From: Rahul on 13 Jan 2010 11:00

Jeremy Nicoll - news posts <jn.nntp.scrap004(a)wingsandbeaks.org.uk> wrote in news:gemini.kw6uqm000jyrf02n4(a)wingsandbeaks.org.uk.invalid:

> Some of this argument is going to depend on physical security. If the
> 100 machines are in a locked room with no chance of anyone installing
> anything on them, or changing their configurations, it's a different
> ballgame from having the machines open-access.
>
> If they're open-access I'd trust no machine.

Thanks!

Any realistic scenario seems intermediate to the two "very secure" and "open" situations you describe. The firewall seems one of many options to enforce a trust system. I guess most machines are not "open access" but there is a finite, small list of domains that you want access to, but on certain ports.

Let me rephrase my question: "Does it make more sense to enforce this trust via a centralized firewall mechanism or on a machine by machine level?" What are the pros and cons?

--
Rahul
From: The Natural Philosopher on 13 Jan 2010 12:39

Rahul wrote:
> Jeremy Nicoll - news posts <jn.nntp.scrap004(a)wingsandbeaks.org.uk> wrote
> in news:gemini.kw6uqm000jyrf02n4(a)wingsandbeaks.org.uk.invalid:
>
>> Some of this argument is going to depend on physical security. If the
>> 100 machines are in a locked room with no chance of anyone installing
>> anything on them, or changing their configurations, it's a different
>> ballgame from having the machines open-access.
>>
>> If they're open-access I'd trust no machine.
>
> Thanks!
>
> Any realistic scenario seems intermediate to the two "very secure" and
> "open" situations you describe. The firewall seems one of many options to
> enforce a trust system. I guess most machines are not "open access" but
> there is a finite, small list of domains that you want access to but on
> certain ports.
>
> Let me rephrase my question: "Does it make more sense to enforce this trust
> via a centralized firewall mechanism or on a machine by machine level?"
> What are the pros and cons?

Both, effectively. Each machine has its own set of privileges, but implement it by using a central firewall.

Unless of course it's full of smart nerds, who will simply set up a proxy...
From: Stan Bischof on 13 Jan 2010 13:15

Rahul <nospam(a)nospam.invalid> wrote:
> Jeremy Nicoll - news posts <jn.nntp.scrap004(a)wingsandbeaks.org.uk> wrote
>
> Let me rephrase my question: "Does it make more sense to enforce this trust
> via a centralized firewall mechanism or on a machine by machine level?"
> What are the pros and cons?

Best is a tiered approach: start with a real hardware firewall appliance for the entire network. This guy needs to be single-function, reliable, as close as possible to non-hackable. Hence an appliance rather than a cheapo PC running a general purpose OS. This is the first level and needs to have proper physical security. Redundant hardware is best if you can't tolerate outages.

Add a common firewall on the clients as a second level.

Stan
From: Jeremy Nicoll - news posts on 13 Jan 2010 13:38

Rahul <nospam(a)nospam.invalid> wrote:
> Any realistic scenario seems intermediate to the two "very secure" and
> "open" situations you describe. The firewall seems one of many options to
> enforce a trust system. I guess most machines are not "open access" but
> there is a finite, small list of domains that you want access to but on
> certain ports.

How are you going to stop someone plugging a wireless dongle into one of the machines, or replugging its LAN cable or interfering at a patch panel, if stuff isn't locked up?

> Let me rephrase my question: "Does it make more sense to enforce this
> trust via a centralized firewall mechanism or on a machine by machine
> level?" What are the pros and cons?

Centralised firewall sounds good to me, provided it is IMPOSSIBLE for anyone to get internet access without going through the firewall. If it's not impossible, firewalls on each machine are not going to help much unless you can guarantee they can't be bypassed.

I used to work in a bank's computer centre. Data security was a big issue. It's instructive to consider the approach. In most cases programs that could do dangerous things were not restricted access from a security point of view (though they were restricted just to prevent naive users from accidentally doing damage to data they already had access to). Instead, access to data was highly controlled. It didn't matter what program someone tried to use to read or write a file, the file was protected. If you tried to use, say, a disk sector editor to alter the tracks which held a file's data, the sector editor allowed or disallowed that based on what file occupied the tracks. So you could use a sector editor on your own data but not system or financial data.

So, I think you need to decide precisely what you're trying to protect and why. Then you need to find a method that does it.

For example, there's (perhaps) no need to firewall a machine if you don't care what the machine is used for. Maybe you can arrange to wipe and reload such machines' disks every night. Maybe you can put glue into their NICs. Maybe the machines can be in a Faraday cage so no wireless internet access is possible...

--
Jeremy C B Nicoll - my opinions are my own.

Email sent to my from-address will be deleted. Instead, please reply to newsreplynnn(a)wingsandbeaks.org.uk replacing "nnn" by "284".
From: Sylvain Robitaille on 14 Jan 2010 12:42

Rahul wrote:
> ... "Does it make more sense to enforce this trust via a centralized
> firewall mechanism or on a machine by machine level?" What are the
> pros and cons?

There is no single answer to this question. The variables to consider are generally site-specific, but as someone already suggested they can be condensed to "what are you protecting, from what threats, and why?" What approach is best to accomplish that protection largely depends on the answer to the above. One size does not fit all.

Traffic filtering policies on each machine can have a finer granularity than what's on a central firewall (which will filter, at best, only the traffic that passes through it). On the other hand, managing such protection from a central firewall scales better for protecting larger numbers of systems. Depending on the site's policies and resources, these considerations need to be factored in with the above, to come up with pros and cons of each approach and what makes most sense.

As others have suggested, in the most generic sense, what is likely to work best for most sites will be a combination of a central firewall for managing traffic that passes from the site to the public network (and in the other direction), with per-system "personal" firewalls to filter traffic that stays within the local network. Ideally the per-system filters can be made to be identical and managed centrally, but again, whether that's even possible, or how best to accomplish it is site-specific.

--
----------------------------------------------------------------------
Sylvain Robitaille                              syl(a)encs.concordia.ca

Systems analyst / AITS                            Concordia University
Faculty of Engineering and Computer Science   Montreal, Quebec, Canada
----------------------------------------------------------------------
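The combination the thread converges on (a central firewall as the hard enforcement point, per-machine filters that are identical and managed centrally) can be kept consistent with a small policy tool. The following is an added example, not code from anyone in the thread: it renders each host's "finite, small list" of permitted destinations and ports as a default-drop nftables egress ruleset, and flags any host rule the central firewall would not pass anyway, which is the policy drift between the two tiers. The policy format and all addresses are constructed assumptions.

```python
"""Render a per-host egress allow-list as an nftables ruleset and check it
against the central firewall policy. Added example; the policy format is an
assumption and all addresses are constructed documentation-range values."""
import ipaddress

# Constructed site policy: what the central (perimeter) firewall permits outbound.
CENTRAL_ALLOW = [("192.0.2.0/24", 443, "tcp"), ("198.51.100.10/32", 22, "tcp")]

# Constructed per-host policies: each machine's own small list of destinations.
HOST_ALLOW = {
    "lab-01": [("192.0.2.10/32", 443, "tcp")],
    "lab-02": [("192.0.2.10/32", 443, "tcp"), ("203.0.113.5/32", 25, "tcp")],
}


def covered(rule, central):
    """True if everything the host rule permits is also permitted centrally."""
    net, port, proto = rule
    return any(
        ipaddress.ip_network(net).subnet_of(ipaddress.ip_network(cnet))
        and port == cport and proto == cproto
        for cnet, cport, cproto in central
    )


def uncovered_rules(hosts, central):
    """Host rules the perimeter would drop anyway: drift between the two tiers."""
    return [(h, r) for h, rules in hosts.items() for r in rules
            if not covered(r, central)]


def render_nft(host, rules):
    """nftables ruleset: default-drop egress, allow only the listed destinations."""
    lines = [f"# generated for {host}", "table inet egress {",
             "  chain output {",
             "    type filter hook output priority 0; policy drop;",
             "    ct state established,related accept",
             "    oif lo accept"]
    for net, port, proto in rules:
        lines.append(f"    ip daddr {net} {proto} dport {port} ct state new accept")
    lines.append('    log prefix "egress-drop " drop')  # log what the policy drops
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for host, rule in uncovered_rules(HOST_ALLOW, CENTRAL_ALLOW):
        print(f"{host}: {rule} is not permitted by the central firewall")
    print(render_nft("lab-01", HOST_ALLOW["lab-01"]))
```

The rendered text is what one would ship to each machine from the central management host; the drift report is the check to run before doing so.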