

Replacing a Central Firewall

During one of my ExpertExpress engagements I got an interesting question: “Could we replace a pair of central firewalls with iptables on the Linux servers?”

Short answer: Maybe (depending on your security policy), but I’d still love to see some baseline scrubbing before the traffic hits the server – after all, if someone pwns your server, he’ll quickly turn off iptables.

During the engagement we continued to discuss various tools we could use, from packet filters to reflexive access lists and full-blown stateful solutions, both in physical and virtual form, and ended up with a design that combined stateful filters on the servers with stateless packet filters in WAN edge devices and hypervisors.

A new ExpertExpress case study published on ipSpace.net summarizes these options and describes several high-level designs you could use depending on how secure you want your infrastructure to be.
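One concrete form of the server-side half of that design (stateful filtering on the host itself), as an added example that is not from the post or the case study: a script that emits an iptables-restore ruleset for a Linux server offering HTTPS to everyone and SSH only to an assumed management subnet (MGMT_NET, a placeholder using the 192.0.2.0/24 documentation range). The stateless baseline scrubbing in front of it (anti-spoofing, bogon filtering) belongs on the WAN edge or hypervisor and is deliberately not part of this script.

```shell
#!/bin/sh
# Added example: host-level stateful filter for a Linux server, emitted in
# iptables-restore format. MGMT_NET (an assumed management subnet, here the
# documentation range 192.0.2.0/24) and the open ports are placeholders.
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

gen_server_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
# Loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT
# Packets the connection tracker cannot classify (malformed, out-of-window) are dropped.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Stateful core: replies to flows this host already has in its table are allowed.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Cap the rate of new TCP connections so a SYN flood cannot fill the conntrack table.
-A INPUT -p tcp --syn -j SYN_FLOOD
-A SYN_FLOOD -m limit --limit 50/second --limit-burst 100 -j RETURN
-A SYN_FLOOD -j DROP
# New connections only to the services this host actually offers.
-A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Keep path MTU discovery and basic reachability working.
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# Log (rate-limited) what falls through before the INPUT policy drops it.
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "host-fw drop: "
COMMIT
EOF
}

# Number of ACCEPT rules in the generated set; a cheap sanity check for audits
# that the allow list has not grown silently.
count_accepts() {
  gen_server_rules | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
  --apply) gen_server_rules | iptables-restore ;;   # needs root and the iptables package
  *)       gen_server_rules ;;                       # default: just print the ruleset
esac
```

Because the host owner can disable this with a single command once compromised, the upstream stateless filter is what keeps spoofed or bogon-sourced traffic off the server in the first place.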

1 comment:

  1. I would think this would be a nightmare to scale. Scripting and automated auditing would be a must in most shops. Why not go with virtual firewalls and just move them closer to the server?

    I do agree though that iptables should be used to some extent.

