Firewall Implementation
Is it advisable to place a firewall in front of my server farm, and why?
Hello Maro,
A firewall is a device that is placed into the network to filter traffic (depending on the security policies your management team has set) to protect the internal resources from both internal and outside threats.
So if you place a firewall in front of a server farm to protect them, that would be amazing.
Now remember that you will need to configure the firewall to allow access to those servers on the right ports/services.
Regards
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
Similar Messages
-
Firewall implementation in java
Need help about firewall implementation in Java. Is it possible to develop an application-level firewall in Java? How?
No.
You can control a firewall written in C or such from Java, but you must have native code in part of it.
This question is asked repeatedly; you really should have searched, because the answer is always the same. You can't do it directly in Java. -
Extranet/Firewall implementation question
All,
We're running EP6 SP11 in a single-server scenario. We've implemented iViews that access backend CRM and BW systems. All connections are HTTP (versus SSL). I've been asked to make the Portal system available outside the firewall so the sales team can access sales functionality without VPN authentication. I've read about reverse proxy and SSL scenarios, which make sense; however, I have a couple of questions.
It seems like the reverse proxy scenario would be a good choice. I understand how access to the portal would work; however, I'm not sure what happens when the iViews which access backend systems are launched.
I would like to get others input.
Thanks,
Greg
Hi Greg,
We have an external portal that is fronted by an Apache reverse proxy. In the Apache configuration file there is a section for reverse proxy statements.
So basically we have it set up so that when users request portal.sap.com/irj it is reverse proxied to the portal server. For iViews that access backend systems we set up the same thing.
For example, we have an iView that connects to an R/3 system, so we have it set up so that anything that comes across as portal.sap.com/r3 is reverse proxied to an ITS server that then connects to the R/3 system.
Hope that helps
Keith -
Hi Experts,
Could you please guide me to best practices for implementing/designing firewalls in an existing data center. I am looking at implementing transparent-mode firewalls to minimize disruption and achieve server farm security.
The existing topology is a collapsed aggregation/access layer: 2x6500, active/standby through HSRP, and external routing is OSPF. These switches connect to the core through OSPF 0; the server farm networks' default gateway is the HSRP address on the switches. Server networks are segmented through VLANs [170-190].
A Cisco ASA is to be implemented; I do not want major routing changes, hence I opted for transparent mode. Attached is a high-level topology of what is to be achieved.
Any detailed design guides would be appreciated on how the traffic flow from WAN to DC can be intercepted, and within the DC. -
Simple firewall implementation
Hello,
I'm pretty new to Cisco products and want to set up a simple firewall.
I found some examples but can't get it to work.
For now we are using Cisco routers of the 88x and 89x series.
When I activate the script, the remote connection to the router is lost, although I have put in a permit rule for SSH.
The script is the following:
! CBAC inspection rules: sessions seen leaving the LAN get temporary return entries
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall rtsp
ip inspect name Firewall h323
ip inspect name Firewall netshow
ip inspect name Firewall ftp
ip inspect name Firewall ssh
! Static inbound filter for the WAN side; the last line drops everything not listed above
ip access-list extended Allow-IN
 permit eigrp any any
 permit icmp any 192.168.2.0 0.0.0.255 echo-reply
 permit icmp any 192.168.2.0 0.0.0.255 unreachable
 permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited
 permit icmp any 192.168.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.168.2.0 0.0.0.255 echo
 permit icmp any 192.168.2.0 0.0.0.255 time-exceeded
 permit tcp any 192.168.2.0 0.0.0.255 eq 22
 deny ip any any
! Inspect traffic entering from the LAN; filter traffic arriving on the dialer
interface Vlan1
 ip inspect Firewall in
interface Dialer1
 ip access-group Allow-IN in
Can anyone tell me what I'm doing wrong here?
And a second question: can I also use port numbers for ip inspect, or must I always use a service name?
Thank you,
//Edwin
Hello,
I have tested this.
I couldn't add router-traffic to the ip inspect rule for ssh, but could add it to the ip inspect rule for tcp.
I tested this option, but unfortunately the connection was closed again as soon as the rules were applied to the interfaces.
Maybe I did it wrong, or it doesn't work.
//Edwin -
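As an added example (not part of Edwin's post or of the thread above), the Python script below models how the Allow-IN access list is evaluated: first match wins, Cisco wildcard-mask matching, and the explicit deny at the end. The sample packets are constructed; 203.0.113.10 stands in for the Dialer1 negotiated (public) address and 198.51.100.7 for a remote admin host, both assumptions. It evaluates only the static ACL; the dynamic return-traffic entries that ip inspect opens are not modelled. Run through it, the list permits TCP/22 only to destinations inside 192.168.2.0/24, so an SSH session that terminates on the router's own WAN address falls through to "deny ip any any"; whether that is what Edwin hit depends on which address he was connecting to, which the post does not say.

```python
"""Evaluate a Cisco-style extended ACL against sample packets (added example)."""
import ipaddress

# The Allow-IN list exactly as posted in the thread.
ACL_TEXT = """
permit eigrp any any
permit icmp any 192.168.2.0 0.0.0.255 echo-reply
permit icmp any 192.168.2.0 0.0.0.255 unreachable
permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited
permit icmp any 192.168.2.0 0.0.0.255 packet-too-big
permit icmp any 192.168.2.0 0.0.0.255 echo
permit icmp any 192.168.2.0 0.0.0.255 time-exceeded
permit tcp any 192.168.2.0 0.0.0.255 eq 22
deny ip any any
"""

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])


def parse_acl(text):
    """Turn ACL lines into (action, proto, src, src_wc, dst, dst_wc, qualifier) tuples, in order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, src_wc, rest = _parse_addr(tokens[2:])
        dst, dst_wc, rest = _parse_addr(rest)
        qualifier = None
        if rest[:1] == ["eq"]:          # tcp/udp destination port
            qualifier = int(rest[1])
        elif rest:                      # icmp type keyword such as echo-reply
            qualifier = rest[0]
        rules.append((action, proto, src, src_wc, dst, dst_wc, qualifier))
    return rules


def _wc_match(addr, net, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    care = ~wildcard & ALL_ONES
    return (addr & care) == (net & care)


def evaluate(rules, pkt):
    """First matching rule decides; no match at all means the implicit deny (index None)."""
    src = int(ipaddress.IPv4Address(pkt["src"]))
    dst = int(ipaddress.IPv4Address(pkt["dst"]))
    for index, (action, proto, net_s, wc_s, net_d, wc_d, qual) in enumerate(rules):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_wc_match(src, net_s, wc_s) and _wc_match(dst, net_d, wc_d)):
            continue
        if qual is not None:
            if proto == "icmp" and pkt.get("icmp_type") != qual:
                continue
            if proto in ("tcp", "udp") and pkt.get("dport") != qual:
                continue
        return action, index
    return "deny", None


# Constructed packets (assumed addresses: 203.0.113.10 = Dialer1 public address,
# 198.51.100.7 = remote admin host, 192.168.2.10 = a LAN host behind the router).
SAMPLES = {
    "ssh to LAN host":      {"proto": "tcp", "src": "198.51.100.7", "dst": "192.168.2.10", "dport": 22},
    "ssh to router WAN IP": {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22},
    "ping reply to LAN":    {"proto": "icmp", "src": "8.8.8.8", "dst": "192.168.2.10", "icmp_type": "echo-reply"},
    "dns reply to LAN":     {"proto": "udp", "src": "8.8.8.8", "dst": "192.168.2.10", "dport": 53000},
}


def evaluate_samples():
    """Decision and matching rule index for every constructed packet."""
    rules = parse_acl(ACL_TEXT)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, index) in evaluate_samples().items():
        print(f"{name:24s} -> {action} (rule {index})")
```

The "dns reply to LAN" case is the one the static list alone cannot handle: without the ip inspect entry created when the LAN host sent its query, the reply lands on "deny ip any any", which is exactly what CBAC exists to fix.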
2 layers of firewall Implementation Design
Dears, I'll be going for the design below:
Internet-----Firewall1-----Firewall2----Core switches----Distribution switches----End users
Firewall1: outer interface to the Internet, internal interface to Firewall2, DMZ interface to DNS, e-mail server, Bluecoat (guest users), Websense (wired users' internet access)
Firewall2: outer interface to Firewall1, DMZ interface to the server farm, internal interface for the core switches.
Now, in order for both wired and wireless users to have their internet traffic directed to Bluecoat and then from Bluecoat to the internet, routing should be enabled between the 2 firewalls, so is that OK? Or shall I configure all users to have a default gateway to Firewall1 and then have Firewall1 configured to route traffic to both Websense and Bluecoat? Also, while traffic is coming back from Firewall1 heading to Firewall2, should I open some ports on Firewall2, because by default it won't be allowing any traffic since it will be going from a lower-level interface to a higher one?
"routing should be enabled between 2 firewalls so is it ok?"
Surely it's OK and it should be done. You may use dynamic routing or just static routes. The final goal is to provide full IP reachability between your clients and the web filtering services.
"or shall i configure all users to have a default gateway to firewall1"
You can't configure Firewall1's inside IP as the default gateway for your clients, because the default gateway IP should be in the same LAN segment (broadcast domain).
"also while traffic is coming back from firewall1 heading to firewall2 i should open some ports on Firewall2 because by default it wont be allowing any traffic since it will be going from low level interface to higher level?"
If we're talking about general web traffic, then you don't have to configure any ACLs on the outside interface of FW2, because web traffic will be inspected by default (at least as TCP). That means when a client connects to, say, cisco.com, the returning traffic will be allowed by default, because there'll be an entry in the state table. -
Very slow internet behind IOS Firewall
Hi,
This is my first post in the community, so Hello everyone!
Just a (hopefully) quick question,
I am using a Cisco 887VA-M-K9 router to connect to my ISP via VDSL.
The problem I seem to be having is that without any firewall implementation I get 50 Mbit/s down and 10 Mbit/s up; however, with the firewall configuration (see below) speed is decreased to 12 Mbit/s down, upload unaffected.
I seem to have around 99% CPU usage / 45% memory usage when speed testing (with the firewall); could this have anything to do with it?
Many thanks!
CiscoGateway>en
CiscoGateway#sh running
Building configuration...
Current configuration : 13754 bytes
! Last configuration change at 01:09:45 UTC Wed Oct 22 2014 by $$rtcisco73&&
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname CiscoGateway
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 10
crypto pki trustpoint TP-self-signed-3236947830
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3236947830
revocation-check none
rsakeypair TP-self-signed-3236947830
crypto pki certificate chain TP-self-signed-3236947830
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323336 39343738 3330301E 170D3134 31303231 32323332
31315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 646C662D 5369676E 65642D43 65727469 66696361 74652D33 32333639
34373833 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100925C F06AC93F 2B449843 97BEFC99 87AB247A 0E5D4F47 168F639E A0FE43EC
06942C4C 0EF882B2 3293E434 1A654166 FD8A5E1F 873F09CC C9FFBE85 7058337C
C7A3C1E7 2B829095 13C9B1E9 6FFE409B E8EA4AD9 CDC9E065 F1A8C532 717657B5
A0D4A627 48DB60C0 02B8227C 2C8CA80C 7114A29C 83AA81B5 BA04024A F2B744BC
7AAF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14A9C36A 96D01777 EC1405D8 EFF45D05 797560CB B2301D06
03551D0E 04160414 A9C36A96 D01777EC 1405D8EF F45D0579 7560CBB2 300D0609
2A864886 F70D0101 05050003 8181006C 0D06EE67 AAE73CFA 93D70716 4C04C9F3
36D1P808 77057F0B AB8E7A6E FD010CF3 977D9EAF BFB69B3A E975A7F9 F63DF08D
FDDCF648 1E5CCCFB B6513B7E CADAA42A 2343AE6C 272073C3 CE1B0CCF 91A5B5B7
5CEE0916 0EDD078A E0E67ACF 6277078E 3A96CEC2 5E01780A 4CB17CC5 5258B2CD
6B70C411 77433BC5 286652DC 1452E8
quit
ip dhcp excluded-address 192.168.1.1 192.168.1.79
ip dhcp pool Pool0
import all
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.1
lease 7
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
license udi pid CISCO887VA-M-K9 sn FCZ1753C0LJ
controller VDSL 0
ip ssh version 2
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect ccp-pol-outToIn
class t
class class-default
drop log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect sdm-access
inspect
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
interface Ethernet0
no ip address
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Vlan1
description LocalAN$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer1
description BT Infinity Dialer Interface$FW_OUTSIDE$
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication pap chap ms-chap callin
ppp chap hostname [email protected]
ppp chap password 0 0
ppp ipcp address accept
no cdp enable
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
remark Access list for NAT
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
login local
transport preferred ssh
transport input all
line vty 5 15
login local
transport preferred ssh
transport input all
end
I would recommend scaling back on some inspections; for instance, look at a few policy-maps and remove them. Of course, copy them to a text file so you can add them back, but I would play with this by removing things I don't "need".
For instance, what do we "trust" and what do we "untrust"? Are we saying anything from inside (trust) should be inspected based on a particular policy-map once it goes outside (untrust)? What is outside, though? I.e. Internet, MPLS?
For sure Internet will always be an untrusted security zone, but MPLS would certainly be trusted as it's your private WAN service.
Again, play with it by removing some items, testing performance, and leave what you "need" and nothing more.
Did you create this via CCP by chance? -
Layered Firewalls Implementation
Guys, right now I have 2 perimeter firewalls which I'm relying on, and since I'm replacing them soon I was thinking of buying more firewalls for a layered firewall implementation, but I really want to understand what the point is of applying 3 layers of firewalls, for example. What will I be trying to achieve for better security?
Hi Maro,
A firewall will allow traffic from a high security level (like the inside interface, which has a security level of 100) to lower security level interfaces (like the outside or DMZ interface, which have any value less than 100) by default, without an access-list. If you need to allow traffic from low to high, then you need to specifically allow it through an access-list.
With stateful packet inspection, what the firewall does is maintain a table of all the traffic which goes from inside to outside, and the return traffic will be allowed (no need for any specific ACL) only if the traffic was initiated from inside and has an entry in the firewall's state table.
Hope this helps.
Regards
Najaf
Please rate when applicable or helpful !!! -
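Two replies on this page describe the same mechanism: the answer about FW2's outside interface in the two-layer design thread above, and Najaf's reply here. As an added example (not taken from either post), the Python model below puts both rules together: a new connection from a higher to a lower security level is allowed and recorded, return traffic is matched against that record before any ACL is consulted, and low-to-high traffic needs an explicit permit. The interface names, levels and addresses are constructed, and the state key is a plain 5-tuple with no TCP flag tracking or timeouts, which is a simplification of what an ASA does.

```python
"""Model of a stateful firewall with interface security levels (added example)."""

# ASA-style levels: a higher level may initiate toward a lower one without an ACL.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}


class StatefulFirewall:
    def __init__(self, levels, permits=None):
        self.levels = levels
        # permits[ingress] = list of (proto, dst_ip, dst_port) the ACL on that interface allows
        self.permits = permits or {}
        self.state = set()   # 5-tuples of connections the firewall has seen initiated

    @staticmethod
    def _flow(pkt):
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    @staticmethod
    def _reverse(flow):
        proto, src, sport, dst, dport = flow
        return (proto, dst, dport, src, sport)

    def process(self, ingress, egress, pkt):
        """Return the decision for one packet and update the state table."""
        flow = self._flow(pkt)
        # 1. Return traffic of a tracked connection passes on the state entry alone,
        #    whatever the security levels or ACLs say.
        if self._reverse(flow) in self.state:
            return "allow-state"
        # 2. New connection from a higher to a lower security level: permitted by
        #    default, and recorded so the replies can come back.
        if self.levels[ingress] > self.levels[egress]:
            self.state.add(flow)
            return "allow-default"
        # 3. Low to high (or equal): only with an explicit permit on the ingress ACL.
        for proto, dst, dport in self.permits.get(ingress, []):
            if (proto, dst, dport) == (pkt["proto"], pkt["dst"], pkt["dport"]):
                self.state.add(flow)
                return "allow-acl"
        return "deny"


def tcp(src, sport, dst, dport):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}


# Constructed scenario: an inside client, a DMZ web server and an Internet host.
CLIENT, WEB, INTERNET = "10.1.1.5", "172.16.0.10", "198.51.100.20"


def run_scenario():
    """Replay a short exchange and return the list of decisions, in order."""
    fw = StatefulFirewall(SECURITY_LEVELS,
                          permits={"outside": [("tcp", WEB, 443)]})   # published DMZ web server
    steps = [
        ("inside",  "outside", tcp(CLIENT, 51000, INTERNET, 80)),     # client browses out
        ("outside", "inside",  tcp(INTERNET, 80, CLIENT, 51000)),     # reply: matches state
        ("outside", "inside",  tcp(INTERNET, 80, CLIENT, 51001)),     # same server, unsolicited
        ("outside", "dmz",     tcp(INTERNET, 40000, WEB, 443)),       # allowed by the outside ACL
        ("dmz",     "outside", tcp(WEB, 443, INTERNET, 40000)),       # reply: state, no ACL needed
        ("dmz",     "inside",  tcp(WEB, 40001, CLIENT, 445)),         # DMZ host pivoting inward
    ]
    return [fw.process(ingress, egress, pkt) for ingress, egress, pkt in steps]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The third and sixth steps are the ones a layered design is bought for: a host on the Internet cannot reach the client just because it once talked to it on a different port, and a compromised DMZ server cannot open connections toward the inside without an explicit permit.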
Zone-Based Firewall for VPN connections does not work after IOS upgrade
Hi all,
We use a Cisco 2911 router as corporate gateway, with a Zone-Based Firewall implemented. I upgraded IOS to the latest version (15.2(2)T1), originally 15.1(4)M1, to solve an issue with AnyConnect connections (bug CSCtx38806), but I found that after the upgrade the VPN users are not able to communicate with sources in other zones.
More specific
WebVPN uses this virtual template interface:
interface Virtual-Template100
 description Template for SSLVPN
 ip unnumbered GigabitEthernet0/1.100
 zone-member security INSIDE
There are other zones: VOICE, LAB, ...
In the policy, any connection is allowed (using inspection of icmp, tcp and udp) from the INSIDE zone to the VOICE or LAB zone.
After the VPN connection I am able to reach resources in the INSIDE zone (which is the most important), but not in other zones. Before the upgrade it worked.
Once I changed the zone on the Virtual-Template interface to VOICE, I was able to reach sources in the VOICE zone but not in any other. I searched more and found the stateful firewall is not working for connections from the VPN, as ping is blocked by policy on the return path, i.e. by the VOICE->INSIDE policy; once I allowed communication from the "destination" zone to the INSIDE zone, the connections started to work, but of course it is not something I want to set up.
Does anybody have the same experience?
Regards
Pavel
It seems to me I should add one important note: if a client is connected directly in the INSIDE zone, he can reach resources in other zones without any issue, so the problem is only when the client is connected by VPN, not in the ZBF policy setup.
Pavel -
SSH reset exception via ftp adapter BPEL and ESB
In our BPEL project and our ESB project using FTP adapters, everything starts off with a good connection: files moving, etc. However, whenever it pleases, it will throw an SSH reset exception. I checked with the admins of the servers we are connecting to, and they say there should be no reason why (e.g. permissions, connection time you're allowed, etc.). I observed what happens as these files get picked up and dropped off (I set up a little test environment at home). We have three files moving, so every time it polls it has to reconnect; just wanted to throw that in there, I mean it's obvious, but... Anyway, is there a setting in bpel.xml or some ESB file that has the TTL for the connection to a server or something, or has anyone encountered an SSH reset exception?
Are you using Linux servers to run your SSHD? If so, this is a known problem not limited to the SOA Suite. It turns out that there are many issues with this even when you use e.g. PuTTY. Causes can range from network hardware to certain firewall implementations (masquerading issues). If there's a firewall in play, you might want to give it a try to see if the problem also occurs if you bypass it. IMHO you should try and verify whether the connections keep alive 'outside' of the SOA Suite on the same host.
HTH,
Bas -
IP Blocking / Port Restrictions
For someone not from a networking background, can someone help me with a query I have about IP BLocking on the Listener port?
I have read the best practices for securing Oracle, which state it is best practice to specify a list of allowed IP addresses that can connect to the port which the Oracle listener is listening on, and deny access from untrusted clients. I get the logic behind that. I am also aware Oracle itself doesn't do the port blocking; a firewall does. But which firewall typically will do this IP blocking? Are we talking a firewall installed on the database server, or some sort of perimeter firewall that can also prevent connections to specific servers such as an Oracle database server? Excuse my ignorance on firewalls.
user599292 wrote:
Thanks. So it's not uncommon to have a firewall just for the sole purpose of protecting the database server? Or is it more likely in most setups to find a single corporate firewall will be used to restrict access from specific clients to specific servers?
I agree that a firewall is by far a better option; the Listener is not really suited to deal with IP blocking and it cannot really restrict ports (this needs to be done lower down in the IP stack).
An Oracle Listener is no different than a Mail Server Listener, a Web Server or most any other TCP server. All these have listener processes. They bind a TCP socket to a port number, and then call the listen() socket command to listen for connect() requests from clients.
It's more sensible to deal with network security for these servers in a single firewall implementation and configuration, than to deal with each server separately where there is no consistency in how they support network level security.
A firewall can be software and can be local - one of the better ones is an Open Source application called iptables. This runs as a kernel module and provides a rich feature set of network access and control. From blocking protocols, IPs, subnets to IP masquerading (NAT).
So you do not need an expensive and separate and dedicated firewall to protect a server - it can also be a local firewall on that server that is configured to protect the network services on that server.
I would not use the Oracle Listener to deny access from certain IPs or subnets. Instead, I will use something like iptables, and configure and execute the applicable blocking rule.
But if you go down this route, half measures do not make sense. You should also harden your IP stack. There are a number of config changes that can be done to ensure a robust IP stack, like disabling IP spoof attacks, ignoring broadcast pings (used in some DoS attacks), block source routing, not accept redirects, making sure that the dynamic port range is sane, etc. -
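The reply above lists what a host firewall on the database server should do (allow the listener port only from known clients) and which IP-stack settings go with it. As an added example, not code from the reply's author, the Python script below assembles the corresponding iptables and sysctl commands in the order they have to be applied and prints them by default, so the rule ordering can be reviewed before it is run as root. The listener port 1521, the client networks 10.10.20.0/24 and 10.10.30.15/32 and the interface names are constructed assumptions; replace them with your own.

```python
"""Host firewall and IP-stack hardening for a database listener host (added example)."""
import ipaddress
import shlex
import subprocess

LISTENER_PORT = 1521                     # assumed: the default Oracle listener port
ALLOWED_CLIENTS = ["10.10.20.0/24",      # constructed: application server subnet
                   "10.10.30.15/32"]     # constructed: a single admin host

# sysctl keys covering the items the reply lists, with the value each should have.
SYSCTL_HARDENING = {
    "net.ipv4.conf.all.rp_filter": "1",              # reverse-path check: drop spoofed sources
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",     # no answers to broadcast pings (smurf)
    "net.ipv4.conf.all.accept_source_route": "0",    # refuse source-routed packets
    "net.ipv4.conf.all.accept_redirects": "0",       # ignore ICMP redirects
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.ip_local_port_range": "32768 60999",   # sane ephemeral port range
}


def listener_rules(port, allowed):
    """Ordered iptables INPUT rules: loopback, established replies, allowed clients, then drop."""
    # strict=True rejects host bits set inside a prefix (e.g. 10.10.20.5/24), a common typo
    nets = [ipaddress.ip_network(addr, strict=True) for addr in allowed]
    rules = [
        ["iptables", "-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
        # replies to connections the host opened itself; first so they are never re-evaluated
        ["iptables", "-A", "INPUT", "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]
    for net in nets:
        rules.append(["iptables", "-A", "INPUT", "-p", "tcp", "-s", str(net),
                      "--dport", str(port), "-m", "conntrack", "--ctstate", "NEW",
                      "-j", "ACCEPT"])
    # Everyone else: drop silently (REJECT --reject-with tcp-reset if clients should fail fast).
    rules.append(["iptables", "-A", "INPUT", "-p", "tcp", "--dport", str(port), "-j", "DROP"])
    return rules


def sysctl_commands(settings):
    return [["sysctl", "-w", f"{key}={value}"] for key, value in settings.items()]


def plan(port=LISTENER_PORT, allowed=ALLOWED_CLIENTS, settings=SYSCTL_HARDENING):
    """Full command list in the order it must be applied."""
    return listener_rules(port, allowed) + sysctl_commands(settings)


def apply(commands, dry_run=True):
    """Print the commands (default) or execute them; executing needs root."""
    for cmd in commands:
        if dry_run:
            print(shlex.join(cmd))
        else:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    apply(plan())
```

Two caveats when applying this for real: the rules are appended (-A) to whatever is already in INPUT, so check the existing chain first, and if the listener also binds an IPv6 address the same filtering has to be repeated with ip6tables, otherwise the v4 rules are simply bypassed.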
Problem connecting to a server when using VPN
Hi,
I am new to Linux. I installed a new Oracle Linux server and was able to connect to it from my laptop using PuTTY when I am inside my office. I have a static IP on the Linux server and everything seems to work fine when I am in the office.
However, when I work from home using VPN, I am having a problem connecting to the Linux server using PuTTY. I get timed out.
How do I troubleshoot this issue?
Eski wrote:
I don't have any firewall on the server
So you think the only place for a firewall is on your server?
see this:
[root@poc2 network-scripts]# service iptables status
Firewall is stopped.
"It's not a firewall issue." I beg to differ. You are going through a network that has multiple firewalls. You probably have a home router, and that probably has a firewall implementation. Your ISP most certainly has multiple firewalls, as does your company's system at the other end of the VPN.
"Where can I check next? (I don't have network admin support. This is my POC, proof-of-concept, project.)" If you are using a VPN, then you have a network admin somewhere at the other end of that VPN, and it appears he/she is in your own company. What prevents you from talking to him? Certainly it's not because you are trying to secretly circumvent your company's security to do your POC project?
Edited by: EdStevens on May 18, 2013 3:33 PM -
I'm quite a newbie for Linux, but not afraid of the command line. It's the way to learn how things work, isn't it? Is that good enough to try Arch? I'll see.
I've had it with Windows and would like to get a working, good-performing and stable desktop with basic SOHO apps installed and VMware to experiment with other distros and OSes without multibooting.
So I need a no-nonsense, lightweight OS on top which is compatible with all my hardware, and is capable of running VMware and... eh... there was some very good performing what's-it-called program to run any other Linux. So I can use Windows in a virtual machine as long as I need it.
Arch and Vector are both famous for speed.
So... how is Arch compared to Vector on speed, compatibility, stability?
And since my computer is online 24 hours a day, security isn't unimportant.
So... are they... usable for my goal? If not, does anyone have a better idea?
I find Arch faster than Vector. Vector is actually made for slower machines, while Arch is designed for PIII or AMD K7 and up.
Vector is more oriented towards the newcomer, more graphic configuration tools and the like, while Arch is aimed towards people more used to editing text configuration files.
Security, well, both enable you to use iptables, which is how I usually secure a machine. There are various other firewall implementations out there, which should work on either distribution.
Vector makes it a ~bit~ (in my opinion, and this could just be because I haven't used it that much and didn't do that much research) harder to get under the hood, so to speak, and edit the various configuration files.
Both are nice distributions, with different target audiences. I think you'll learn more about Linux using Arch, but that could be my opinion. Vector is based on Slackware, which is sort of the classic vanilla Linux.
On a 686 (PIII or K7 and up) I think you'll find Arch to be faster. -
Implementing WAAS with Firewall
Hello,
I'm about to run a WAAS implementation project, but I have got the prerequisites below that should be applied on the firewalls, from one of my colleagues; can you please let me know whether this is true?
1) disable checking of the TCP sequence number fields
2) allow TCP option modifications.
Doing this may leave the customer LAN environment vulnerable to DoS attacks. In addition, Cisco has encountered many challenges getting WAAS to work even when both of these items have been changed on the FWs.
Thanks. I see the following options for deploying WAAS:
Disable a bunch of security checks on the firewall(s) to allow WAAS traffic to flow through
Use Directed Mode in WAAS to tunnel optimized traffic through the firewall
Place the WAAS devices "outside" the firewalls so that the firewall(s) only see the LAN side (i.e. unoptimized) traffic
I'm personally not a fan of (1) or (2) above, since they reduce the level of benefit provided by the firewall(s) or hide optimized traffic from them all together. Option (3) may be an option, but it depends on your topology.
Do you have a topology diagram of your deployment that you can share?
Thanks,
Zach -
Implementing Firewall behind Catalyst 2950 SI Switch
Hi,
Current Scenario:
2 x 3700 series routers in active-standby configuration (HSRP) . They are implementing IOS SLB and NAT.
Behind these a 2950-24 switch. This box has only the Standard Image.
Behind this again are a number of Windows servers requiring protection.
Requirement:
Implement Firewall Solution with SonicWall in order to protect a subset of these hosts.
Questions:
1. Can the Firewall be 'hung' off the switch and create port-based VLAN's?
2. Would this involve sub-interfaces on the Firewall? I read in SonicWall doc. that with appropriate Firmware upgrade, it can implement sub-interfaces, but requires a 802.1q-capable switch.
3. Leading on from 2., I believe 2950-24 cannot run 802.1q since it runs only a Standard Image(SI), according to CCO. Is this true?
4. Any other advice appreciated.
Thanks again.
Hi,
Yes you can: create two VLANs on the switch, say 20 and 30. Assign the ports for the external firewall interface and the routers to VLAN 20. Assign the ports for the servers and the internal interface of the firewall to VLAN 30.
You should not need sub-interfaces, as the firewall will have separate external and internal interfaces.
Let me know if I have pointed you in the right direction or if I have not gotten the right end of your question.