Hash: SHA1

Patrick Zurek said:
> These are the options as I see them:
> 1) Wide open - keep the hosts locked down tight and keep open services to
> a minimum.
> 2) Host based firewall - put ipf on the hosts
> 3) Network firewall behind the router - ???

> 1) Does not seem feasible to continue to operate this way.

I agree 100%.

> 2) As a short term measure I have applied ipfilter on several of our non
> production hosts. My manager has began to advocate putting it on all
> production systems now (about 15 hosts). At first I thought this would be
> a bad idea, as a network firewall would ease administration and having to
> administer seperate rule sets for each server would be unwieldy. However,
> after reading the opinions of certain members of the list, I'm at a loss
> as to how to proceed.

> I'm interested in using the right tool for the
> job. Is ipf on a production Sun 15k a good idea?

I guess it all depends on your workload of the servers. If they are
handling 1000's of packets per second, then the overhead of doing packet
filtering on each client might be a bit overwhelming.

> 3) This option is good because it will allow us to apply stateless ACLs at
> the gateway and centralize the management of firewall functions.

You might want to look into a Linux/BSD system setup as an in-line
firewall. Basically, the system has two NICs setup as a bridge. The
traffic IP addresses don't get translated, but the system can filter using
IPTables rules. I think the latest Linux Journal discussed this setup.

If you can't convince your bosses this step is necessary, present these
scenarios to them:
1: Someone starts sending DoS traffic to your systems as they are no.
Each machine has to investigate each packet and drop it themselves, plus
intra-server traffic will be impacted.
2: Same situation, but you have a single firewall as a chokepoint. This
single system is stopping all those 'bad' packets before they ever have a
chance to get to your servers. This keeps your internal network available
for the valuable traffic and the trash off it.


- - - - -
Wait for that wisest of all counselors, Time.
-- Pericles
"I do not fear computer,I fear the lack of them."
-- Isaac Asimov
GPG fingerprint:9EE8 ABAE 10D3 0B55 C536 E17A 3620 4DCA A533 19BF

Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCqf7wNiBNyqUzGb8RAit5AJ9jMIltbrBZ4PmuJMLynX Dix+209wCeMf3M
firewall-wizards mailing list