Saturday, April 23, 2011

firewall-wizards Digest, Vol 57, Issue 4

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Query: Role of Firewalls within a SAN environment itself
not just the periphery (brian dorsey)
2. Re: Query: Role of Firewalls within a SAN environment itself
not just the periphery (david@lang.hm)
3. Cisco ASA5585 (Morley, Morven)


----------------------------------------------------------------------

Message: 1
Date: Tue, 19 Apr 2011 12:34:55 +0100
From: brian dorsey <briandorsey252@gmail.com>
Subject: Re: [fw-wiz] Query: Role of Firewalls within a SAN
environment itself not just the periphery
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <BANLkTimLLN-_6ExzfZX+BEA4GHHC9jCSFA@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi Brandon and Scott,

Apologies for the late reply, I was out of office.

I've being reading more into the subject of SAN's and have realized that
placing firewalls within the switch fabric itself is not practical (as
Brandon pointed out) and that firewalls are better suited upstream of the
SAN in practice (Scott pointed out).

That said I do see a role for firewalls where end-to-end communication is
required. In the sense that if one considers iSCSI and FC over IP to another
SAN island on a remote network outside the enterprise, it would seem prudent
that the gateway firewall be configured to allow the iSCSI port, the IPSec
port for FC over IP and restrict the source IP of whom can talk iSCSI and
IPSec etc. That is a firewall should provide access to the relevant SAN
traffic, no more and no less.

Similarly, I see from a management perspective of a switch, one should
provide IP address (inclusive of port and protocol) access controls on
switches capable of this. For example, restrict who can access ssh, SNMP
(GUI interface) and RADIUS services such as those of the Cisco MDS 9000
series for switch management.

Also, if the Administrators IP range is on a different subnet to the switch
fabric, then the intermediary firewall between the internal enterprise
subnets needs to also permit ssh, SNMP and RADIUS traffic.

In other words, one must consider the security infrastructure as a whole.

What I have also learned over the past day or so, is the idea of RBAC on CLI
interface, VSAN and ZONES where one can define fine-grained access controls
of command execution permissions for switch management and application
server access to virtual isolated environments and specific LUN access.
There is a huge amount of knowledge required as I see it to properly secure
SAN's!!

Note, I am not an IT administrator and do not have access to Cisco switches
or any other commercial systems of that nature. I am just interested in
learning about SANs and Cloud computing even if its from a theoretical
perspective. But I do want to visualize how such a network would be
configured right down to the actual command-line arguments used.

If anyone has any pointers to other kinds of switches used apart from the
Cisco doc's I've been reading, let me know. Similarly, if there are any open
source like OS that are similar to the Cisco MDS or other commercial
products out there, that I could download and try out (even from a iSCSI
point of view since I don't have any FC equipment to play with) I'd be glad
to hear about them. I have come across FreeNAS and Openfiler but these don't
seem to provide the switching capabilities. Perhaps I am wrong.

Thanks for your input guys,
regards,
Brian.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20110419/900ef558/attachment-0001.html>

------------------------------

Message: 2
Date: Tue, 19 Apr 2011 21:13:45 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] Query: Role of Firewalls within a SAN
environment itself not just the periphery
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.00.1104192110180.12728@asgard.lang.hm>
Content-Type: text/plain; charset="us-ascii"; Format="flowed"

On Wed, 13 Apr 2011, Fetch, Brandon wrote:

> Brian,
> I think you may be missing a single key bit of information in your discussion - fiber channel (FC) layer 2 (L2) is immensely different form Ethernet L2.
> Yes, both protocols run IP "on top" (at layer 3) and both run on fiber but to be able to put a firewall and/or filtering device between hosts, FC switches, or disk you're talking a whole different animal.
>
> Not to leave specifics out of a reply to your question but the details would involve a rather lengthy post.
> Suffice it to say that involving any sort of filtering on a fiber channel (FC) switch would seriously degrade disk performance and by extension not be usable in a production environment.

that all depends on the latency that the filtering adds.

> Though I'm not familiar with the specific documentation you were reviewing, I'd bet money the filtering they reference is more for the management interface rather than the VSAN interfaces or physical ports themselves: limiting what hosts/networks are allowed to connect/reach the device for management and via which protocols.

there are switches that you can configure what systems~ are allowed to
access what devices at the switch level. These sorts of things are very
course, and frequently just lock down what ports are allowed to talk to
what other ports, but sometimes will go beyond that. With the proper
hardware support in the switch they can operate at wire speed with very
little latency (after all, they are only looking at the address, not the
contents)

given that you can buy ethernet switches that can implement ACLs at 10Gb
wire speed, the fact that you can do 4Gb fiberchannel filtering of this
type should not be a shock.

David Lang

> The term VSAN is something of a misnomer (used mainly to provide an easily understood parallel to Ethernet) in that it's more of an L2 descriptor. It's used to segment & identify the disk frames as they traverse the switch and to verify whether a specific world-wide-name (WWN - think of it like an Ethernet MAC address) is allowed to speak on a particular VSAN. I'm not sure if anyone's ever reported someone successfully impersonating another's WWN while on a FC switch and successfully reading or writing to disks on the assigned VSAN.
>
> Essentially where an Ethernet hosts (and switches) can "automagically" build their forwarding tables using ARP and rARP requests or broadcasts, an FC switch will have to have these tables built statically by the operator.
> This goes more to having absolute confirmation a block was received & written by a device (FC) rather than a system being able to wait for timeouts or errors and possibly re-request the same information (Ethernet).
>
> I hope that helps explain why you can't "firewall" a SAN.
>
> Regards,
> Brandon
>
> ________________________________
> From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of brian dorsey
> Sent: Tuesday, April 12, 2011 6:12 AM
> To: firewall-wizards@listserv.icsalabs.com
> Subject: [fw-wiz] Query: Role of Firewalls within a SAN environment itself not just the periphery
>
> Hi all,
>
> I am wondering what your view point is with respect to firewalls within a Storage Area Network (SAN) environment.
>
> I am a SAN novice and I am interested in getting to know this area further.
>
> The literature that I have found since yesterday does not seem to have major role for a firewall within the SAN environment itself. I see that some documentation places a firewall a the edge of the SAN. But what about firewalls between switches/routers etc within the SAN?
>
> As I understand it, SAN switches like those from Cisco (just reading documentation on Cisco 9000 series switches) provide IP/port filtering of packets and can create VLAN-like SAN's called VSAN's.
>
> The thing is, would it not also be wise to install firewalls either network-based or locally on end SAN systems to provide defense in depth and also provide greater filtering granularity if required?
>
>> From what I can see, at the switch level only basic filtering can be done.
>
> Has anyone any documentation or diagrams of a typical SAN architecture that also include (traditional non-switch based) firewalls?
>
> These switches maybe managed over telnet and ssh ports etc. And I presume a firewall in conjunction with a switch's own access controls would provide additional security in restricting who (administrator IP address) can communicate with the switch over such ports.
>
> Similarly, there maybe a requirement for DPI or stateful inspection of some packets/communications for whatever reason. A firewall such as Linux iptables (is what I am familiar with) can provide this level of fine-grained access control on behalf of the switches where the switches don't appear to have this level of granularity.
>
> I also notice, that the Cisco 9000 series switches only allow a maximum of 250 IP filter rules. I have not read up on other technologies yet, but this may or may not be the normal limit for filtering at a switch level.
>
> I also notice that the SAN switches seem capable of filtering/firewall at the layers 3 and 4 of the TCP/IP stack! I always presumed that switches operated at layer 2 (MAC addresses). So, this is interesting for me to have learnt.
>
> So basically, I want to discover what your opinions are with respect to the role of firewalls (be that packet filters, SPI and/or DPI) within the SAN network itself. [I presume IDS has a role also]
>
> [I know that it is considered best practice that firewalls be placed upfront in the traditional way: at the gateway/Internet, in between the DMZ and application servers network and in between the application server tier and the SAN at the back-end.
>
> many thanks,
> Brian.
>
>
> This message is intended only for the person(s) to which it is addressed
> and may contain privileged, confidential and/or insider information..
> If you have received this communication in error, please notify us
> immediately by replying to the message and deleting it from your computer.
> Any disclosure, copying, distribution, or the taking of any action concerning
> the contents of this message and any attachment(s) by anyone other
> than the named recipient(s) is strictly prohibited.
>
-------------- next part --------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 3
Date: Tue, 19 Apr 2011 11:49:08 +0100
From: "Morley, Morven" <M.E.Morley@tees.ac.uk>
Subject: [fw-wiz] Cisco ASA5585
To: "'firewall-wizards@listserv.icsalabs.com'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<B79C34BC6E659C4DBB1E87A86D201AF57D99E3DB1B@ELLIECLUSTER.windows.tees.ac.uk>

Content-Type: text/plain; charset="us-ascii"

Hi all,
Does anyone have any experience of the Cisco ASA5585 appliances, specifically the IPS capabilities of the devices, how do they compare with a Tipping Point IPS device regarding ease of administration, false/positives, automatic updates of digital vaccines?


Regards
Morven


Mrs Morven Morley, Network Manager, ICT Systems
x2187

[cid:image001.gif@01CBFE87.CAC10AC0]


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20110419/33bd23fc/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 6695 bytes
Desc: image001.gif
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20110419/33bd23fc/attachment.gif>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 57, Issue 4
***********************************************

No comments:

Post a Comment