throughout the network:

· Guest accounts for the wireless users.
· Add a group of the students in the university and configure a special policy specifying the blocked and allowed content and sites.
· Configure a policy for the rogue access points (network jacks) specifying their ability to access the networks.
· Configure a compliance policy for the network which will specify the minimum system configuration along with the software required in order to access/enter the network. In this way you can enforce the installation of the antivirus software on the clients.
· In order to take historically abusive users off the network, you can add them to a specific group and prohibit all access for that group.
· With the SonicWALL firewalls, you can configure the rules between zones (in your case the server farm and the users in the network), create exceptions if a user needs to access a particular port, and later remove that exception from the system.
· As far as the internal filtering is concerned, you can achieve that using the zones and the user groups, and configuring access rules between them.

I wrote this article since I was working with SonicWALL support and came across a lot of implementations in environments similar to the one specified by Jason.

Thanks and Regards,
Aniket Amdekar

jason () tacorp com wrote:

I would like to hear some thoughts on the placement of a firewall. My intent isn't to start a flame but to debate the usefulness of two technologies inside the network: firewall vs. IPSs.

The network which I manage is a university network that hasn't been looked after very well with regards to security and access control. Right now there is a head-end firewall that's 'inverted', as we say: that is, we allow everything and just block a few things. Between buildings we block a few ports on the L3 switches to 'contain outbreaks'. There are three major problems which we are trying to address separately.

1. The Residence Halls are on the inside of the network. They are coming off this summer.
2. Wireless users are on the inside of the network. We are building a 'guest wireless' system that will be live this summer as well.
3. There are open network jacks all around campus and no kind of NAC in place. This isn't being addressed yet.

Also being a university we have a hard time trusting our users and enforcing anti-virus installations and patching.

Recently there has been a push to install a transparent firewall in front of the server farm. This is being done using a context on our firewall services module that protects (be it poorly) the border at the internet. However, both the server network and internet border are being scanned by an IPS.

The question is: given that we are working to take historically abusive users off the network, is it really worth the time to install a firewall in front of the servers, or just use the IPS? I wonder about the labor required to pull this off for almost 200 servers (and Microsoft applications are a bitch). I fear it will be hell to manage all the exceptions, i.e. one user in a different building needs access to a few administrative ports. Not to mention that after it's done we'll spend days trying to work out the bugs of things that 'should just work' and the effects of application upgrades that change ports.

Lastly, is anyone doing any kind of filtering inside the network, or is it only done at the border?

Thoughts?

Regards,
Jason Mishka

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
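The zone-to-zone rules, quarantine group and per-host port exceptions that the reply recommends, as an added example in Python. This is not part of the original thread and is not SonicWALL's configuration syntax; the address plan, zone names, ports, ticket numbers and expiry dates are all constructed. It addresses the exception-management worry in Jason's post by giving every exception a ticket and an expiry so lapsed ones can be listed and removed from the device rather than accumulating.

```python
"""Zone-based access policy with a quarantine group and expiring
per-host exceptions.

Added example, not part of the original thread and not SonicWALL's
configuration syntax. Zones, addresses, ports, tickets and dates are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed address plan, one zone per campus network type.
ZONES = {
    "server_farm": ip_network("10.10.0.0/16"),
    "users": ip_network("10.20.0.0/16"),
    "resnet": ip_network("10.30.0.0/16"),
    "guest_wifi": ip_network("10.40.0.0/16"),
}

# Historically abusive hosts: denied everything regardless of rules.
QUARANTINE = {ip_address("10.20.9.9")}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"


@dataclass(frozen=True)
class HostException:
    src_host: str
    dst_host: str
    proto: str
    dst_port: int
    expires: date
    ticket: str              # why the hole exists, for later review


# Zone-to-zone rules, first match wins; anything unmatched is denied.
RULES = [
    Rule("users", "server_farm", "tcp", 443, "allow"),
    Rule("users", "server_farm", "tcp", 445, "allow"),
    Rule("resnet", "server_farm", "tcp", 443, "allow"),
    Rule("guest_wifi", "server_farm", "any", None, "deny"),
]

# One-off holes for single hosts, each with a ticket and an expiry.
EXCEPTIONS = [
    HostException("10.20.5.7", "10.10.1.20", "tcp", 3389, date(2008, 3, 31), "TKT-101"),
    HostException("10.30.2.2", "10.10.1.30", "tcp", 1433, date(2008, 2, 1), "TKT-077"),
]

TODAY = date(2008, 2, 22)        # date of the thread
AFTER_EXPIRY = date(2008, 4, 1)  # TKT-101 has lapsed by then


def zone_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(src: str, dst: str, proto: str, dst_port: int, today: date) -> str:
    """Decide a flow: 'allow:<why>' or 'deny:<why>'."""
    if ip_address(src) in QUARANTINE:
        return "deny:quarantine"
    for ex in EXCEPTIONS:
        if (ex.src_host, ex.dst_host, ex.proto, ex.dst_port) == (src, dst, proto, dst_port):
            if today <= ex.expires:
                return f"allow:exception {ex.ticket}"
            # expired: grants nothing, fall through to the zone rules
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny:unknown-zone"
    if sz == dz:
        return "allow:intra-zone"
    for r in RULES:
        if (r.src_zone == sz and r.dst_zone == dz
                and r.proto in ("any", proto)
                and r.dst_port in (None, dst_port)):
            return f"{r.action}:rule"
    return "deny:default"


def expired_exceptions(today: date) -> List[str]:
    """Tickets whose exception has lapsed and should be pulled from the device."""
    return [ex.ticket for ex in EXCEPTIONS if ex.expires < today]


def demo_results(today: date = TODAY) -> Dict[Tuple[str, str, str, int], str]:
    """Evaluate a set of constructed flows and return the decisions."""
    flows = [
        ("10.20.1.1", "10.10.1.20", "tcp", 443),   # user to web server
        ("10.20.1.1", "10.10.1.20", "tcp", 3389),  # admin port, no exception
        ("10.20.5.7", "10.10.1.20", "tcp", 3389),  # ticketed exception
        ("10.30.2.2", "10.10.1.30", "tcp", 1433),  # exception already expired
        ("10.40.1.1", "10.10.1.20", "tcp", 443),   # guest wifi, explicit deny
        ("10.20.9.9", "10.10.1.20", "tcp", 443),   # quarantined host
    ]
    return {f: evaluate(*f, today) for f in flows}


if __name__ == "__main__":
    for flow, decision in demo_results().items():
        print(flow, "->", decision)
    print("expired, remove from device:", expired_exceptions(TODAY))
```

The ordering matters: quarantine is checked before any exception so that an abusive host cannot ride an old ticket, and an expired exception falls through to the zone rules rather than being treated as a deny, so the host keeps whatever its zone normally gets. Running `expired_exceptions` on a schedule is the cheap way to keep the exception list from growing without bound on a device protecting a couple of hundred servers.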