Firewall Wizards
mailing list archives
Re: Firewall Placement Question
From: "J. Oquendo" <sil () infiltrated net>
Date: Thu, 21 Feb 2008 16:34:44 -0500
I would look into PacketFence or Bradford Software's Campus Manager. I
used it while doing work in the Uni environment.
http://www.bradfordnetworks.com/products/overview.html
http://www.packetfence.org/
The biggest thing you failed to include in your comment was policy. How
are the policies written for the students? What TOS are in place for
resnet use? You shouldn't expect a client NOT TO use P2P if they haven't
been implicitly told "Terms of use legalese wording goes here states
thou shall not use P2P on our network" (remember the students' tuition
payments pay your salary (technically), so think of them as clients and
not students). Policies go a long way when it comes time to cut off
connections.
What should be done is control on all levels. What is the environment
like: collapsed core, three-tiered (access, distribution, core)? Placing
an IPS won't necessarily alleviate/resolve your issues. So you place an
IPS and 20 firewalls in my way to block me from using P2P... I decide to
tunnel, then what?
Look at how your network is designed and take excerpts from standards
and best practices (Cisco SAFE... while not the epitome of what I would
particularly call SAFE... it's a baseline): http://tinyurl.com/29cfto
Personally I'd start with re-vamping policies so no clients cry foul
when you place them on a VLAN to nowhere. There is a lot you could do
without a firewall and (uberBuzzworded) IPS if the design was carefully
looked at, re-designed and deployed. Something I always refer to from
Cisco CCSP studies, "Secure Monitor Test Improve", in this case: Monitor
(see what's going on), Secure (make the necessary changes you need to
make), Improve (improve on those changes).
As for the answer to the buzzword hype... IPS = overrated. Placement...
Depends on your network. If you're using Cisco routers and they can
handle it, depending on what kind of network you're running (Collapsed
Core, etc.), you could get by with some crafty CBACs, VLANs to nowhere,
syslog, some expect scripts. Get creative ;) ... I made myself a VoIP
IPS using syslog and expect... Impressed myself for two minutes; real
world means little, my network differs from others.
--
====================================================
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)
wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
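As an added illustration of the "syslog plus scripts" approach the post suggests (this is example code written for this page, not the author's VoIP IPS or any tool mentioned above), the script below parses constructed syslog lines shaped like IOS ACL log messages (%SEC-6-IPACCESSLOGP), sums denied packets per resnet host for a policy ACL, and returns the hosts that crossed a threshold so an operator or expect script can move them to the quarantine VLAN. The ACL name RESNET-P2P, the hosts and the threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog in the shape of IOS ACL log messages.
# Hostnames, addresses, ports and packet counts are invented.
SAMPLE_SYSLOG = """\
Feb 21 16:01:02 resnet-core 1234: %SEC-6-IPACCESSLOGP: list RESNET-P2P denied tcp 10.20.1.15(6881) -> 203.0.113.7(6881), 12 packets
Feb 21 16:01:09 resnet-core 1235: %SEC-6-IPACCESSLOGP: list RESNET-P2P denied tcp 10.20.1.15(6882) -> 198.51.100.9(6881), 8 packets
Feb 21 16:01:11 resnet-core 1236: %SEC-6-IPACCESSLOGP: list RESNET-P2P denied udp 10.20.1.15(6881) -> 192.0.2.44(6881), 5 packets
Feb 21 16:02:30 resnet-core 1237: %SEC-6-IPACCESSLOGP: list RESNET-P2P denied tcp 10.20.3.8(51000) -> 203.0.113.7(6881), 1 packet
Feb 21 16:03:00 resnet-core 1238: %SEC-6-IPACCESSLOGP: list RESNET-WEB permitted tcp 10.20.1.15(50001) -> 198.51.100.20(80), 1 packet
"""

# One ACL log record: list name, action, protocol, src(port) -> dst(port), count.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\(\d+\), (?P<count>\d+) packets?"
)


def count_policy_hits(syslog_text, acl_name):
    """Sum denied packets per source host for one policy ACL (Monitor step)."""
    hits = Counter()
    for line in syslog_text.splitlines():
        m = ACL_LOG.search(line)
        # Skip unrelated lines, other ACLs, and permitted traffic.
        if not m or m["acl"] != acl_name or m["action"] != "denied":
            continue
        hits[m["src"]] += int(m["count"])
    return hits


def hosts_to_quarantine(syslog_text, acl_name, threshold):
    """Hosts whose denied-packet total reached the policy threshold (Secure step).

    The threshold keeps a single stray hit from triggering a quarantine;
    the returned list is what an expect script would act on.
    """
    hits = count_policy_hits(syslog_text, acl_name)
    return sorted(host for host, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    # Assumed policy: 10 or more denied P2P packets moves the host to quarantine.
    for host in hosts_to_quarantine(SAMPLE_SYSLOG, "RESNET-P2P", threshold=10):
        print(f"quarantine {host}: policy ACL RESNET-P2P threshold reached")
```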