Re: [fw-wiz] segmentation of DMZs
From: Carson Gaspar (carson@taltos.org)
Date: 11/14/02
- Next message: Lorens Kockum: "Re: [fw-wiz] Mainframes on the Net?"
- Previous message: Paul D. Robertson: "Re: [fw-wiz] segmentation of DMZs"
- In reply to: Shimon Silberschlag: "[fw-wiz] segmentation of DMZs"
- Next in thread: Mikael Olsson: "Re: [fw-wiz] segmentation of DMZs"
- Reply: Mikael Olsson: "Re: [fw-wiz] segmentation of DMZs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Carson Gaspar <carson@taltos.org> To: firewall-wizards@honor.icsalabs.com Date: Thu Nov 14 17:42:01 2002
--On Thursday, November 14, 2002 12:35 PM +0200 Shimon Silberschlag <shimons@bll.co.il> wrote:
> As a spin-off for the thread "Flat vs. Segmented DMZ's", I would like
> to ask the group if they support/oppose segmenting even segments
> conducting the same work to sub-segments.
Let's take the extreme cases, as a pedagogical exercise. I'll address your
specific case below, if you want to skip the exercise ;-)
a) Everything on the same flat segment
Pro:
Easy address space allocation
Allows any application architecture
Low firewall port count
Simple routing
Low operational / debugging complexity
Con:
If any exposed service is compromised, you rely on host security to repel
further attacks
b) Every system is on a separate segment
Pro:
Every system must be compromised via the minimal exposed services to an
external or already compromised system
Con:
Address space nightmare (can be solved with a bridging firewall)
Application architecture must be explicitly provisioned, every time it
changes (may be seen as a Pro)
A sufficiently bad application architecture can require the inter-system
protection to be effectively nil
Enormous firewall port count (802.1q helps)
Complex routing / bridging
High operational / debugging complexity
So, as usual, you have a set of tradeoffs. Increased security (with
diminishing returns), vs. increased operational and deployment costs.
In your case, separating authenticated and non-authenticated services (or
sensitive and non-sensitive) does not significantly increase the number of
compartments, and does give a significant security benefit (in my opinion,
of course). Assuming your deployed switching, routing, and firewall
technologies support it, I'd say do it.
And a plug for my current favorite firewall vendor: Netscreen supports
complex routing, virtual firewalls, bridging, and 802.1q. If you want to go
towards the compartmented extreme, they're a good fit.
I haven't actually seen one, much less used one, but the Cisco PIX switch
blade may also be worth looking at.
-- Carson
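An added illustration, not part of Carson's post or anything on the list: a small Python model of the blast-radius difference between the flat layout (case a) and the authenticated / non-authenticated split he recommends. The hosts, ports, segment names and firewall rules are constructed for the example; reaching a service is treated, pessimistically, as reaching the host behind it, which is exactly the "rely on host security" concern from the flat case.

```python
"""Blast-radius comparison for a flat DMZ versus a compartmented one."""
from collections import deque

# Constructed sample hosts and the services each one listens on (hypothetical).
SERVICES = {
    "www": {"80"},            # anonymous web server
    "portal": {"443", "22"},  # authenticated web application
    "db": {"5432", "22"},     # database used only by the portal
}

# Segment assignments. FLAT is case a) from the post; SPLIT is the
# authenticated / non-authenticated separation discussed in the thread.
FLAT = {"www": "dmz", "portal": "dmz", "db": "dmz"}
SPLIT = {"www": "public", "portal": "auth", "db": "data"}

# Firewall policy between segments: (src, dst) -> set of "host:port" permitted.
# Traffic inside one segment is unfiltered. Constructed sample policy.
SPLIT_POLICY = {
    ("auth", "data"): {"db:5432"},
}

def exposed_services(segment_of, services, policy, compromised):
    """Worst-case set of (host, port) an attacker holding `compromised` can reach.

    Reaching any service is treated as a potential compromise of that host
    (the pessimistic assumption behind the "rely on host security" point),
    so the walk continues from every host whose service becomes reachable.
    """
    reached, owned, queue = set(), {compromised}, deque([compromised])
    while queue:
        src = queue.popleft()
        for dst, ports in services.items():
            if dst in owned:
                continue  # already compromised; nothing new is exposed
            if segment_of[dst] == segment_of[src]:
                allowed = {(dst, p) for p in ports}  # same segment: unfiltered
            else:
                rule = policy.get((segment_of[src], segment_of[dst]), set())
                allowed = {(dst, p) for p in ports if f"{dst}:{p}" in rule}
            reached |= allowed
            if allowed:
                owned.add(dst)
                queue.append(dst)
    return reached

if __name__ == "__main__":
    for name, layout, policy in (("flat", FLAT, {}), ("split", SPLIT, SPLIT_POLICY)):
        print(name, sorted(exposed_services(layout, SERVICES, policy, "www")))
```

Running it shows that a compromised anonymous web server reaches every other service in the flat layout and nothing in the split one, while a compromised portal in the split layout still reaches only the single database port the policy allows.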