Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Firewall Implimentation - Recomendations
Special Forums Cybersecurity Firewall Implimentation - Recomendations Post 302090093 by DraconianTimes on Friday 22nd of September 2006 10:55:14 AM
Old 09-22-2006
Quote:
Originally Posted by pathological
We use MS EXchange and Active Directory *Cries*. We have Norton 9 Pro on the exchange server which does active scans of workstations throughout the network as well as in coming e-mails ... Question... i am assuming that if OpenBSD 1 fails, signal is still coming from OpenBSD 2, which will allow the network to remain online. Obviously if Hardare firealla fails it all goes down, but nothing we can do about that at presant. And when you say switch 1 and 2 that is just generic names, since they are all on the 2 network right? No matter how we look at it, there is redundat signal coming in PAST the first hardware firewall point. (Looks good, nice and clean).
Windows/AD/Exchange does not have to be a security nightmare - provided you patch, configure and administer the boxes properly (and that advice goes for ALL systems). You would benefit from checking that you have a secure baseline build for your Win2k/2k3 boxes (maybe use the NSA SNAC hardening guides?) and a proper patching mechanism in place (e.g. SUS or SMS). Configuration change management and proper documentation should be order of the day across ALL corporate systems.

If you're sending/receiving mails to/from outside, you should be running an SMTP proxy in a firewalled DMZ - this allows you to trap mails and scan them for the nasties, before they reach your exchange server. Again, OpenBSD running Postfix, ClamAV and SpamAssasin would be well placed here. Same goes for your web traffic - setup Squid on another box in the DMZ and inspect all traffic - ban your prohibited file types there. Log mails/web traffic which violates policy and set the systems to mail your admin team.

The diagram I attached above was how I saw what you described. It isn't necessarily the best way to go. Personally, I would remove the "hardware firewall" and let the OpenBSD boxes be your firewalls/routers to the outside world, then configure some DMZs for the semi-public services such as web servers and mail/web proxies. If you're on dialup, attach a modem to each OpenBSD firewall yourself and let it handle the dialup needs during failover. If you have DSL/leased line, speak to your ISP and see if they can supply you with some sort of redundancy at that point (maybe even an ISDN backup for your fixed link) with an upgraded device. Also consider two separate ISPs to provide services, in case one goes belly up.

Nick
 

9 More Discussions You Might Find Interesting

1. Cybersecurity

What Firewall do you use?

Just out of curiosity, I see a lot of people here use Linux IPTables as their firewall. Anyone here use something else like OpenBSD PF or *BSD IPF, IPFW? I'm quite fond of OpenBSD and their Packet Filters. I find their syntax much easier to manage and from my personal experience, I find them... (5 Replies)
Discussion started by: tarballed
5 Replies

2. Cybersecurity

Looking Out from Behind a Firewall

Would it be possible to restrict access to internet pages in the following way? A machine: IP = 128.1.17.123 Only pages from domains of the type "go.jp" and "ne.jp" are viewable. All others are not viewable or only partly viewable. B machine: IP = 128.1.17.146 Regardless of the domain... (4 Replies)
Discussion started by: mntamago
4 Replies

3. UNIX for Dummies Questions & Answers

Firewall Box

I am a novice to linux and unix and command line, I am willing to jump in head first. I have a couple older computers, one is a dell XPS with a P2 Proccessor and th other is a old old sony VIAO. I have a small home network 3 computers...i have my DSL modem then thats connected to my wireless... (2 Replies)
Discussion started by: Tabryan07
2 Replies

4. Shell Programming and Scripting

crone job implimentation

I wanted to enable one shell script in the cronetab,how to do crone tabe enabling pl help me:( regards, ramesh (1 Reply)
Discussion started by: Ramesh Vellanki
1 Replies

5. Cybersecurity

help with firewall

hi everyone I am a newbee to firewall scripting. cannot understand how to write rules per host. in ip6tables. anyone plz:( (2 Replies)
Discussion started by: xecutioner
2 Replies

6. AIX

Firewall

:b:Hi,, How do configure firewall in aix.. similar to linux iptable. Rgards, k.sumathi. (3 Replies)
Discussion started by: sumathi.k
3 Replies

7. SuSE

Firewall

Is there a command line interface to the firewall? (4 Replies)
Discussion started by: jgt
4 Replies

8. Linux

Firewall?

Dear All I have put my windows machine behind my centos firewall server with just one NIC. At now, the windows machine can ping 192.9.9.3 but cannot resolve valid url (like www.google.com). I have set DNS for it as well. Can you please let me know what is the missing step? Thank you (6 Replies)
Discussion started by: hadimotamedi
6 Replies

9. Cybersecurity

Firewall

Hey Guys, I am looking for a good firewall software to implement in medium/large office, with at least 150 users. I was hopping you guys could help me on this one. Regards, (4 Replies)
Discussion started by: andrevicente
4 Replies

LEARN ABOUT OPENSOLARIS

ipfilter

ipfilter(5)						Standards, Environments, and Macros					       ipfilter(5)

NAME

       ipfilter - IP packet filtering software

DESCRIPTION

       IP  Filter is software that provides packet filtering capabilities on a Solaris system. On a properly setup system, it can be used to build
       a firewall.

       Solaris IP Filter is installed with the Solaris operating system. However, packet filtering is not enabled by default. See  ipf(1M)  for  a
       procedure to enable and activate the IP Filter feature.

HOST-BASED FIREWALL
       To  simplify  IP Filter configuration management, a firewall framework is created to allow users to configure IP Filter by expressing fire-
       wall policy at system and service level. Given the user-defined firewall policy, the framework generates  a  set  of  IP  Filter  rules	to
       enforce	the  desired  system  behavior. Users specify system and service firewall policies that allow or deny network traffic from certain
       hosts, subnets, and interface(s). The policies are translated into a set of active IPF rules to enforce the specified firewall policies.

       Note -

	 Users can still specify their own ipf rule file if they choose not to take advantage of the framework. See ipf(1M) and ipf(4).

   Model
       This section describes the host-based firewall framework. See svc.ipfd(1M) for details on how to configure firewall policies.

       A three-layer approach with different precedence levels helps the user achieve the desired behaviors.

       Global Default

	   Global Default - Default system-wide firewall policy. This policy is automatically inherited by all	services  unless  services  modify
	   their firewall policy.

       Network Services

	   Higher  precedence than Global Default. A service's policy allows/disallows traffic to its specific ports, regardless of Global Default
	   policy.

       Global Override

	   Another system-wide policy that takes precedence over the needs of specific services in Network Services layer.

	 Global Override
	       |
	       |
	 Network Services
	       |
	       |
	 Global Default

       A firewall policy includes a firewall mode and an optional set of network sources. Network sources are IP  addresses,  subnets,	and  local
       network interfaces, from all of which a system can receive incoming traffic. The basic set of firewall modes are:

       None

	   No firewall, allow all incoming traffic.

       Deny

	   Allow all incoming traffic but deny from specified source(s).

       Allow

	   Deny all incoming traffic but allow from specified source(s).

   Layers in Detail
       The  first  system-wide	layer,	Global	Default,  defines a firewall policy that applies to any incoming traffic, for example, allowing or
       blocking all traffic from an IP address. This makes it simple to have a policy that blocks all incoming traffic	or  all  incoming  traffic
       from unwanted source(s).

       The  Network  Services  layer  contains	firewall policies for local programs that provide service to remote clients, for example, telnetd,
       sshd, and httpd. Each of these programs, a network service, has its own firewall policy that controls access to its service.  Initially,  a
       service's  policy is set to inherit Global Default policy, a "Use Global Default" mode. This makes it simple to set a single policy, at the
       Global Default layer, that can be inherited by all services.

       When a service's policy is different from Global Default policy, the service's policy has higher precedence. If Global  Default	policy	is
       set  to	block all traffic from a subnet, the SSH service could be configured to allow access from certain hosts in that subnet. The set of
       all policies for all network services comprises the Network Service layer.

       The second system-wide layer, Global Override, has a firewall policy that also applies to any incoming network  traffic.  This  policy  has
       highest	precedence  and overrides policies in the other layers, specifically overriding the needs of network services. The example is when
       it is desirable to block known malicious source(s) regardless of services' policies.

   User Interaction
       This framework leverages IP Filter functionality and is active only when svc:/network/ipfilter is enabled and inactive when  network/ipfil-
       ter  is	disabled. Similarly, a network service's firewall policy is only active when that service is enabled and inactive when the service
       is disabled. A system with an active firewall has IP Filter rules for each running/enabled network service and system-wide policy(s)  whose
       firewall mode is not None.

       A  user configures a firewall by setting the system-wide policies and policy for each network service. See svc.ipfd(1M) on how to configure
       a firewall policy.

       The firewall framework composes of policy configuration and a mechanism to generate IP Filter rules from  the  policy  and  applying  those
       rules to get the desired IP Filter configuration. A quick summary of the design and user interaction:

	   o	  system-wide policy(s) are stored in network/ipfilter

	   o	  network services' policies are stored in each SMF service

	   o	  a user activates a firewall by enabling network/ipfilter (see ipf(1M))

	   o	  a user activates/deactivate a service's firewall by enabling/disabling that network service

	   o	  changes to system-wide or per-service firewall policy results in an update to the system's firewall rules

ATTRIBUTES

       See attributes(5) for a description of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Committed 		   |
       +-----------------------------+-----------------------------+

SEE ALSO

       svcs(1), ipf(1M), ipnat(1M), svcadm(1M), svc.ipfd(1M), ipf(4), ipnat(4), attributes(5), smf(5)

       System Administration Guide: IP Services

NOTES

       The nfsd service is managed by the service management facility, smf(5), under the service identifier:

	 svc:/network/ipfilter:default

       Administrative  actions	on  this  service, such as enabling, disabling, or requesting restart, can be performed using svcadm(1M). The ser-
       vice's status can be queried using the svcs(1) command.

       IP Filter startup configuration files are stored in /etc/ipf.

SunOS 5.11							    18 Feb 2009 						       ipfilter(5)
All times are GMT -4. The time now is 11:14 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy