RE: [fw-wiz] segmentation of DMZs

From: Ofir Arkin (ofir@sys-security.com)
Date: 11/18/02


From: "Ofir Arkin" <ofir@sys-security.com>
To: "'Scott, Richard'" <Richard.Scott@BestBuy.com>, "'Shimon Silberschlag'" <shimons@bll.co.il>, <firewall-wizards@honor.icsalabs.com>
Date: Mon Nov 18 17:08:01 2002

Answering the philosophical questions...

>I would say you would need to separate in to functional logical groups
the
>data that is being hosted. For example, a compromise of one system
should
>not compromise the other system that are functionality or
organizationally
>(business sense) separate. However, it will be extremely difficult in
>securing different classified data on the same application if they are
>utilizing the same business operation model for interfacing with the
>customer.

The questions and the example given were only given as an example. They
do not represent an entire classification process.

>And hence the philosophical questions. One should not place such
highly
>confidential data on a system that is Internet and customer facing?
(This
>does not mean one using the Internet as such). If the ramification of
data
>and operational unauthorized access is very high, thorough separation
is
>required, not just risk mitigation.

You need to understand what the type of information served is. It is
regarded secret by both the customer (its own banking information) and
the bank (regulation). It is not a Nation's top secret information that
is served off an Internet web server...

We both know that certain type of information will never be
posted/stored on Internet servers.

The design should take into account the application way of operation and
a plethora of other issues regarding the way of operation, business
flows, and other issues...

>Thus, do we segment at the physical layer or logical layer? What are
the
>essential relationships between the applications?

We segment on both layers - physical and logical. Sometimes we make the
tradeoffs. I thought it was an obvious point.

>People's view may change as ecommerce security increases in engineering
>capacity rather than add on solutions like firewalls and IDS. Is an
>Internet facing venture really as risky as it was ten years ago?

Firewalls and IDSs do not provide protection against security breaches.
They are only two pieces in a puzzle; a puzzle which is sometimes 8
pieces and sometimes 10,000.

Yours,
Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA



Relevant Pages

  • Verizon "Broadband Router" the Perfect Trojan Horse
    ... Verizon "Broadband Router" the perfect Trojan Horse ... users to access the Internet over the FIOS fiber. ... at the top of the press release as a tool for customer support. ...
    (comp.dcom.telecom)
  • Re: I Never Thought I Would Agree With AT&T, But I Agree On This
    ... What worries AT&T is the idea that you might stream the ... same TV content over the Internet -- without paying the additional TV ... Some days I may watch more than an hour ... customer, call customer service and say "Do you offer this DSL (or ...
    (soc.retirement)
  • Re: Inaccessible Port 80 - Pentest
    ... but stick to layer thee. ... A mixture of layer 3 port filtering to restrict you to port 80 would seem to be inplace. ... Perhaps it was a 'collection' server that only allowed clients to post or put Http. ... Internet, open one port on it and then block it from public use? ...
    (Pen-Test)
  • Re: FOR SALE: Brand New and Unused - Netgear ProSafe 48 Port Gigabit Managed Switch (GS752TXSB&#
    ... The Dead uk.adverts.computer Sketch ... A customer enters the Demon Internet shop. ... Customer: 'Ello, I wish to register a complaint. ... Look, if you go to my brother's internet shop in Bolton, he'll ...
    (uk.adverts.computer)
  • Re: IBM to the PCM market(the sky is falling!!!the sky is falling!!)
    ... Some may not even let you connect to their network without a virus scan, let alone get out to the internet. ... And how do you reacon you put that in your attachi case when setting out to a customer location for doing a demo??? ... it was a good use/example of what's possible with fairly inexpensive modern technology.] ... For IBM-MAIN subscribe / signoff / archive access instructions, ...
    (bit.listserv.ibm-main)