Re: [fw-wiz] ASP/Hosting Architecture
From: Chris Pugrud (chris_at_pugrud.net)
To: firstname.lastname@example.org Date: Thu, 18 Nov 2004 04:43:50 -0800 (PST)
I lived in this world for a few years and it was a very blood and guts
initiation to compartmentalized network security. The company was shutdown by
VC greed, but it was running strong up to that point. I have the hindsight of
a couple of years to know how I could have done it better, but at the time my
primary focus was unraveling the mess and getting into a solid state that was
auditable and was SAS-70 certified (which undermined my appreciation for
The ASP hosted financial and CRM systems for a specialized sphere of startup
hardware manufacturers. Because the ASP focused on a very specific business
segment they were able to quickly implement full ERP systems (the record was 42
days for a full ERP implementation for a running, shipping, customer). It also
meant that all of the ASP's customers were direct competitors of each other
(including a few that have already been mentioned in this thread). Obviously
the systems had to be secure against the outside world, but it had to maintain
and insure the security of internal compartments against each other.
Each of the customers was broken out on their own hardware, including private
network switches, hub and spoke from a hardened core. Access to and from the
backup system was tightly controlled. A limited amount of administrative
systems were given access to the customer systems. Customer access was via ASP
owned equipment, including private T1 lines that were IPSEC (3DES) encrypted.
The VPN hardware controlled access between the customers and the core, the core
controlled access between the servers and the customer. Overlapping customer
(RFC1918) issues were dealt with by FM in the VPN hardware.
The common points of vulnerability were the backup compartment and the admin
compartment. The customer compartments had no visibility or access outside of
their compartment, they could only respond to requests from the admin, backup,
and customer client systems.
No working design can be perfect, but we did the best with the technology and
understanding available that we could. The design was audited, certified, and
even received praise from a group of grey-hat "security researchers" that
I'd be happy to share some more lessons learned, but it's probably more
--- Don Kendrick <email@example.com> wrote:
> Dear Wizards,
> Need some direction/advise from anyone that has worked in the
> development of a network/firewall architecture for an ASP or hosting
> company. I'm currently working on developing a plan for an organization
> that will host multiple organization's IT infrastructures. Some of the
> organizations have a high risk tolerance and some have (or should have)
> a very low tolerance.
> When you look at developing a network/security architecture for an
> organization, you are usually looking at one organization's assets and
> can then apply the standards for tiering (presentation, application,
> and data) and segmentation based on criticality and confidentiality.
> The problem is how do we do this in an environment that also has to be
> segmented based on owner. Things start to not scale well quickly. Lots
> of firewalls, segmented SAN/NAS devices, segmented enterprise backup
> systems. If you don't address some of this you run the risk of the
> weakest link being exploited to escalate into other more secure
> co-located systems that might share infrastructure.
> I'm sure that there are some organizations with this type of problem
> that do it the wrong way, basically going flat with the tiering and/or
> data segmentation and only segmenting (maybe even only with VLANs) on
> the data owner (hosting client).
> Is anyone doing it right? How do you make it scale? Any models, ideas?
> firewall-wizards mailing list
firewall-wizards mailing list