Zurek, Patrick wrote:
> I graduated from university not long ago and assumed my first job as network
> administrator in a small datacenter. I've been lurking here for a while and
> reading the archives. I've learned a lot from what many of you have had to say,
> but I'm having difficulty making the jump from the theory behind the way things
> should be run (ie. the network design maps that show the little switch, router
> & firewall symbols) and the practical applications of that.

Well, congratulations on your new position. The best way to move from theory
to practice is to sent up a small test network or two, and see what "doing it
for real (almost)" is like.

There are two books that you need to get, read, and then re-read until you've
gotten their contents down: "TCP/IP Network Administration", and "Building
Internet Firewalls".

> I was also reluctant to make this post in fear of getting flamed for having
> what will come across as a cluess attitude about network security. Instead
> of flaming, please correct me, I want to learn.

While it's true that this list has some fine arguments, most of them are
friendly. :-)

> I'd like to solicit some advice on a firewall implementation. Our solaris
> only site has two main components, a web presence which connects to a backend
> application running on top of Oracle, and a custom application (which
> unfortunately also runs on the same host as the database) to which our clients
> connect. So all our servers need to be internet facing including the database.

OK. I would start by confirming the requirement for being Internet-routable,
especially with regard to the database, assuming that contains the stuff you
want to protect.

If you can put your DB on a private network and have just the few machines
which genuinely need access able to talk with it, that would probably help your
security out by a useful amount...

[ ... ]
> These are the options as I see them:
> 1) Wide open - keep the hosts locked down tight and keep open services to a minimum.
> 2) Host based firewall - put ipf on the hosts
> 3) Network firewall behind the router - ???
> 1) Does not seem feasible to continue to operate this way.

This approach can work for a while, but it's dangerous.

For instance, you can have services reappear after you apply a patch cluster,
as a new version of the /etc/init.d scripts might be plunked down and turn
stuff back on that you'd previous disabled....

> 2) As a short term measure I have applied ipfilter on several of our non
> production hosts. My manager has began to advocate putting it on all production
> systems now (about 15 hosts).

Host-based firewalls tend to be more useful on Windows boxes, since they can
reduce viruses propogating outwards. Not as important on a Solaris box. It's
better than nothing, but your network is still highly vulnerable a lot of
things like IP spoofing via source-routing.

> 3) This option is good because it will allow us to apply stateless ACLs at
> the gateway and centralize the management of firewall functions.

Yes. You can use a firewall as a bridge, not a router, if you don't want to
adjust your subnetting and have to renetwork your production boxes.

Whether you use stateless rules or dynamic ones is more a matter of taste and
how you've locked the boxes down. The important thing is that the firewall
will provide a chokepoint where you can inspect, block, and monitor traffic, as
well as a spot to prevent people from spoofing internal IP addresses.


firewall-wizards mailing list