Re: [fw-wiz] ASP/Hosting Architecture

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 11/05/04

    To: Don Kendrick <strider@mailworks.org>
    Date: Thu, 4 Nov 2004 23:47:05 -0500 (EST)
    
    

    On Tue, 2 Nov 2004, Don Kendrick wrote:

    > Dear Wizards,
    >
    > Need some direction/advice from anyone that has worked in the
    > development of a network/firewall architecture for an ASP or hosting
    > company. I'm currently working on developing a plan for an organization
    > that will host multiple organizations' IT infrastructures. Some of the
    > organizations have a high risk tolerance and some have (or should have)
    > a very low tolerance.
    >
    > When you look at developing a network/security architecture for an
    > organization, you are usually looking at one organization's assets and
    > can then apply the standards for tiering (presentation, application,
    > and data) and segmentation based on criticality and confidentiality.
    >
    > The problem is how do we do this in an environment that also has to be
    > segmented based on owner. Things start to not scale well quickly. Lots
    > of firewalls, segmented SAN/NAS devices, segmented enterprise backup
    > systems. If you don't address some of this you run the risk of the
    > weakest link being exploited to escalate into other more secure
    > co-located systems that might share infrastructure.

    You have a few choices, either make a limited number of zones, and
    replicate the environment for that number (3 or 4 max) and place
    organizations into a particular zone based on their self-confessed
    tolerance, make the infrastructure as hardened as possible, make the
    organizational stuff not able to talk to each other, and carry the risk
    that's left, or build out each thing individually. Which is right depends
    heavily upon resources, security visibility and scale.

    > I'm sure that there are some organizations with this type of problem
    > that do it the wrong way, basically going flat with the tiering and/or
    > data segmentation and only segmenting (maybe even only with VLANs) on
    > the data owner (hosting client).

    Yep, lots of places do it wrong.

    > Is anyone doing it right? How do you make it scale? Any models, ideas?

    It also depends on your idea of secure and what resources have to be
    shared. I happen to think multi-level secure systems work well for this
    sort of thing; Marcus probably doesn't agree at all. We probably both
    agree that the administrative overhead is pretty ugly though ;)

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson
    paul@compuwar.net
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
