firewalls and fate zones: operational impact
DESCRIPTION
firewalls and fate zones: operational impact. Terry Gray University of Washington S@LS workshop, Chicago 12 August 2003. firewall types. conventional integrated logical end-point. perimeters. physical topology: enterprise multi-subnet subnet sub-subnet endpoint logical topology: - PowerPoint PPT PresentationTRANSCRIPT
firewalls and fate zones: operational impact
Terry Gray
University of Washington S@LS workshop, Chicago
12 August 2003
firewall types
• conventional
• integrated
• logical
• end-point
perimeters
• physical topology:– enterprise– multi-subnet– subnet– sub-subnet– endpoint
• logical topology: – VLANs w/firewalls between– logical firewalls– IPSEC trust relationships
issues
• relation of NetOps and SecOps
• central vs. decentralized control
• stateful vs. not-stateful blocking
• firewalling policy by– device MAC – device IP– user identity
• policy definition, impacted users, enforcement point
perimeter protection paradoxes• value vs. effectiveness• small is beautiful, but costly
– end-point is best, but hardest to do
• border vs. subnet firewalls--departments: both share and span subnets!– border: biggest vulnerability zone– border: easier to debug intra-campus problems– border: simpler rules?
• lowest common denominator policy• avoid cross-subnet holes for bad protocols• still need per-address holes
incident response
• enet port disabling
• TCP/UDP port blocking
• IP blocking
• NAT traceability
• blocking hi-numbered ports without stateful firewalls
discussion