JD Runyan wrote:
gossamer axe wrote:
I had read an article a while back which claimed that inside of a
network (that's already firewalled) each machine should also be
firewalled.
<Stuff snipped>
I think the recommendation is for a larger environment. A simple example
is to have a DMZ for front end web servers, a Backend network for
databases and application servers, and a management LAN. The diagram
below shows how you would isolate traffic to the backend servers with
firewalls. The different firewalls would be implemented with least
privileged access requirements.
Here is a basic example that I start off with:
In most VLSI companies, you have 3 types of users:
1) Solaris/Linux/Unix users--these are generally design engineers
2) Specific application Windows users--these are generally lab folks
3) Non-specific application Windows users--generally business users
Generally, I try to make those 3 *physically separate* networks that may
not transfer data between themselves (with one exception, see below).
While many people swear by managed switches to separate the networks, I
swear by actually separate switches.
Type 1)
Sits on the fastest cable you get (normally GigE). Often talks directly
to a NetApp box for storage access. You secure them as best you can and
fortunately *none* of them should be running servers supporting the OS.
That being said, these machines often have idiotic root daemons
required by the tools (*cough* Cadence *cough*) which are security red
carpets for attackers. Basically, you need to keep people out of this
network who just don't belong there, but the fact that it is *NIX makes
things relatively robust.
Type 2)
Sits on normal cable. Normally talks to a Samba server (which is
multihomed and is the *only* thing which can talk to things on the
network for Type 1 users).
*Very* dangerous network; *very* hard to secure. Why? Because the
vendors of various tools, dongles, etc. often are tied to a specific OS
release. Some machines may still be running NT 4 (no service packs)
because anything newer breaks the tool you have.
Normally, I try to disable web and email on this network. Sometimes you
can, most times the users squawk. They squawk less if you have a Type 3
network (see below). Large capacity USB keys have made me significantly
less receptive to configuring email and web on this network because you
can surf on your Type 3) machine, save the file to USB and scan it, and
then move the file.
The only real solution is to keep malicious stuff out. The only real
response to people who do manage to get to this nice creamy and chewy
network is reimaging the whole *network*. Yuck.
Type 3)
Sits on wireless. Thank the Deity for wireless. Everybody else hates
wireless for security; I love it. Why?
You can take your laptops and dump them here. You can *assume* that
your machines on this network are always under attack and configure
accordingly. You can place one of these machines right next to a Type
2) machine knowing that the Type 2) machine won't get infected because
somebody wanted to look at nude pictures. Your laptops are ready to go
into the field because they are already assumed to be under attack
and/or compromised. So, when your CEO plugs into a rogue wireless
network, his machine doesn't immediately get crushed from outside
(opening up Kournikova attachments, alas, requires Big Foam Cluebat
application to prevent).
Admittedly, this is a bit stronger than firewalling packets. However,
it means that a compromise on Type 3 does not automatically propagate to
other Type 3 machines or into the Type 2 network (where it has free
rein). The Type 1 network stays blissfully unaware of packet storms
which may be the result of the latest Windows virus.
Normally, this is pretty easy to set up. Two switches in the telecom
room and the wireless hardware are all it takes. But you have to do
this up front. If you try to do this afterward, everybody whines "Why
can't I access *everything* ...".
IMO, 802.11 and USB keys are the *best* things to happen to security.
They don't open any new attacks (your employees can pick you off
anyhow), but they actually allow you to segregate things.
-a
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
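The three-network split described in the post, turned into a small flow audit. This is an added example, not code from the post or the list; the host names, the segment assignments and the flow records are all constructed, and the policy it encodes is the post's: Type 1 and Type 2 exchange data only through the multihomed Samba box, and Type 3 talks to no other segment.

```python
# Added example (not from the original post): audit observed flows against
# the three-network split described above.  Assumed policy: Type 1 (*NIX
# design) and Type 2 (lab Windows) may only exchange traffic through the
# multihomed Samba host; Type 3 (wireless) talks to no other segment.
# All host names and flow records here are constructed.

# Constructed inventory: the segment each host belongs to.
SEGMENT = {
    "eda01": 1, "eda02": 1, "netapp": 1,
    "lab-nt4": 2, "lab-xp": 2,
    "ceo-laptop": 3, "guest-wifi": 3,
}
# Hosts allowed to straddle segments (the post's "one exception").
BRIDGES = {"smb-bridge": {1, 2}}

def segments_of(host):
    """Segments a host legitimately sits on; unknown hosts get none."""
    if host in BRIDGES:
        return BRIDGES[host]
    return {SEGMENT[host]} if host in SEGMENT else set()

def violates(src, dst):
    """A flow is a violation unless both ends share at least one segment.
    Flows touching an unknown host are flagged too, since they share none."""
    return not (segments_of(src) & segments_of(dst))

def audit(records):
    """Parse constructed 'src dst dport' lines; return (src, dst, dport)
    tuples for every flow that crosses a segment boundary illegitimately."""
    bad = []
    for line in records:
        src, dst, dport = line.split()
        if violates(src, dst):
            bad.append((src, dst, int(dport)))
    return bad

# Constructed sample: three legitimate flows, two policy violations.
SAMPLE = [
    "eda01 netapp 2049",        # Type 1 -> Type 1 NFS: fine
    "lab-xp smb-bridge 445",    # Type 2 -> Samba bridge: fine
    "smb-bridge netapp 2049",   # bridge -> Type 1 storage: fine
    "ceo-laptop lab-xp 445",    # Type 3 -> Type 2: violation
    "lab-nt4 eda02 22",         # Type 2 -> Type 1 directly: violation
]

if __name__ == "__main__":
    for src, dst, dport in audit(SAMPLE):
        print(f"VIOLATION {src} -> {dst}:{dport}")
```

Feed it real flow records (NetFlow, firewall logs) and any hit is traffic that the separate-switch design should have made physically impossible, which usually means a stray cable or a second NIC someone added.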