Replacing the Central Firewall

ACME Inc. has a data center hosting several large-scale web applications. Their existing data center design uses a traditional enterprise approach:

  • The data center is segmented into several security zones (web servers, application servers, database servers, supporting infrastructure);
  • Servers belonging to different applications reside within the same security zone, increasing the risk of lateral movement after a web or application server breach;
  • Large layer-2 segments connect all servers in the same security zone, further increasing the risk of cross-protocol attacks[1];
  • All inter-zone traffic is controlled by a pair of central firewalls whose rule base is becoming nearly impossible to manage;
  • The central firewalls are also becoming a chokepoint, severely limiting the growth of ACME’s application infrastructure.

The networking engineers designing ACME’s next-generation data center would like to replace the central firewalls with iptables deployed on the application servers, but are reluctant to do so because of the potential security implications.

This document summarizes design challenges sent by readers of the ipSpace.net blog and discussed in numerous ExpertExpress engagements. It is based on real-life queries and network designs but does not represent an actual customer network. The complete document is available as a downloadable PDF to ipSpace.net subscribers. You can also buy a digital book with all ExpertExpress case studies.

From Packet Filters to Stateful Firewalls

The ACME engineers have to find the optimal mix of traffic filtering solutions that will:

  • Satisfy ACME Inc.’s business-level security requirements, including potential legal, regulatory and compliance requirements;
  • Scale easily as application traffic continues to grow;
  • Not require large-scale upgrades once application traffic reaches a certain limit (which is the case with the existing firewalls).

Effectively, they are looking for a scale-out solution whose capacity grows approximately linearly with the number of servers, and which keeps a minimum amount of per-flow state, since every flow a device has to track adds complexity and processing load.

While designing the overall application security architecture, they could use the following tools:

  • Packet filters;
  • Packet filters with automatic reverse rules;
  • Reflexive access lists;
  • Transport-layer session inspection;
  • Application-level gateways;
  • Web application firewalls.

The case study describes the roles of these tools in a scale-out network security architecture and lists various design options, from WAN edge packet filters combined with VM NIC firewalls to layered stateful defense.
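The host-based replacement for the central firewall proposed above, as an added example that is not part of the case study (the case study’s own configuration snippets are available to subscribers only): a POSIX shell script that emits an iptables-restore ruleset for one ACME application server. The tier addresses (10.1.1.0/24 for this application’s web tier, 10.1.3.0/24 for its database tier), the ports 8080 and 5432 and the bastion address 10.0.0.5 are assumptions. The ruleset admits return traffic by connection-tracking state, the iptables counterpart of the reflexive access lists and transport-layer session inspection listed above, instead of stateless reverse rules, and it accepts new connections only from this application’s own web tier, so servers of other applications in the same security zone cannot reach the application port even though they share the layer-2 segment.

```shell
#!/bin/sh
# Added example, not from the ipSpace.net case study: generate a per-application
# host firewall for one ACME application server in iptables-restore format.
# The addresses, ports and bastion host passed in are assumptions for illustration.
set -eu

# gen_app_server_rules WEB_TIER_CIDR APP_PORT DB_TIER_CIDR DB_PORT BASTION_IP
# Prints the ruleset on stdout; nothing is applied here.
gen_app_server_rules() {
    web_cidr=$1; app_port=$2; db_cidr=$3; db_port=$4; bastion=$5
    cat <<EOF
*filter
# Default deny in both directions. Servers of other applications in the same
# security zone share the layer-2 segment with this host, but they hit the
# DROP policy unless a rule below names them explicitly.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Return traffic is admitted by connection-tracking state, the iptables
# equivalent of a reflexive access list. The stateless alternative
# (-A INPUT -p tcp --sport $app_port --tcp-flags ACK ACK -j ACCEPT) would let
# any host send anything with the ACK bit set, so it is deliberately absent.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Only this application's own web tier may open connections to the
# application port; --syn keeps mid-stream packets from counting as NEW.
-A INPUT -p tcp -s $web_cidr --dport $app_port --syn -m conntrack --ctstate NEW -j ACCEPT
# Management access only from the bastion host.
-A INPUT -p tcp -s $bastion --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
# Reachability checks; ICMP errors for tracked flows are covered by RELATED.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
# Outbound: this server may open connections only to its own database tier.
-A OUTPUT -p tcp -d $db_cidr --dport $db_port --syn -m conntrack --ctstate NEW -j ACCEPT
# Log (rate-limited) before the policy DROP so lateral-movement attempts are visible.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "app-fw-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "app-fw-egress-drop: "
COMMIT
EOF
}

# Called as a script: print the ruleset for the given tier addresses, e.g.
#   sh app-fw.sh 10.1.1.0/24 8080 10.1.3.0/24 5432 10.0.0.5 > /etc/iptables/rules.v4
if [ "$#" -eq 5 ]; then
    gen_app_server_rules "$@"
fi
```

Check the generated file with `iptables-restore --test rules.v4` before loading it with `iptables-restore rules.v4` as root. A real application server also needs OUTPUT rules for DNS, NTP, log shipping and package repositories, the web and database tiers need the same per-application treatment, and hosts with IPv6 addresses need a matching ip6tables ruleset, because an unconfigured ip6tables accepts everything.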

Notes

  1. Compromised security zone = Game Over
    http://blog.ipspace.net/2013/04/compromised-security-zone-game-over-or.html

Get the complete document

The complete case study, including design and deployment guidelines and sample configuration snippets, is available to ipSpace.net subscribers. Select the Case studies tab after logging into the webinar management system.
