Firewall Wizards
mailing list archives
Re: Facts, not Fiction
From: Chris Brenton <cbrenton () sover net>
Date: Fri, 14 Nov 1997 16:25:15 -0500
Bennett Todd wrote:
>> I guess I have a bit of a problem with blanket statements like this
>> one. It insinuates that there is a "one size fits all" solution to
>> protecting a network which is clearly not the case. A risk analysis
>> should be performed in order to determine what level of security is
>> actually required.
> I hadn't really thought about it in as many words before, but now that
> you rub my nose in it, I guess I have come to endorse a bit of a ``one
> size fits all'' approach to firewalls. Really, it's more like a few sizes
> fit all, though.
I had no intentions of "rubbing anyone's nose" on this issue. You are
absolutely right. When you find something that works, it's human nature to
stick with it.
> - If it's a tiny shop with a trivial security policy and a near-zero
> budget, set 'em up with a trivial little firewall based on my OS of
> choice (Red Hat Linux)
I've done this myself. The bonus I see to this is that if your client does
not understand the system, they are less likely to shoot themselves in the
foot. Checking logs now becomes a bit of a problem though. An easy fix is to
simply parse the logs and dump them in a mail file so the local admin can
pick them up with a POP or IMAP client. This of course assumes that they
will at least understand what they are looking at.
> - If there's enough more money around to be able to afford it, toss a
> Cisco 2500-series router just outside the above fw configured as a
> screening router.
Depends on the connect speed. The 2500 is a "run from flash" machine which
makes it a little slow compared to the larger boxes (especially once you add
access lists). If the connect speed is 384K or less (common for small
shops), it should be fine. If it's a full T1, look to a faster router.
> My feeling is that a risk analysis is valuable, but that you only really
> get the benefit of it when you have a nearly-infinite budget; when funds
> are tight the cost of the detailed analysis comes out of the
> implementation budget,
This depends on how "in depth" you want to get. To go back to my original
examples, an evaluation of the Mac-only network could easily take place
during the initial planning meeting. With the case involving the bank, you
are absolutely right. I would expect to spend at least a week or more
performing the evaluation before I would make any specific suggestion. Yes,
this adds to the cost of the implementation, but it could be considered
negligible compared to what the company has to lose.
I've found that this process is somewhat self-adjusting. The companies that
have the most to lose are usually in the best position to afford going
through a needs analysis. Again, this goes back to the point of "one size
does not fit all". Some companies will need to have a real evaluation
performed while others can get away with just a quick review.
Cheers,
Chris
******************
cbrenton () sover net
http://www.amazon.com/exec/obidos/ISBN=0782120822/9715-9242453-752818
Nothing is fool-proof to a sufficiently talented fool.
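Chris's suggestion of parsing the firewall logs into a mail file for the local admin, as an added example that is not part of the original thread. The syslog-style line layout, the host names and the addresses below are constructed for the example (not a real ipfwadm/ipchains capture), and the script only builds the digest message; delivery into the POP/IMAP mailbox is left to the local MTA or an mbox append.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Constructed sample log in a generic syslog style; the field layout is an
# assumption for this example, not the format of any particular firewall.
SAMPLE_LOG = """\
Nov 14 15:01:07 fw kernel: DENY eth0 tcp 10.9.8.7:3322 -> 192.168.1.10:23
Nov 14 15:01:09 fw kernel: DENY eth0 tcp 10.9.8.7:3323 -> 192.168.1.10:23
Nov 14 15:02:41 fw kernel: ACCEPT eth0 tcp 172.16.5.5:1025 -> 192.168.1.20:25
Nov 14 15:03:12 fw kernel: DENY eth0 udp 10.9.8.7:4000 -> 192.168.1.10:111
Nov 14 15:05:55 fw kernel: DENY eth0 tcp 203.0.113.9:2048 -> 192.168.1.10:23
Nov 14 15:06:00 fw kernel: this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+"
    r"(?P<action>DENY|ACCEPT)\s+(?P<iface>\S+)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are dropped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def summarize_denied(events):
    """Count DENY events by source address and by (proto, destination port)."""
    denied = [e for e in events if e["action"] == "DENY"]
    return {
        "total": len(denied),
        "by_source": Counter(e["src"] for e in denied),
        "by_service": Counter((e["proto"], e["dport"]) for e in denied),
    }


def render_digest(summary):
    """Plain-text body a non-specialist admin can read in any mail client."""
    lines = [f"Denied packets: {summary['total']}", "", "Top sources:"]
    for src, n in summary["by_source"].most_common():
        lines.append(f"  {src:<16} {n}")
    lines += ["", "Targeted services (proto/port):"]
    for (proto, port), n in summary["by_service"].most_common():
        lines.append(f"  {proto}/{port:<6} {n}")
    return "\n".join(lines) + "\n"


def build_digest_message(summary, sender, recipient):
    """Wrap the digest in a mail message ready to drop into a mailbox."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"Firewall digest: {summary['total']} denied packets"
    msg.set_content(render_digest(summary))
    return msg


if __name__ == "__main__":
    summary = summarize_denied(parse_log(SAMPLE_LOG))
    # Addresses are hypothetical; hand the message to the local MTA or
    # append it to the admin's mbox to make it visible over POP/IMAP.
    print(build_digest_message(summary, "firewall@example.net", "admin@example.net"))
```

Summarising rather than forwarding raw lines is deliberate: a short count of denied packets per source and per targeted service is what an admin who "will at least understand what they are looking at" can act on, and lines that do not match the expected layout are dropped rather than half-parsed so a malformed entry cannot corrupt the counts.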