[j-nsp] Firewall best practices

Tim Hogard thogard at abnormal.com
Tue Jun 12 01:41:47 EDT 2012


> 
> Hi everyone,
> 
> I have a question regarding managing policies among multiple sets of
> firewalls. I don't know what industry standard / best practice is for
> managing rules among multiple devices.
There isn't one.  Take the Trust/DMZ/Untrust which is documented
as "best practice" but wasn't 15 years ago.

Modern firewalls are great for keeping the bad guys from brute forcing
your network, but so will a cheap router.  Most network intrusions
that I've seen are from the inside to other things on the inside.

All your external IP addresses are already fingerprinted.  A speaker
at last year's Ruxcon was giving a talk in Switzerland and accidentally
also fingerprinted all of Belgium as well.  His records for a
university show the history, where you can go back and say "This
was a Windows box with a poor history of patching, yet it's now locked
down, but that one port is still open so there is a chance it's not
patched", and he has SQL tools to ask what machines might be
susceptible to the last exploit.  If he has those kinds of tools,
you know the bad guys do too.

I run one interface per host and put it in its own zone.  My inbound
interfaces are in zone "Internet" (not untrusted), as are other sources
of garbage; a public wifi net is also in zone "Internet".

My web servers are all in their own zones based on function, and my
DNS has its own zone as well.

The only switch bank I use is now in a zone called "lan" where the
workstations are.  The rules indicate they are slightly more
trustworthy than the internet :-)

While this tends to cause the number of rules to blow out like crazy,
it is easier to manage over 3 sites.

If I could find an SSG 140 cheap, I would be tempted to put all my
troublesome users on their own port too.

What I don't like is VPN connections tend to have lame levels of
trust that the far end is secure.  I have not found a good solution
to that which makes me happy.

To make this all even more entertaining, my Jr Net Admin went to
the boss last week with the great idea of moving all the servers
into a DMZ to reduce the number of zones on the firewall.

-tim
http://web.abnormal.com
> 
> Currently our office has an SRX cluster, site A has an edge SRX cluster and
> core SRX cluster, and site B has an edge SRX cluster and core SRX cluster.
> The edge SRX clusters generally interface with border routers or providers
> directly, IPsec, DMZ and any outbound 3rd party web filter redirects etc.
> The core SRX clusters handle firewalling between our different
> environments: separating search engines, databases, web servers, etc.
> 
> I don't know what the best way to manage the firewall rules is between
> these sites. I don't think it's sustainable to write the same rule on site A
> core, site A edge, site B edge, site B core. And then managing the address
> book entries on every device also becomes a hassle, making sure it's
> all synchronized etc. Is there a better method of doing this?
> 
> I don't even want to think about what happens if I want traffic from the
> office to route through site A in order to reach site B in the event of a
> VPN issue between the office and site B directly.
> 
> Is there a good method for keeping these things managed, like only having
> the edge firewall for site A manage incoming connections, and letting the other
> site's edge firewall deal with site A's outgoing connections, etc?
> 
> I'm a mess. If we add two more sites my head might explode.
> 
> Morgan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
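The zone-per-interface layout Tim describes above (everything inbound in a zone named "Internet", each server function in its own zone, the workstation switch in "lan"), written out as a Junos SRX configuration. This is an added illustration, not configuration from Tim's network or from the original thread; the interface names, the 192.0.2.x addresses and the zone names web-public and dns are assumptions chosen to match his description. The policies are ordinary SRX syntax of the era; the address books are the per-zone form.

```junos
security {
    zones {
        /* Everything that arrives from outside is "Internet", including the public wifi */
        security-zone Internet {
            interfaces {
                ge-0/0/0.0;   /* upstream transit (assumed) */
                ge-0/0/1.0;   /* public wifi segment (assumed) */
            }
        }
        /* One host per interface and one zone per function; the zone's address book names that host */
        security-zone web-public {
            address-book {
                address www1 192.0.2.10/32;   /* assumed address */
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
        security-zone dns {
            address-book {
                address ns1 192.0.2.53/32;    /* assumed address */
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        /* The only switched segment: the workstations */
        security-zone lan {
            interfaces {
                ge-0/0/4.0;
            }
        }
    }
    policies {
        from-zone Internet to-zone web-public {
            policy inet-to-www {
                match {
                    source-address any;
                    destination-address www1;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone Internet to-zone dns {
            policy inet-to-dns {
                match {
                    source-address any;
                    destination-address ns1;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                }
            }
        }
        /* Workstations are only slightly more trusted than the internet: an explicit list, never "any" */
        from-zone lan to-zone web-public {
            policy lan-to-www {
                match {
                    source-address any;
                    destination-address www1;
                    application [ junos-http junos-https junos-ssh ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone lan to-zone Internet {
            policy lan-out {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
        }
        /* Any zone pair without its own from-zone/to-zone block (web-public -> dns, dns -> Internet, ...) falls through to this */
        default-policy {
            deny-all;
        }
    }
}
```

The property worth noticing is that with one host per zone there is no intra-zone traffic to bypass the policy engine: the web server cannot reach the resolver until a from-zone web-public to-zone dns block is written, which is exactly why the rule count "blows out" as Tim says, and why a single DMZ zone holding all the servers would silently reopen every server-to-server path. After committing, `show security zones` and `show security policies` list what is actually in force, and `show security flow session` shows which policy a live session matched. Newer Junos releases also accept one global address book (`security address-book global`) in place of the per-zone ones above, which is the form that addresses the duplication Morgan asks about, but the two forms cannot be mixed in one configuration.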