Re: [fw-wiz] segmentation of DMZs

From: Carson Gaspar
Date: Thu Nov 14 17:42:01 2002

--On Thursday, November 14, 2002 12:35 PM +0200 Shimon Silberschlag
<> wrote:

> As a spin-off for the thread "Flat vs. Segmented DMZ's", I would like
> to ask the group if they support/oppose segmenting even segments
> conducting the same work to sub-segments.

Let's take the extreme cases, as a pedagogical exercise. I'll address your
specific case below, if you want to skip the exercise ;-)

a) Everything on the same flat segment

Pros:
Easy address space allocation
Allows any application architecture
Low firewall port count
Simple routing
Low operational / debugging complexity

Cons:
If any exposed service is compromised, you rely on host security to repel
further attacks

b) Every system is on a separate segment

Pros:
Every system must be compromised via the minimal exposed services to an
external or already compromised system

Cons:
Address space nightmare (can be solved with a bridging firewall)
Application architecture must be explicitly provisioned, every time it
changes (may be seen as a Pro)
A sufficiently bad application architecture can require the inter-system
protection to be effectively nil
Enormous firewall port count (802.1q helps)
Complex routing / bridging
High operational / debugging complexity

So, as usual, you have a set of tradeoffs. Increased security (with
diminishing returns), vs. increased operational and deployment costs.

In your case, separating authenticated and non-authenticated services (or
sensitive and non-sensitive) does not significantly increase the number of
compartments, and does give a significant security benefit (in my opinion,
of course). Assuming your deployed switching, routing, and firewall
technologies support it, I'd say do it.

And a plug for my current favorite firewall vendor: Netscreen supports
complex routing, virtual firewalls, bridging, and 802.1q. If you want to go
towards the compartmented extreme, they're a good fit.

I haven't actually seen one, much less used one, but the Cisco PIX switch
blade may also be worth looking at.
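As an added illustration of the tradeoff discussed above (this is not code from the original post or from any vendor), the following model computes, for a constructed five-host DMZ and a constructed firewall policy, which hosts and ports one compromised host can reach directly under the flat design, the one-segment-per-system design, and the middle case of splitting authenticated from non-authenticated services. All host, segment and rule names are assumptions made for the example.

```python
# Added example: compare the direct "blast radius" of one compromised DMZ host
# under three segmentation designs. Hosts, segments and rules are constructed.

# host -> (functional segment, exposed service ports); constructed sample DMZ
HOSTS = {
    "web1":  ("web",  {80, 443}),   # non-authenticated, public-facing
    "web2":  ("web",  {80, 443}),
    "auth1": ("auth", {443}),       # authenticated services
    "db1":   ("db",   {3306}),      # sensitive backend
    "mail1": ("mail", {25}),
}

# Firewall policy per design as (src_segment, dst_segment, port) rules.
# Traffic inside one segment never crosses the firewall, so it is implicitly
# allowed (the point of case "a" in the post). Constructed for illustration.
POLICIES = {
    "flat": [],
    "functional": [("web", "auth", 443), ("auth", "db", 3306)],
    "per_system": [("web1", "auth1", 443), ("web2", "auth1", 443),
                   ("auth1", "db1", 3306)],
}

def segment_of(host, design):
    """Map a host to the segment it sits on under the given design."""
    functional_segment, _ = HOSTS[host]
    if design == "flat":
        return "dmz"                 # everything on one segment
    if design == "per_system":
        return host                  # every system on its own segment
    return functional_segment        # the middle case the post recommends

def reachable(compromised, design):
    """Return the set of (host, port) a compromised host can reach directly."""
    src_seg = segment_of(compromised, design)
    out = set()
    for host, (_, ports) in HOSTS.items():
        if host == compromised:
            continue
        dst_seg = segment_of(host, design)
        for port in ports:
            same_segment = src_seg == dst_seg
            allowed = (src_seg, dst_seg, port) in POLICIES[design]
            if same_segment or allowed:
                out.add((host, port))
    return out

if __name__ == "__main__":
    for design in POLICIES:
        print(design, sorted(reachable("web1", design)))
```

Running it shows the diminishing-returns curve the post describes: a compromised web1 reaches every other exposed port on the flat segment, only the auth service on the functional split, and still only the auth service with one segment per system.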