firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Isolating internal servers behind firewalls (Behm, Jeffrey L.)
2. Re: Isolating internal servers behind firewalls (Bill Royds)
3. Re: Isolating internal servers behind firewalls (Marcin Antkiewicz)
4. Re: Isolating internal servers behind firewalls (jason@tacorp.com)
5. Re: Isolating internal servers behind firewalls (K K)
6. Re: Isolating internal servers behind firewalls (sai)
----------------------------------------------------------------------
Message: 1
Date: Mon, 10 Sep 2007 08:09:17 -0500
From: "Behm, Jeffrey L." <BehmJL@bv.com>
Subject: Re: [fw-wiz] Isolating internal servers behind firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<0C3670BC9169B244AA6E7B2E436180D19637CE@TSMC-MAIL-04.na.bvcorp.net>
Content-Type: text/plain; charset="us-ascii"
You may end up opening up so much stuff in the firewall(s) that they
pretty much become Swiss cheese anyway. And much of the stuff you would
open up would be the same things that would be used as an attack
vector.
How many new exploits come in via chargen nowadays, which you could
block, vs. how many come in via Microsoft networking (ports 445, 137,
139, etc.), which you would have open if you want file shares to work?
If you find you have a hacked firewall, you have much bigger problems
than broken access from clients to servers.
That centralized maintenance the security group wants *can* be a pain in
the rear end, depending on how dynamic your environment is, whether you
let just anyone come in and get a DHCP address, etc. Who's
watching/auditing the security group to ensure they are implementing
everything correctly? That maintenance, when it does become such a pain,
always gets migrated down to the low man on the totem pole, where there
is a greater risk of improper implementation, i.e., you probably won't
have the senior InfoSec guy implementing rules for individual
users/machines; that's the new guy's job, and Mr. BigShot doesn't have
time for such menial maintenance.
It's a trade-off between securing down to the gnat's rear end at
additional cost/maintenance vs. having "adequate" security at lower cost
& easier maintenance. And don't forget that there's always the layer 8
requirements to deal with based on what just came out in E-Week.
Jeff (Disclaimer: My opinions are my own, and do not necessarily reflect
those of any other entity)
On Monday, May 07, 2007 2:35 PM, Dan Lynch said:
How prevalent is it to segregate internal use servers away from internal
clients behind firewalls? What benefits might we gain from the practice?
What threats are we protected from?
The firewall/security group argues that servers and clients should exist
in separate security zones, and that consolidating servers behind
firewalls allows us to
- Control which clients connect to which servers on what ports
- Centralized administration of that network access
- Centralized logging of network access
- a single point for intrusion detection and prevention measures
These benefits protect us from risk associated with internal attackers
and infected mobile devices or vendor workstations.
On the other hand, the server team counters that
- troubleshooting problems becomes more difficult
- firewall restrictions on which workstations can perform administration
makes general maintenance inconvenient, esp. in an emergency
- the threats we're countering are exceedingly rare
- a broken (or hacked) firewall config breaks all access to servers if
consolidated behind firewalls
Any and all thoughts are appreciated.
------------------------------
Message: 2
Date: Sat, 8 Sep 2007 14:00:09 -0400
From: "Bill Royds" <firewall@royds.net>
Subject: Re: [fw-wiz] Isolating internal servers behind firewalls
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <000301c7f242$18e45910$6602a8c0@BillDell>
Content-Type: text/plain; charset="us-ascii"
> From: Dan Lynch
> Sent: Monday, May 07, 2007 3:35 PM
> How prevalent is it to segregate internal use servers away
> from internal
> clients behind firewalls? What benefits might we gain from
> the practice?
> What threats are we protected from?
>
In my experience, having servers on a separate segment controlled by
routers/switches with ACL is the most common configuration, with appliance
firewalls segregating segments also common. You enumerate many of the
advantages.
> The firewall/security group argues that servers and clients
> should exist
> in separate security zones, and that consolidating servers behind
> firewalls allows us to
> - Control which clients connect to which servers on what ports
> - Centralized administration of that network access
> - Centralized logging of network access
> - a single point for intrusion detection and prevention measures
>
> These benefits protect us from risk associated with internal attackers
> and infected mobile devices or vendor workstations.
>
Counter arguments to disadvantages below.
> On the other hand, the server team counters that
>
> - troubleshooting problems becomes more difficult
Actually, segregation will ease troubleshooting, since traffic is monitored and
should be logged. Since both domain controllers and application servers are on
the same segment, the only traffic across the internal firewall should be client
access to these servers.
> - firewall restrictions on which workstations can perform
> administration
> makes general maintenance inconvenient, esp. in an emergency
If you have proper change control management, this should not be a problem.
In fact, a good firewall helps guarantee controlled change by ensuring
documentation of all changes to server configurations. During an emergency, you
don't want uncontrolled changes, which could make the emergency worse.
> - the threats we're countering are exceedingly rare
Internal threats are the most common kind, more often mistakes rather than
malicious acts, but causing damage just the same.
> - a broken (or hacked) firewall config breaks all access to servers if
> consolidated behind firewalls
No more so than a broken or hacked server configuration. The same problem of
blocked access happens if routing is broken as well, so it really is a
non-issue.
>
> Any and all thoughts are appreciated.
>
>
> Dan Lynch, CISSP
> Information Technology Analyst
> County of Placer
> Auburn, CA
------------------------------
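Bill's answer argues that the firewall's logs make troubleshooting easier rather than harder, and Kevin's message later in this digest names the worms (Nachi, Welchia, Slammer) that the same logs would expose. The Python below is an added illustration of both uses of one deny log; it is not code from the list or from any vendor. The log lines are constructed, their layout is modelled on the Cisco ASA/FWSM "%ASA-4-106023 Deny" syslog message, and the hostnames, addresses and access-group names are invented. Only the TCP/UDP form of that message is parsed; the ICMP form is laid out differently and is skipped.

```python
"""Two views of one firewall deny log: per-host troubleshooting and scan detection.

Added example for this digest. The log lines are constructed; their layout is
modelled on the Cisco ASA/FWSM 106023 message (TCP/UDP form only).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Fields of a 106023 deny record: protocol, source interface:ip/port,
# destination interface:ip/port and the access-group that denied it.
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>tcp|udp) '
    r'src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: one user hitting two blocked services, one client
# spraying udp/1434 across the SQL segment, one server trying to leave,
# and one unrelated "Built connection" record the parser must ignore.
SAMPLE_LOG = """\
Sep 10 08:09:17 fw01 %ASA-4-106023: Deny tcp src clients:10.10.7.21/51620 dst servers:10.20.2.9/1433 by access-group "clients_in" [0x0, 0x0]
Sep 10 08:09:18 fw01 %ASA-6-302013: Built inbound TCP connection 88211 for clients:10.10.7.21/51621 (10.10.7.21/51621) to servers:10.20.1.5/445 (10.20.1.5/445)
Sep 10 08:09:20 fw01 %ASA-4-106023: Deny tcp src clients:10.10.7.21/51622 dst servers:10.20.3.4/8080 by access-group "clients_in" [0x0, 0x0]
Sep 10 08:09:21 fw01 %ASA-4-106023: Deny udp src clients:10.10.9.77/1170 dst servers:10.20.2.1/1434 by access-group "clients_in" [0x0, 0x0]
Sep 10 08:09:21 fw01 %ASA-4-106023: Deny udp src clients:10.10.9.77/1170 dst servers:10.20.2.2/1434 by access-group "clients_in" [0x0, 0x0]
Sep 10 08:09:21 fw01 %ASA-4-106023: Deny udp src clients:10.10.9.77/1170 dst servers:10.20.2.3/1434 by access-group "clients_in" [0x0, 0x0]
Sep 10 08:09:21 fw01 %ASA-4-106023: Deny udp src clients:10.10.9.77/1170 dst servers:10.20.2.4/1434 by access-group "clients_in" [0x0, 0x0]
Sep 10 08:09:22 fw01 %ASA-4-106023: Deny udp src clients:10.10.9.77/1170 dst servers:10.20.2.5/1434 by access-group "clients_in" [0x0, 0x0]
Sep 10 08:09:22 fw01 %ASA-4-106023: Deny udp src clients:10.10.9.77/1170 dst servers:10.20.2.6/1434 by access-group "clients_in" [0x0, 0x0]
Sep 10 08:09:25 fw01 %ASA-4-106023: Deny tcp src servers:10.20.3.4/40022 dst outside:203.0.113.8/80 by access-group "servers_out" [0x0, 0x0]
"""

Event = Dict[str, object]


def parse_denies(lines: Iterable[str]) -> List[Event]:
    """Keep only 106023 deny records; anything else (e.g. 302013 'Built') is dropped."""
    events: List[Event] = []
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events


def blocked_for(events: List[Event], src_ip: str) -> List[Tuple[str, str, int, str]]:
    """Troubleshooting view: what is denied for this host, and by which access-group."""
    return sorted({(e["dip"], e["proto"], e["dport"], e["acl"])
                   for e in events if e["sip"] == src_ip})


def fanout_scanners(events: List[Event], min_targets: int = 5) -> Dict[Tuple[str, str, int], int]:
    """Detection view: sources whose denied flows to one port fan out across many hosts."""
    targets = defaultdict(set)
    for e in events:
        targets[(e["sip"], e["proto"], e["dport"])].add(e["dip"])
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG.splitlines())
    print("denied for 10.10.7.21:", blocked_for(evs, "10.10.7.21"))
    print("scan-like sources:", fanout_scanners(evs))
```

The first function answers the server team's complaint directly: when a user says "the application does not work", one query against the deny log tells you which destination, port and access-group is in the way, which is information an unsegmented network never records. The second function is the same data read the other way: a single client denied to six SQL hosts on udp/1434 within a second is the signature of a scanning worm, and the firewall has both logged it and stopped it at the server boundary.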
Message: 3
Date: Sun, 9 Sep 2007 23:33:53 -0500 (CDT)
From: Marcin Antkiewicz <firewallwizards@kajtek.org>
Subject: Re: [fw-wiz] Isolating internal servers behind firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: DLynch@placer.ca.gov
Message-ID: <Pine.LNX.4.64.0709092201220.6749@runt.uhhh.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Hello,
> How prevalent is it to segregate internal use servers away from internal
> clients behind firewalls? What benefits might we gain from the practice?
> What threats are we protected from?
I asked google for more information - you asked this question before, but
what came back could not be used verbatim in a meeting with the sysadmin
group. I could add more vague suggestions, but it will not help.
You need to pay someone to look at your environment (employee or
contractor; competent; I am not interested), and produce a set of
policies and technical measures to implement them.
That will not happen without director or c-level buy-in, and support on
that level is a prerequisite for success (ensures that you will not get
fired for obstructing projects and being annoying).
--
Marcin Antkiewicz
------------------------------
Message: 4
Date: Sun, 9 Sep 2007 13:11:33 -0400 (EDT)
From: jason@tacorp.com
Subject: Re: [fw-wiz] Isolating internal servers behind firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20070909130407.Y18613@phoenix.cnwr.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Dan,
This is something our organization has just begun doing. We are a state
university that has student users on the inside of the network and we have
some of the same fears.
After we began designing it we realized it was actually easier than it
sounds. We have a Cisco firewall services module that we use for our head
end. We simply created another context on this unit, but the key was
that it can be done in 'transparent mode' which actually bridges the
interfaces instead of routing them. So, for a given network, you can move
a machine behind a firewall and not even have to renumber it. If it
doesn't work, patch it back to the other side and go find out what was
wrong. It's as simple as having 1 vlan that's not protected and 1 vlan
that's protected.
If you can clearly define your services into roles and create clean
object-groups out of them, it's easy enough to drop a server into a role
then move it to the other vlan.
Jason Mishka - "I'm like a Subway in a land of McDonalds..."
On Mon, 7 May 2007, Dan Lynch wrote:
> Greetings list,
>
> I'm looking for opinions on internal enterprise network firewalling. Our
> environment is almost exclusively Microsoft Active Directory-based.
> There are general purpose file servers, AD domain controllers, SMS
> servers, Exchange servers, and MS-SQL-based database app servers. In all
> about 80+ servers for over 2500 users on about 2000 client machines, all
> running Windows XP.
>
> How prevalent is it to segregate internal use servers away from internal
> clients behind firewalls? What benefits might we gain from the practice?
> What threats are we protected from?
>
> The firewall/security group argues that servers and clients should exist
> in separate security zones, and that consolidating servers behind
> firewalls allows us to
> - Control which clients connect to which servers on what ports
> - Centralized administration of that network access
> - Centralized logging of network access
> - a single point for intrusion detection and prevention measures
>
> These benefits protect us from risk associated with internal attackers
> and infected mobile devices or vendor workstations.
>
> On the other hand, the server team counters that
>
> - troubleshooting problems becomes more difficult
> - firewall restrictions on which workstations can perform administration
> makes general maintenance inconvenient, esp. in an emergency
> - the threats we're countering are exceedingly rare
> - a broken (or hacked) firewall config breaks all access to servers if
> consolidated behind firewalls
>
> Any and all thoughts are appreciated.
>
>
> Dan Lynch, CISSP
> Information Technology Analyst
> County of Placer
> Auburn, CA
------------------------------
Message: 5
Date: Sat, 8 Sep 2007 14:34:51 -0500
From: "K K" <kkadow@gmail.com>
Subject: Re: [fw-wiz] Isolating internal servers behind firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<dc718edc0709081234q6a21d3b9qf7745323ddb27ed@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 5/7/07, Dan Lynch <DLynch@placer.ca.gov> wrote:
> I'm looking for opinions on internal enterprise network firewalling. Our
> environment is almost exclusively Microsoft Active Directory-based.
> There are general purpose file servers, AD domain controllers, SMS
> servers, Exchange servers, and MS-SQL-based database app servers. In all
> about 80+ servers for over 2500 users on about 2000 client machines, all
> running Windows XP.
>
> How prevalent is it to segregate internal use servers away from internal
> clients behind firewalls? What benefits might we gain from the practice?
It's common to isolate production servers from development and from
users, or even to isolate servers from other servers. Aside from the
obvious, having a strict "that which is not explicitly permitted is
denied" policy ensures that new services just don't appear out of the
blue without some formal process and approval. Also valuable to take
into account is that the policy should not only restrict what is
permitted inbound towards servers, but what is permitted out from the
servers towards other internal segments, and towards the Internet.
I've also dealt with sites where the server admins convinced
management that a strong policy was too much of a hardship, and that
the firewall group should instead be required to implement a
"negative" policy, of only blocking the bad stuff. This was a
disaster.
If the company is not going to be willing to implement a strong
"positive" firewall policy, then your needs might be better served by
installing NIDS.
> What threats are we protected from?
Nachi, Welchia, SQL-Slammer, Joe in accounts-payable, etc.
In a pure Microsoft monoculture, you have to consider not only the
obvious risk of an epidemic due to a fast-spreading worm, but also
that uniform system administration can mean uniform exposure when an
administrator's password is compromised.
Kevin
------------------------------
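Messages 1, 4 and 5 turn on the same design decision: Jason's object-groups of servers by role, Kevin's positive policy in which "that which is not explicitly permitted is denied" (outbound from the servers included), and Jeff's warning that the ports you must open for Windows networking are exactly the ones an attacker uses. The Python below is an added illustration of that decision, not code from the list or from any vendor: it evaluates a role-based allowlist and a blocklist of the kind Kevin describes over the same six flows. Group names, rule names, addresses and the flows are constructed for the example; the ports are the Windows/AD services the original question names (SMB, NetBIOS, DNS, Kerberos, LDAP, RPC, MS-SQL, RDP).

```python
"""Role-based default-deny policy versus a blocklist, evaluated over sample flows.

Added example for this digest; addresses, group names, rule names and flows are
constructed. First matching rule wins; an unmatched flow hits the implicit deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Object groups ("roles"): the only place addresses appear, so moving a server
# into or out of a role means editing one line, not many rules.
GROUPS: Dict[str, List[str]] = {
    "CLIENTS":      ["10.10.0.0/16"],
    "ADMIN_WS":     ["10.10.5.10/32", "10.10.5.11/32"],   # the few admin workstations
    "DCS":          ["10.20.0.10/32", "10.20.0.11/32"],
    "FILE_SERVERS": ["10.20.1.0/24"],
    "SQL_SERVERS":  ["10.20.2.0/24"],
    "APP_SERVERS":  ["10.20.3.0/24"],
    "SERVERS":      ["10.20.0.0/16"],
    "ANY":          ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "permit" or "deny"
    src: str                 # object-group names
    dst: str
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, ...]   # empty tuple = any destination port


T, U = "tcp", "udp"

# Positive policy: only named client-to-role and role-to-role flows are permitted.
POSITIVE_POLICY: List[Rule] = [
    # Logon, GPO, DNS, Kerberos, LDAP and SMB against the domain controllers.
    Rule("clients-to-dc-tcp", "permit", "CLIENTS", "DCS", T, (53, 88, 135, 139, 389, 445, 636, 3268)),
    Rule("clients-to-dc-udp", "permit", "CLIENTS", "DCS", U, (53, 88, 123, 137, 389)),
    # File shares: the one port users need, and also the one port worms need.
    Rule("clients-to-files", "permit", "CLIENTS", "FILE_SERVERS", T, (445,)),
    # Users reach the application tier; only the application tier reaches SQL.
    Rule("clients-to-app", "permit", "CLIENTS", "APP_SERVERS", T, (80, 443)),
    Rule("app-to-sql", "permit", "APP_SERVERS", "SQL_SERVERS", T, (1433,)),
    # Remote administration only from the admin workstations.
    Rule("admin-rdp", "permit", "ADMIN_WS", "SERVERS", T, (3389,)),
    # Servers may talk to the DCs; every other flow leaving the server segment is denied.
    Rule("servers-to-dc", "permit", "SERVERS", "DCS", "any", ()),
    Rule("servers-out", "deny", "SERVERS", "ANY", "any", ()),
]

# Negative policy of the kind the message above describes: block a few known-bad
# services and permit everything else.
NEGATIVE_POLICY: List[Rule] = [
    Rule("block-chargen", "deny", "ANY", "ANY", "any", (19,)),
    Rule("block-telnet", "deny", "ANY", "ANY", T, (23,)),
    Rule("permit-rest", "permit", "ANY", "ANY", "any", ()),
]


def in_group(addr: str, group: str) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in GROUPS[group])


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else the implicit deny."""
    for r in policy:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.ports and port not in r.ports:
            continue
        if in_group(src, r.src) and in_group(dst, r.dst):
            return r.action, r.name
    return "deny", "implicit-deny"


# Constructed flows: (src, dst, proto, port, what the flow represents).
FLOWS = [
    ("10.10.7.21", "10.20.1.5",   T, 445,  "client opens a file share"),
    ("10.10.7.21", "10.20.2.9",   T, 1433, "client connects straight to SQL"),
    ("10.10.7.21", "10.20.2.9",   U, 1434, "Slammer-style probe of the SQL resolution service"),
    ("10.20.1.5",  "10.10.7.21",  T, 445,  "file server connects back into the client segment"),
    ("10.20.3.4",  "203.0.113.8", T, 80,   "app server reaches the Internet"),
    ("10.10.7.21", "10.20.3.4",   T, 8080, "client reaches a listener that appeared on an app server"),
]


def compare(flows=FLOWS) -> Dict[str, Tuple[str, str]]:
    """Map each flow's description to (positive-policy action, negative-policy action)."""
    return {why: (evaluate(POSITIVE_POLICY, s, d, p, port)[0],
                  evaluate(NEGATIVE_POLICY, s, d, p, port)[0])
            for s, d, p, port, why in flows}


if __name__ == "__main__":
    for why, (pos, neg) in compare().items():
        print(f"{why:58s} positive={pos:6s} negative={neg}")
```

Running it shows the two policies agreeing on exactly one flow, the file-share open on tcp/445: that is Jeff's point, since the port users need is the one a worm on a client would use, and a server-segment firewall does nothing about it. Everywhere else they differ. Under the allowlist a client cannot reach SQL directly, a Slammer probe on udp/1434 is dropped, a compromised file server cannot connect back into the client segment, an application server cannot reach the Internet, and a listener that quietly appeared on port 8080 is unreachable until someone asks for a rule; under the blocklist all of those are permitted because nobody thought to block them.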
Message: 6
Date: Mon, 10 Sep 2007 12:34:04 +0500
From: sai <sonicsai@gmail.com>
Subject: Re: [fw-wiz] Isolating internal servers behind firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<41d04d600709100034q27050241l5ca8240bb62fcb7e@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
I'd agree with both viewpoints :-)
Which way you go depends on what your priorities are.
However, [a] I reckon that troubleshooting is easier if you know
what's going on in your network. The firewall logs will usually help in
this, not hinder you.
[b] Most threats are very rare; that doesn't mean that you should ignore them all.
sai
On 5/8/07, Dan Lynch <DLynch@placer.ca.gov> wrote:
> Greetings list,
>
> I'm looking for opinions on internal enterprise network firewalling. Our
> environment is almost exclusively Microsoft Active Directory-based.
> There are general purpose file servers, AD domain controllers, SMS
> servers, Exchange servers, and MS-SQL-based database app servers. In all
> about 80+ servers for over 2500 users on about 2000 client machines, all
> running Windows XP.
>
> How prevalent is it to segregate internal use servers away from internal
> clients behind firewalls? What benefits might we gain from the practice?
> What threats are we protected from?
>
> The firewall/security group argues that servers and clients should exist
> in separate security zones, and that consolidating servers behind
> firewalls allows us to
> - Control which clients connect to which servers on what ports
> - Centralized administration of that network access
> - Centralized logging of network access
> - a single point for intrusion detection and prevention measures
>
> These benefits protect us from risk associated with internal attackers
> and infected mobile devices or vendor workstations.
>
> On the other hand, the server team counters that
>
> - troubleshooting problems becomes more difficult
> - firewall restrictions on which workstations can perform administration
> makes general maintenance inconvenient, esp. in an emergency
> - the threats we're countering are exceedingly rare
> - a broken (or hacked) firewall config breaks all access to servers if
> consolidated behind firewalls
>
> Any and all thoughts are appreciated.
>
>
> Dan Lynch, CISSP
> Information Technology Analyst
> County of Placer
> Auburn, CA
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 17, Issue 7
***********************************************