Pat, I think you're on the right track, but I would suggest maybe taking a
more holistic approach to your network. I don't think you've come close to
an exhaustive list of options.

For instance, option #1 is a basic hardening approach which involves
patching and disabling unneeded processes. This deals with security at the
application level. Options #2 & #3 deal with just filtering network
traffic. Is your only point of vulnerability via the network? Does it only
exist at services that are NOT in use? Or is it possible (or perhaps even
more likely) that services you want to allow through your filters are usable
attack vectors. So how about normalizing application traffic through a
proxy, or at least encryption and authentication?

Also, you mention a NIDS project you're undertaking, but what about attacks
against those systems that take place over encrypted channels or terminals
or simply aren't part of the mainstream vulnerability lexicon? What
monitoring and controls do you have to ensure that your authenticated users
are authorized users, and that those authorized users only do what they are
authorized to do? What about RBAC? Or a host-based IDS/IPS product?

I realize I've answered your questions with more questions. I hope I'm
giving you more food for thought regarding access control to your systems.
There's plenty more where that came from.

You have a lot of bases to cover and a lot of things to consider beyond the
three options you list below, all of which serve to reduce the risks of
compromise and loss.


PS - Since I hate the answer I just gave you, if you want my non-refundable
$0.02 worth of advice, go with #1 AND #2. Of the options you're already
considering, I think that gives you the most direct benefit.

-----Original Message-----
Subject: [fw-wiz] Host based vs network firewall in datacenter

These are the options as I see them:
1) Wide open - keep the hosts locked down tight and keep open services to a
2) Host based firewall - put ipf on the hosts
3) Network firewall behind the router - ???

1) Does not seem feasible to continue to operate this way.

2) As a short term measure I have applied ipfilter on several of our non
production hosts. My manager has began to advocate putting it on all
production systems now (about 15 hosts). At first I thought this would be a
bad idea, as a network firewall would ease administration and having to
administer seperate rule sets for each server would be unwieldy. However,
after reading the opinions of certain members of the list, I'm at a loss as
to how to proceed. I don't want to purchase something like:

"- Some of the products we're buying simply don't work
- Some of the products we're buying aren't being used
- There is no correlation between cost and effectiveness
of security products"

as MJR said last week. I'm interested in using the right tool for the job.
Is ipf on a production Sun 15k a good idea?

3) This option is good because it will allow us to apply stateless ACLs at
the gateway and centralize the management of firewall functions.

Bearing in mind that I'm still relatively new to this, and that I'm having
trouble bridging the gap between the way security should be done, and
actually implementing it, I'd appreciate any advice and help.

firewall-wizards mailing list