Guidelines for Administrators

Perimeter defense, in the form of firewalls, is a useful tool for system administrators as part of an overall security strategy that includes system hardening, encryption and policy. Each of the firewall designs considered and recommended by the Task Force is appropriate for certain circumstances. The designs Personal Firewall software, Host Cluster, Hidden VLAN and Secure Pen are fully described in the next "Technical Analysis" section.

An Individual Workstation

Personal Firewall

The most economical firewall solutions for a single workstation are Personal Firewall software applications, or operating systems such as Mac OS X or Windows XP that include an embedded firewall product. See the Personal Firewall design.

These products usually function in one of two ways. Either they are packet filters, similar to firewall appliance products, that permit or deny network traffic based on network address, port, connection status, etc. Or they "lock down" the system they are installed on, signing every application so that later tampering can be detected, and determining what kind of network access each application is allowed to have.

Most personal firewall products attempt to make installation and configuration simple for end users by having the application "learn" what network access is needed and giving the user the opportunity to permit or block every new type of network access. These attempts to make the products easy to use may result in configurations that are difficult to customize, e.g., permitting a form of traffic from some hosts but not all. In addition, central management of many personal firewall configurations would likely be an administrative nightmare.

On the other hand, personal firewall products have the smallest, and therefore best, security perimeter of all the firewall designs considered. As the administration and management aspects of these products mature they will become an increasingly valuable security tool.

An Individual Server

Personal Firewall or Host Cluster

A single server can also use a personal firewall product; such products exist for many server OS platforms. See the Personal Firewall design.

Depending on how sensitive or critical the server or its data is, investment in a Host Cluster firewall may be warranted. In this case the cluster consists of a single server. While a special-purpose firewall appliance is more expensive than a software product, it may offer administrative or performance advantages. See the Host Cluster design.

Small Group of Similar Systems Within an Office, Lab or Machine Room

Host Cluster or Hidden VLAN

A group of department servers within a machine room is ideally suited to a Host Cluster design. The Host Cluster design has a small security perimeter and protects a set of hosts within one room. Ideally the protected hosts have similar network and security profiles, which results in a concise and secure firewall rule-set. In some cases multiple Host Cluster firewalls are appropriate: for example, one firewall cluster for a set of database servers with a restricted set of clients, and another for more open web servers.

In the Host Cluster design, a single CNS-supported network connection is used by the firewall. The firewall in turn connects to a switch or hub, not supported by CNS, which provides a small number of connections to the set of hosts protected by the firewall. Because this design is deployed within and supported by a department, it is appropriate for the department's file sharing servers, such as Windows NT or Novell servers. It may not be appropriate for a large number of high-bandwidth systems, however, since the firewall and its single network connection can become a bottleneck. (Redundant firewalls with high-bandwidth connections to the CNS-supported network overcome these issues, but at significant cost.)
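To make concrete the packet-filter behaviour described under Personal Firewall (permit or deny by address, port and connection status) and the two Host Cluster rule-sets suggested above (a database cluster with a restricted set of clients and a more open web cluster), here is an added Python model; it is not part of the Task Force's document, and the addresses, ports and packet trace are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    src: str      # CIDR of the clients this rule covers
    dport: int    # destination TCP port on the protected host
    action: str   # "permit" or "deny"

@dataclass
class ClusterFirewall:
    name: str
    rules: list                                    # top-down, first match wins
    established: set = field(default_factory=set)  # admitted (src, dst, dport) flows

    def check(self, src_ip, dst_ip, dport, syn):
        """Decide one inbound packet; anything unmatched is denied."""
        flow = (src_ip, dst_ip, dport)
        if not syn:  # mid-connection packet: pass only if the flow was admitted
            return "permit" if flow in self.established else "deny"
        src = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if rule.dport == dport and src in ipaddress.ip_network(rule.src):
                if rule.action == "permit":
                    self.established.add(flow)
                return rule.action
        return "deny"

# Hypothetical addressing: department app servers on 10.1.0.0/24,
# database cluster hosts at 10.1.1.x, web cluster hosts at 10.1.2.x.
DB_CLUSTER = ClusterFirewall("db", [
    Rule("10.1.0.0/24", 1433, "permit"),  # DB port only for dept app servers
])
WEB_CLUSTER = ClusterFirewall("web", [
    Rule("0.0.0.0/0", 80, "permit"),      # public web traffic
    Rule("0.0.0.0/0", 443, "permit"),
    Rule("10.1.0.0/24", 22, "permit"),    # admin access only from the department
])
# Constructed packet trace: (firewall, src, dst, dport, syn flag)
TRACE = [
    (DB_CLUSTER, "10.1.0.5", "10.1.1.10", 1433, True),
    (DB_CLUSTER, "10.1.0.5", "10.1.1.10", 1433, False),   # data packet of that flow
    (DB_CLUSTER, "192.0.2.7", "10.1.1.10", 1433, True),   # outside host, no rule
    (DB_CLUSTER, "192.0.2.7", "10.1.1.10", 1433, False),  # mid-stream packet, no state
    (WEB_CLUSTER, "192.0.2.7", "10.1.2.10", 80, True),
    (WEB_CLUSTER, "192.0.2.7", "10.1.2.10", 22, True),
]

def run_trace(trace=TRACE):
    # Return the firewall decision for each packet, in order.
    return [fw.check(s, d, p, syn) for fw, s, d, p, syn in trace]
```

The fourth packet shows why connection status matters: a packet that claims to belong to an existing connection is dropped unless the firewall itself admitted that flow.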

 

A Host Cluster design is not appropriate if the hosts are in different rooms or if their network connections must be provided from a CNS telecommunications closet. In this case the design choice is Hidden VLAN. This design uses VLANs and switch technology to segregate a department's connections into secure and public. See the Hidden VLAN design. This approach is easy to install but relies on the integrity of the network switches, so it may not be appropriate for protecting critical servers and/or sensitive data. The Hidden VLAN design requires a switched Ethernet topology; it is not possible with the shared 10 Mb/s Ethernet that comprises much of the campus network.

Critical server(s)

Secure Pen

Some servers have data so sensitive, or provide a service so critical, that it may be appropriate to move them to the central Secure Pen. This is a service that will provide physical security, redundant network access, power and administrative management as necessary. It also has advantages for small departments that do not have in-house technical expertise. However, the service will be recharged to the department. The Secure Pen service will be designed to scale, with redundant firewalls and sufficient network bandwidth to support the number of systems within it.

Because the server would be housed and managed outside the department, this design is not appropriate for file sharing servers or any other server that requires frequent departmental control.

All Workstations and Servers within a Department

Personal, Hidden VLAN, Host Cluster AND Secure Pen

This situation encompasses a large to very large security perimeter, so any single solution is unlikely to be a good one. Instead the scope of the problem should be broken down into components and multiple firewall designs employed. Servers should be protected with Host Cluster designs or moved to the Secure Pen. Individual workstations could be protected with Personal Firewall software, or each subnet could be converted to a Hidden VLAN design. The Hidden VLAN design requires a switched Ethernet topology; it is not possible with shared 10 Mb/s Ethernet networks. In addition, many Personal Firewall installations could be administratively difficult.

A traditional design where the firewall sits topologically between the router and the rest of the subnet, called "Entire Subnet", was extensively discussed. The Task Force was unable to make any specific recommendations due to support and implementation issues inherent in this design.

Summary of Design Options

                       Personal   Host Cluster   Hidden VLAN   Secure Pen
One Workstation           X
Dept. Server(s)           X            X              X
Critical Server(s)                     X                            X
All workstations                                      X
Lab                                    X              X
Work Group                             X              X
