firewalls and fate zones: operational impact
Post on 31-Dec-2015
15 Views
Preview:
DESCRIPTION
TRANSCRIPT
firewalls and fate zones: operational impact
Terry Gray
University of Washington S@LS workshop, Chicago
12 August 2003
firewall types
• conventional
• integrated
• logical
• end-point
perimeters
• physical topology:– enterprise– multi-subnet– subnet– sub-subnet– endpoint
• logical topology: – VLANs w/firewalls between– logical firewalls– IPSEC trust relationships
issues
• relation of NetOps and SecOps
• central vs. decentralized control
• stateful vs. not-stateful blocking
• firewalling policy by– device MAC – device IP– user identity
• policy definition, impacted users, enforcement point
perimeter protection paradoxes• value vs. effectiveness• small is beautiful, but costly
– end-point is best, but hardest to do
• border vs. subnet firewalls--departments: both share and span subnets!– border: biggest vulnerability zone– border: easier to debug intra-campus problems– border: simpler rules?
• lowest common denominator policy• avoid cross-subnet holes for bad protocols• still need per-address holes
incident response
• enet port disabling
• TCP/UDP port blocking
• IP blocking
• NAT traceability
• blocking hi-numbered ports without stateful firewalls
discussion
top related