Re: [fw-wiz] segmentation of DMZs

From: Carson Gaspar (carson@taltos.org)
Date: 11/14/02


From: Carson Gaspar <carson@taltos.org>
To: firewall-wizards@honor.icsalabs.com
Date: Thu Nov 14 17:42:01 2002


--On Thursday, November 14, 2002 12:35 PM +0200 Shimon Silberschlag
<shimons@bll.co.il> wrote:

> As a spin-off for the thread "Flat vs. Segmented DMZ's", I would like
> to ask the group if they support/oppose segmenting even segments
> conducting the same work to sub-segments.

Let's take the extreme cases, as a pedagogical exercise. I'll address your
specific case below, if you want to skip the exercise ;-)

a) Everything on the same flat segment

Pro:

Easy address space allocation
Allows any application architecture
Low firewall port count
Simple routing
Low operational / debugging complexity

Con:

If any exposed service is compromised, you rely on host security to repel
further attacks

b) Every system is on a separate segment

Pro:

Every system must be compromised via the minimal exposed services to an
external or already compromised system

Con:

Address space nightmare (can be solved with a bridging firewall)
Application architecture must be explicitly provisioned, every time it
changes (may be seen as a Pro)
A sufficiently bad application architecture can require the inter-system
protection to be effectively nil
Enormous firewall port count (802.1q helps)
Complex routing / bridging
High operational / debugging complexity

So, as usual, you have a set of tradeoffs. Increased security (with
diminishing returns), vs. increased operational and deployment costs.

In your case, separating authenticated and non-authenticated services (or
sensitive and non-sensitive) does not significantly increase the number of
compartments, and does give a significant security benefit (in my opinion,
of course). Assuming your deployed switching, routing, and firewall
technologies support it, I'd say do it.

And a plug for my current favorite firewall vendor: Netscreen supports
complex routing, virtual firewalls, bridging, and 802.1q. If you want to go
towards the compartmented extreme, they're a good fit.

I haven't actually seen one, much less used one, but the Cisco PIX switch
blade may also be worth looking at.

-- 
Carson
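The trade-off Carson describes above (a flat DMZ relying on host security versus per-system segments that only pass explicitly provisioned flows, and the "sufficiently bad application architecture" case where those segments buy nothing) can be put in a small reachability model. This is an added example, not code from the original post; the hosts, the required application flows, and the assumption that every reachable exposed service can in turn be compromised are constructed for illustration.

```python
"""Added example (not part of the original message): compare the set of DMZ
hosts exposed to lateral movement from one compromised service under a flat
segment and under one-segment-per-system with explicitly provisioned flows."""
from collections import deque

# Constructed sample DMZ: hosts and the flows the application genuinely needs.
HOSTS = {"web", "app", "db", "mail", "dns"}
APP_FLOWS = {            # src -> destinations the application must reach
    "web": {"app"},
    "app": {"db"},
    "db": set(),
    "mail": set(),
    "dns": set(),
}

def flat_policy(hosts):
    """Case (a): one flat segment, any host may reach any other host."""
    return {h: set(hosts) - {h} for h in hosts}

def segmented_policy(hosts, flows):
    """Case (b): one segment per host, only provisioned flows are permitted."""
    return {h: set(flows.get(h, ())) & (set(hosts) - {h}) for h in hosts}

def any_to_any_flows(hosts):
    """A 'sufficiently bad' architecture: every host must talk to every other."""
    return {h: set(hosts) - {h} for h in hosts}

def reachable(policy, start):
    """Hosts exposed to onward compromise from `start`, assuming (pessimistically)
    that each host reached over a permitted flow can itself be compromised."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in policy[cur] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {start}

def blast_radius(policy, start):
    """Number of other hosts exposed if `start` is compromised."""
    return len(reachable(policy, start))

if __name__ == "__main__":
    for name, pol in [("flat", flat_policy(HOSTS)),
                      ("segmented", segmented_policy(HOSTS, APP_FLOWS)),
                      ("segmented, any-to-any app", segmented_policy(HOSTS, any_to_any_flows(HOSTS)))]:
        print(f"{name:28s} compromised web exposes {blast_radius(pol, 'web')} host(s)")
```

With the constructed flows a compromised web server exposes every other host on the flat segment, only app and db under per-system segments, and again every host when the application itself demands any-to-any connectivity.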

