Tear Down the Firewall
lousyd writes "'What's the best firewall for servers?' asked one Slashdot poster. 'Give up the firewall' answers Security Pipeline columnist Stuart Berman. Through creatively separating server functions into different, isolated servers, and assigning them to a three tiered system of security levels, his company has almost completely eliminated the need for (and headache of) network firewalls. "Taking that crutch away has forced us to rethink our security model," Berman says. The cost of the added servers is greatly minimized by making them virtual servers on the same machine, using Xen. With the new security-enhanced XenSE, this might become easier and more possible. What has you chained to your firewall?"
obviously, if you can rethink your security model AND keep up a well-maintained firewall, you will likely be better off :)
How hard can it be to do BOTH, not one or the other?
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
It's one thing to give up the firewall if all you have behind it is servers. It's quite another to give it up if you're protecting user workstations. While it's certainly possible to carefully arrange your external services such that they are secure, it's really only possible if you have absolute control over every single device behind the firewall.
And for windows:
netstat -v -o -n -b -a
(you can omit -v for a quicker display)
NeoThermic
Use my link above, or to view my server, NeoThermic.com
It's a rather sensationalist headline. He's not really ditching his firewall, he's replacing the one border firewall with multiple firewalls in the internal network, and is keeping the production environment isolated from the non-production (Office & Development) networks.
He removed the firewall between the Production Environment and the Internet, and is replacing it with several firewalls on the internal network. I count 4 firewalls: one between the web servers and application server, a second firewall between the application server and DB server, a third firewall between the production environment and non-production environments; and he discusses using ACLs to isolate subnets, which is conceptually the same thing as a firewall.
But that's not a very new concept, and even with his plan, it still seems like you'd be more secure if you have an external firewall on the added network.
What's the harm in adding one more firewall and only allowing traffic on the HTTP port, HTTPS port and possibly VPN? It's cheap insurance just in case someone made a mistake and left some services running on one of the machines.
"Can of worms? The can is open... the worms are everywhere."
I'm running all kinds of crud on the intranet that I don't want exposed to the Internet, such as NetBIOS on Windows and some permissive SAMBA shares on assorted servers.
;)
So, the services are running so that I can use them from the inside (with any device on the inside, without mucking with ACLs, additional equipment aside from a switch, etc.) without having the services exposed to the outside.
Now, if you're running services which aren't being used by legitimate users at all...
This article shows that the guy is now realizing that you also need network design besides only putting a firewall at the border and hoping it magically makes everything ok. He's quoting "innovative" networking designs, like
...except there are mentions of "Active Directory", so I guess not.
- Segmenting your network into
    - Workstations
    - Internal servers
    - Internal databases etc. (accessed by servers)
    - DMZ
- Setting up stringent ACLs to only permit specific traffic between segments.
C'mon, this is pretty much elementary stuff. Any network admin should know to design his network like this even in small companies where you have 2 workstations and a single server.
Then he makes a claim that you don't need firewall because only things accessible to Internet (Workstations and stuff in DMZ, like your public website) are running secure OSs patched constantly. I guess they are running OpenBSD with default config then...
Only real "innovation" comes at the end: the article states that they are running some sort of IDS/IDP system in their network, presumably monitoring for any wormlike packets. This is nothing too interesting; anybody can set up Snort and have it running at your switch's monitor port. Only thing is that if it is running only as a logger, it cannot really react fast enough if one of your boxes gets infected with the latest worm from the completely unsecured Internet connection.
If it is running in some sort of transparent bridging mode, where it blocks those packets too on detection, it is pretty much like any...you guessed it...FIREWALL.
He DOES have a point on the fact that numerous applications require intelligent firewalls, the most basic case of course being active FTP. However, almost any commercial firewall (and Linux kernel iptables) supports numerous protocols. The most recent addition is SIP. P2P protocols are prominently missing so far, but I'm guessing that at least BitTorrent will be added soon (at least to Cisco IOS/PIX and Checkpoint).
Still, I wouldn't give too much credit for this article until he provides us with a detailed network diagram and more specifically states what are the exact benefits.
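The segmented, default-deny design the comment above sketches (DMZ, internal servers, databases, workstations, with ACLs permitting only specific flows between them) can be written down and checked in code. The block below is an added example, not code from the thread or from Berman's article; the segment names, subnets and ports are assumptions chosen for illustration, and the rendered iptables lines use only the standard conntrack match.

```python
# Added example: a segment-to-segment allow list evaluated in Python and
# rendered as stateful iptables FORWARD rules. Subnets, segment names and
# ports are constructed for illustration (assumptions, not from the thread).
import ipaddress
from typing import Optional

SEGMENTS = {  # constructed sample subnets, one per segment
    "internet":     ipaddress.ip_network("0.0.0.0/0"),
    "dmz":          ipaddress.ip_network("192.0.2.0/24"),
    "int_servers":  ipaddress.ip_network("10.1.0.0/24"),
    "databases":    ipaddress.ip_network("10.2.0.0/24"),
    "workstations": ipaddress.ip_network("10.3.0.0/24"),
}

# Explicitly permitted NEW flows: (src_segment, dst_segment, proto, dst_port).
# Anything not listed is dropped; there is no direct Internet -> DB path and
# no DMZ -> DB path, only web -> app -> db.
ALLOW = [
    ("internet",     "dmz",         "tcp", 80),
    ("internet",     "dmz",         "tcp", 443),
    ("dmz",          "int_servers", "tcp", 8080),   # web tier -> app tier
    ("int_servers",  "databases",   "tcp", 5432),   # app tier -> db tier
    ("workstations", "dmz",         "tcp", 443),
    ("workstations", "int_servers", "tcp", 22),     # admin access only
]

def segment_of(ip: str) -> Optional[str]:
    """Longest-prefix match, so 0.0.0.0/0 only catches addresses no inner segment claims."""
    addr = ipaddress.ip_address(ip)
    best: Optional[str] = None
    for name, net in SEGMENTS.items():
        if addr in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = name
    return best

def permitted(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
    """Default deny: a new flow passes only if an ALLOW entry matches exactly."""
    return (segment_of(src_ip), segment_of(dst_ip), proto, dst_port) in ALLOW

def iptables_rules() -> list:
    """Render the same policy as FORWARD rules; replies (and helper-tracked
    secondary channels such as active FTP data) ride on ESTABLISHED,RELATED."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src, dst, proto, port in ALLOW:
        rules.append(f"iptables -A FORWARD -s {SEGMENTS[src]} -d {SEGMENTS[dst]} "
                     f"-p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    return rules
```

Evaluating `permitted()` over a proposed change before loading the rendered rules is a cheap way to catch the "someone left a service running" case the thread worries about, since any flow not in ALLOW is refused regardless of what is listening.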
"You're not Stuart Berman, you're really social engineering expert Kevin Mitnick, and you almost tricked everyone into taking down their firewalls".
"And I would have gotten away with it if it wasn't for you nosey Slashdotters!"
And if you have processes running and listening on ports that you don't want or need, why are you running them?
Because the operating system that you run is incapable of turning them off, and no other operating system is compatible with a mission-critical application or hardware device?