firewalls and fate zones: operational impact
Terry Gray
University of Washington S@LS workshop, Chicago
12 August 2003
firewall types
• conventional
• integrated
• logical
• end-point
perimeters
• physical topology:
  – enterprise
  – multi-subnet
  – subnet
  – sub-subnet
  – endpoint
• logical topology:
  – VLANs w/ firewalls between
  – logical firewalls
  – IPSEC trust relationships
issues
• relation of NetOps and SecOps
• central vs. decentralized control
• stateful vs. not-stateful blocking
• firewalling policy by
  – device MAC
  – device IP
  – user identity
• policy definition, impacted users, enforcement point
perimeter protection paradoxes
• value vs. effectiveness
• small is beautiful, but costly
  – end-point is best, but hardest to do
• border vs. subnet firewalls -- departments: both share and span subnets!
  – border: biggest vulnerability zone
  – border: easier to debug intra-campus problems
  – border: simpler rules?
• lowest common denominator policy
• avoid cross-subnet holes for bad protocols
• still need per-address holes
incident response
• enet port disabling
• TCP/UDP port blocking
• IP blocking
• NAT traceability
• blocking hi-numbered ports without stateful firewalls
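The last bullet (and the "stateful vs. not-stateful blocking" issue on the earlier slide) is easier to see with a toy packet filter. The following Python is an added illustration, not part of Terry Gray's slides: it assumes a constructed campus prefix of 10.0.0.0/24, treats ports 1024 and above as "high-numbered", and compares a stateless rule that drops all inbound traffic to high ports against a stateful filter that only admits replies to connections it has already seen leave the campus. The sample packets are constructed, not captured.

```python
"""Stateless vs. stateful blocking of high-numbered ports (added example).

A stateless rule "drop inbound to ports >= 1024" also drops the return half
of every legitimate outbound connection, because clients use high-numbered
ephemeral source ports.  A stateful filter remembers outbound flows and lets
only their replies back in, so the same policy stops unsolicited inbound
traffic without breaking users.
"""
from dataclasses import dataclass

EPHEMERAL_MIN = 1024     # assumption: ports at or above this are "high-numbered"
INSIDE_PREFIX = "10.0.0."  # assumption: constructed campus address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


def direction(pkt: Packet) -> str:
    """'outbound' when leaving the campus, otherwise 'inbound'."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "outbound"
    return "inbound"


def stateless_filter(pkts):
    """Drop every inbound packet whose destination port is high-numbered.

    This is all a non-stateful device can express: it cannot tell a reply
    to an inside client apart from an unsolicited probe.
    """
    verdicts = []
    for p in pkts:
        if direction(p) == "inbound" and p.dport >= EPHEMERAL_MIN:
            verdicts.append("drop")
        else:
            verdicts.append("accept")
    return verdicts


class StatefulFilter:
    """Tracks outbound flows and admits only their return traffic."""

    def __init__(self):
        # (inside addr, inside port, outside addr, outside port, proto)
        self.flows = set()

    def verdict(self, p: Packet) -> str:
        if direction(p) == "outbound":
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "accept"
        # Inbound: accept only if it answers a flow we saw leave.
        reply_key = (p.dst, p.dport, p.src, p.sport, p.proto)
        if reply_key in self.flows:
            return "accept"
        if p.dport >= EPHEMERAL_MIN:
            return "drop"
        return "accept"  # low ports are governed by other rules (per-address holes)

    def run(self, pkts):
        return [self.verdict(p) for p in pkts]


# Constructed sample traffic (not captured data):
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.7", 80),      # inside client opens web connection
    Packet("203.0.113.7", 80, "10.0.0.5", 40000),      # server's reply to that connection
    Packet("198.51.100.9", 5555, "10.0.0.5", 40000),   # unsolicited inbound to a high port
    Packet("198.51.100.9", 5555, "10.0.0.5", 22),      # inbound to a low port
]


def compare(pkts=SAMPLE):
    return {"stateless": stateless_filter(pkts),
            "stateful": StatefulFilter().run(pkts)}


if __name__ == "__main__":
    for mode, verdicts in compare().items():
        print(mode, verdicts)
```

The second packet is the one that matters: the stateless rule drops the server's reply and the user's web request hangs, while the stateful filter accepts it because it matches the flow recorded from packet one. Both filters drop the unsolicited probe in packet three. Stateless devices commonly approximate state for TCP by matching the ACK flag on inbound packets, but that trick does not exist for UDP, which is why blocking high-numbered ports without a stateful firewall is hard to do cleanly.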
discussion