firewalls and fate zones: operational impact (Terry Gray, University of Washington; S@LS workshop, Chicago; 12 August 2003; transcript of a PowerPoint presentation)

Page 1: firewalls and fate zones: operational impact

firewalls and fate zones: operational impact

Terry Gray

University of Washington S@LS workshop, Chicago

12 August 2003

Page 2

firewall types

• conventional

• integrated

• logical

• end-point

Page 3

perimeters

• physical topology:
  – enterprise
  – multi-subnet
  – subnet
  – sub-subnet
  – endpoint

• logical topology:
  – VLANs w/ firewalls between
  – logical firewalls
  – IPSEC trust relationships

Page 4

issues

• relation of NetOps and SecOps

• central vs. decentralized control

• stateful vs. not-stateful blocking

• firewalling policy by:
  – device MAC
  – device IP
  – user identity

• policy definition, impacted users, enforcement point

Page 5

perimeter protection paradoxes

• value vs. effectiveness

• small is beautiful, but costly
  – end-point is best, but hardest to do

• border vs. subnet firewalls -- departments both share and span subnets!
  – border: biggest vulnerability zone
  – border: easier to debug intra-campus problems
  – border: simpler rules?

• lowest common denominator policy

• avoid cross-subnet holes for bad protocols

• still need per-address holes

Page 6

incident response

• enet port disabling

• TCP/UDP port blocking

• IP blocking

• NAT traceability

• blocking hi-numbered ports without stateful firewalls
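The last bullet above, together with slide 4's "stateful vs. not-stateful blocking" and slide 5's "still need per-address holes", is easiest to see in a small simulation. The Python below is an added example, not part of Terry Gray's slides: it models a stateless filter that blocks inbound traffic to high-numbered ports (optionally with the classic TCP ACK-bit "established" shortcut) next to a simple stateful filter that only admits inbound packets matching a connection the inside opened, and runs constructed sample traffic through both. The hosts, ports, the `HOLES` allowlist and every packet are constructed assumptions.

```python
"""Stateless vs. stateful blocking of high-numbered ports (added example).

Clients pick ephemeral (high) source ports, so a stateless rule that drops
inbound packets to high ports also drops the return half of legitimate
outbound connections. A stateful filter keys on flows instead. All hosts,
ports and packets below are constructed sample data, not real traffic.
"""
from dataclasses import dataclass

EPHEMERAL_START = 1024  # "hi-numbered" ports in the slide's sense


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True = entering the protected subnet
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt, holes, allow_established=False):
    """Stateless rule set: outbound passes; inbound passes only to low ports
    or to an explicit per-address hole. With allow_established, inbound TCP
    carrying the ACK bit also passes (the old "established" keyword), which
    trusts a header flag rather than any real connection state."""
    if not pkt.inbound:
        return "accept"
    if (pkt.dst, pkt.dport) in holes:
        return "accept"
    if pkt.dport < EPHEMERAL_START:
        return "accept"
    if allow_established and pkt.proto == "tcp" and pkt.ack:
        return "accept"
    return "drop"


class StatefulFilter:
    """Remembers flows the inside initiated; inbound must match one of them
    (or a per-address hole). Works for UDP as well as TCP."""

    def __init__(self, holes=frozenset()):
        self.holes = holes
        self.flows = set()  # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def handle(self, pkt):
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if (pkt.dst, pkt.dport) in self.holes:
            return "accept"
        # Reverse the tuple so it reads as the inside-initiated flow.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if reverse in self.flows else "drop"


# Constructed per-address hole: a departmental web app that must be reachable.
HOLES = frozenset({("10.1.2.10", 8080)})

# Constructed traffic, in arrival order (RFC 5737 documentation addresses outside).
SAMPLE_TRAFFIC = [
    ("web_syn",     Packet("tcp", "10.1.2.3", 51234, "203.0.113.5", 80, inbound=False, syn=True)),
    ("web_synack",  Packet("tcp", "203.0.113.5", 80, "10.1.2.3", 51234, inbound=True, syn=True, ack=True)),
    ("dns_query",   Packet("udp", "10.1.2.3", 40000, "203.0.113.53", 53, inbound=False)),
    ("dns_reply",   Packet("udp", "203.0.113.53", 53, "10.1.2.3", 40000, inbound=True)),
    ("unsolicited", Packet("tcp", "198.51.100.9", 34567, "10.1.2.3", 8000, inbound=True, syn=True)),
    ("hole_syn",    Packet("tcp", "198.51.100.9", 5555, "10.1.2.10", 8080, inbound=True, syn=True)),
    ("ssh_in",      Packet("tcp", "198.51.100.9", 6000, "10.1.2.3", 22, inbound=True, syn=True)),
]


def run_scenario():
    """Return {name: (stateless, stateless+established, stateful)} verdicts."""
    stateful = StatefulFilter(HOLES)
    results = {}
    for name, pkt in SAMPLE_TRAFFIC:
        results[name] = (
            stateless_filter(pkt, HOLES),
            stateless_filter(pkt, HOLES, allow_established=True),
            stateful.handle(pkt),
        )
    return results


if __name__ == "__main__":
    print(f"{'packet':12s} {'stateless':10s} {'+established':13s} stateful")
    for name, (plain, est, st) in run_scenario().items():
        print(f"{name:12s} {plain:10s} {est:13s} {st}")
```

Running it shows the operational point of the slide: the plain stateless filter drops the web SYN/ACK and the DNS reply, so every outbound connection from the subnet breaks. The ACK-bit shortcut restores TCP return traffic but not UDP, and it accepts any ACK-flagged segment whether or not a connection exists. The stateful filter handles both protocols and, unlike the stateless rules, does not leave low ports such as 22 open by default; the per-address hole for 10.1.2.10:8080 is honoured by all three, which is the "still need per-address holes" bullet from slide 5.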

Page 7

discussion