Re: medical records, web server, & stateful firewall vs packet filter

Discussion in 'Cisco' started by stephen, Nov 10, 2005.

  1. stephen

    stephen Guest

    "netlist" <> wrote in message
    > Hi,
    > Looking for opinions about the following situation:
    > Our customer runs a medical imaging service. There are three
    > components: web
    > server, image server and SQL server. The web server needs to be
    > publically
    > accessible over the Internet. The web server needs to be able to access
    > the
    > image and SQL servers directly (the image server link in particular
    > needs to
    > be >1Gbps because the images are so large). The image and SQL servers
    > need
    > to be accessible from the Internet only via VPN.

    If the images go "out" to someone, then you need Gb/s Internet capacity as
    well - so the big piece is a hosting problem rather than networking.

    /Cop out Clause/ - this is free advice from someone you don't know over the
    Internet - so you are getting exactly what you haven't paid for.........

    I work for a company that among other things hosts big web sites (not in my
    area - I worry more about electronic plumbing).

    You don't mention just how critical this is and how much you think you can
    spend - so this may be way over the top (or not).

    Standard paranoia architecture is for 2 "layers" of servers segregated by

    Internet -> f/wall1 -> load balancers -> web servers -> f/wall2 -> sets of
    backend servers

    (with a few variations)

    Add parallel stuff to required resilience / performance level.

    You also need other connections to support this - links to backup servers
    (via the firewalls again - someone might hack into your backups rather than
    into the production stuff if it is easier), management / control / telemetry
    networks (via the firewalls for similar reasons). If it helps, our hosting
    designers cheered when Cisco started supporting more than 6 to 8 interfaces
    on a PIX.

    The 2 firewall layers should run different s/ware - the idea is that a major
    attack needs to get to the back end servers and has to get through 2 different
    firewalls. If you are really paranoid you apply similar logic to servers,
    management tools.

    Backend servers may need to be firewalled from each other as well as the
    front end - depends how much compartmentation you need.

    If the firewalls come from different suppliers and use different s/ware etc,
    then they are unlikely to have an identical vulnerability, and since you
    then have to configure them in different ways it is harder to leave the same
    "hole" in both in the config......

    Firewalls are about protecting data, intrusion detect / prevent etc is about
    knowing when they aren't working properly.

    If you are serious about this you probably need a similar smaller scale test
    setup for new changes, development and so on. It also means you can do some
    testing without compromising the live data set. And then there is testing
    before it goes live so you can prove it is secure (or more likely the 1st
    time that it isn't).......

    None of this is useful unless you look after the installation once it is
    live, so installing firewalls, IDS etc is only useful if the operations team
    can handle the info they get, keep them up to date and generally give the
    system ongoing care and attention.
    > My plan so far is to bond multiple 1Gbps NIC's on the web and image
    > servers and connect them via etherchannel on a Cisco 3750. The 3750
    > would act as a

    I would ignore what you need at layer 2 until you decide which expensive bits
    you need to glue everything together, since layer 2 / 3 switching is
    (relatively) cheap.

    For example the obvious choice for a Cisco firewall to run at N * Gb/s is a
    Cat 6k firewall services module (last time I checked the module without
    software was $35k list, and you might want more than 1) - if you go that way
    put your ethernet ports in the same box. The FWSM can go at around 5 Gb/s on
    a good day and handle up to 100 logical interfaces, and it can pretend to be
    multiple firewalls - which helps keep the rulesets manageable. You can get
    similar throughput on Nokia and Netscreen / Juniper boxes.

    Also N * gig parallel pipes gets painful very quickly as your bandwidth
    needs go up - so maybe you should think about 10G plumbing on trunks. Also N
    * Gb/s may not be feasible on a single server - so maybe load balancers and
    multiple parallel servers to get the throughput (and /or any replication
    needed for resilience)? Needing to connect up using numbers of 10G ports
    again pushes you towards Cat 6k.....

    Mind you the number of systems that really need to go at Gbps speeds is a
    small fraction of the number where somebody says "and of course it must need
    multiple Gbps throughput"......

    > packet filter between the servers. The SQL server would attach to that
    > too.

    Packet filters are not best practice unless you have a brain the size of a
    planet. Even then, someone has to maintain them later.... Anyway you get
    much better logging on a real firewall for when you have to find out what
    happened at some point. (this is personal opinion - there are people /
    bigots of every persuasion in this area of networking just like in all the

    assuming you are in the US - HIPAA?

    No idea what that does to your requirements but Vincent made some points
    about having to prove you have worked to best practice rather than just do
    it. So, if this is the 1st time you will do this, I would want some
    professional / expert help - if nothing else it spreads the blame (or if
    lucky provides assurance that you have chosen an appropriate level of

    I suspect you may have to worry about a periodic security audit at some
    point as well, so everything and its dog needs to be documented, formal
    testing, change control, paper trails blah blah....

    If all this sounds expensive then it is - the rule of thumb is that "real"
    security always costs a lot more than you expect (this comes up whenever we
    need another person for the in-house security team - they believe it). The
    side effects (such as inconvenience, vetting, separation of security teams
    from server / data ops teams and so on) increase cost even more. So you may
    want to go and find someone to do some of that for you.

    I would split SQL and image servers into different firewall zones. You might
    have to do less image protection (or use a much more expensive firewall) -
    but SQL bandwidth will be relatively low.

    Also you need to think about what you protect - does an image help a data
    thief without the info from SQL to tell them what they are looking at - i.e.
    does a penetration need to get to both back end server types, or just 1?

    Finally if security is important then you don't let the s/ware engineers
    dictate what flows across the architecture - the security team tells them
    what they are allowed to push around and they work inside that.

    The comments about netbios over IP make me think no one has even thought
    about security yet.

    > Then I would set a Cisco ASA 5510 between the 3750 and the Internet, to
    > terminate VPN connections as well as provide stateful firewall and maybe
    > some application filtering services for the webserver.
    > My question at this point is: am I making a mistake by placing a stateful
    > firewall between the webserver and the Internet? Maybe a simple packet
    > filter would be less prone to DoS attacks. I could stick a Cisco 2800
    > there instead. I have always believed that a stateful firewall device
    > like a PIX or ASA 5500 would offer better overall protection than a
    > packet filter (I need to limit access to the image and SQL servers too),
    > but some feedback I've received recently is causing me to question this
    > assumption.
    > Anyone care to point me in the right direction?

    The bit you haven't mentioned is the VPN. If you want encrypted data and
    access at Gb/s throughput then that is another big problem.

    If the VPN isn't sized for those kinds of throughput (or the "customer end"
    doesn't have that kind of connection speed) then you don't need such high
    speeds between the servers - the VPN will act as a bottleneck.
    > TIA,
    > Adam


    - replace xyz with ntl
    stephen, Nov 10, 2005

  2. netlist

    netlist Guest

    Thanks much for your extensive feedback, which is much appreciated.

    netlist, Nov 18, 2005
