RE: [fw-wiz] segmentation of DMZs
From: Ofir Arkin (ofir@sys-security.com)
Date: 11/18/02
- Next message: Scott Mraz: "[fw-wiz] 802.11 Wireless ISP/WLAN"
- Previous message: Scott, Richard: "RE: [fw-wiz] segmentation of DMZs"
- In reply to: Scott, Richard: "RE: [fw-wiz] segmentation of DMZs"
- Next in thread: Lorens Kockum: "Re: [fw-wiz] Mainframes on the Net?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ofir Arkin" <ofir@sys-security.com>
To: "'Scott, Richard'" <Richard.Scott@BestBuy.com>, "'Shimon Silberschlag'" <shimons@bll.co.il>, <firewall-wizards@honor.icsalabs.com>
Date: Mon Nov 18 17:08:01 2002
Answering the philosophical questions...
> I would say you would need to separate into functional logical groups the
> data that is being hosted. For example, a compromise of one system should
> not compromise the other systems that are functionally or organizationally
> (business sense) separate. However, it will be extremely difficult in
> securing different classified data on the same application if they are
> utilizing the same business operation model for interfacing with the
> customer.
The questions and the example were only given as an example. They do not
represent an entire classification process.
> And hence the philosophical questions. One should not place such highly
> confidential data on a system that is Internet and customer facing? (This
> does not mean one using the Internet as such). If the ramification of data
> and operational unauthorized access is very high, thorough separation is
> required, not just risk mitigation.
You need to understand what type of information is served. It is
regarded as secret by both the customer (its own banking information) and
the bank (regulation). It is not a nation's top secret information that
is served off an Internet web server...

We both know that certain types of information will never be
posted/stored on Internet servers.

The design should take into account the application's way of operation and
a plethora of other issues regarding the way of operation, business
flows, and other issues...
> Thus, do we segment at the physical layer or logical layer? What are the
> essential relationships between the applications?
We segment on both layers - physical and logical. Sometimes we make the
tradeoffs. I thought it was an obvious point.
> People's view may change as ecommerce security increases in engineering
> capacity rather than add on solutions like firewalls and IDS. Is an
> Internet facing venture really as risky as it was ten years ago?
Firewalls and IDSs do not provide protection against security breaches.
They are only two pieces in a puzzle; a puzzle which is sometimes 8
pieces and sometimes 10,000.
Yours,
Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA