mailing list archives
Host based vs network firewall in datacenter
From: "Zurek, Patrick" <pzurek () uillinois edu>
Date: Tue, 7 Jun 2005 12:33:53 -0500
I graduated from university not long ago and assumed my first job as network administrator in a small datacenter. I've
been lurking here for a while and reading the archives. I've learned a lot from what many of you have had to say, but
I'm having difficulty making the jump from the theory behind the way things should be run (ie. the network design maps
that show the little switch, router & firewall symbols) and the practical applications of that. I was also reluctant
to make this post in fear of getting flamed for having what will come across as a cluess attitude about network
security. Instead of flaming, please correct me, I want to learn.
I'd like to solicit some advice on a firewall implementation. Our solaris only site has two main components, a web
presence which connects to a backend application running on top of Oracle, and a custom application (which
unfortunately also runs on the same host as the database) to which our clients connect. So all our servers need to be
internet facing including the database. Our servers range from small Sun V100s to a F15k. We do not have a firewall
or a NIDS and we do not have administrative control of the router on which to apply stateless ACLs. This was the
situation when I arrived. Fortunately, our hosts are properly configured and reasonably hardened by a competent system
adminstrator. Just recently I've had some luck with management in getting a span port enabled on the switch - in a
month or so I hope to have up a BSD monitoring platform running snort/sguil off a dedicated tap.
These are the options as I see them:
1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
2) Host based firewall - put ipf on the hosts
3) Network firewall behind the router - ???
1) Does not seem feasible to continue to operate this way.
2) As a short term measure I have applied ipfilter on several of our non production hosts. My manager has began to
advocate putting it on all production systems now (about 15 hosts). At first I thought this would be a bad idea, as a
network firewall would ease administration and having to administer seperate rule sets for each server would be
unwieldy. However, after reading the opinions of certain members of the list, I'm at a loss as to how to proceed. I
don't want to purchase something like:
"- Some of the products we're buying simply don't work
- Some of the products we're buying aren't being used
- There is no correlation between cost and effectiveness
of security products"
as MJR said last week. I'm interested in using the right tool for the job. Is ipf on a production Sun 15k a good idea?
3) This option is good because it will allow us to apply stateless ACLs at the gateway and centralize the management of
Bearing in mind that I'm still relatively new to this, and that I'm having trouble bridging the gap between the way
security should be done, and actually implementing it, I'd appreciate any advice and help.
Thanks for reading,
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
- Host based vs network firewall in datacenter Zurek, Patrick (Jun 10)