Re: [fw-wiz] ASP/Hosting Architecture

From: Chris Pugrud (chris_at_pugrud.net)
Date: 11/18/04

  • Next message: Nathaniel Hall: "[fw-wiz] Load Balancing"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 18 Nov 2004 04:43:50 -0800 (PST)
    
    

    Don,

    I lived in this world for a few years and it was a very blood-and-guts
    initiation to compartmentalized network security. The company was shut down by
    VC greed, but it was running strong up to that point. I have the hindsight of
    a couple of years to know how I could have done it better, but at the time my
    primary focus was unraveling the mess and getting into a solid state that was
    auditable and was SAS-70 certified (which undermined my appreciation for
    SAS-70).

    The ASP hosted financial and CRM systems for a specialized sphere of startup
    hardware manufacturers. Because the ASP focused on a very specific business
    segment they were able to quickly implement full ERP systems (the record was 42
    days for a full ERP implementation for a running, shipping, customer). It also
    meant that all of the ASP's customers were direct competitors of each other
    (including a few that have already been mentioned in this thread). Obviously
    the systems had to be secure against the outside world, but they also had to
    maintain and ensure the security of internal compartments against each other.

    Each of the customers was broken out on their own hardware, including private
    network switches, hub and spoke from a hardened core. Access to and from the
    backup system was tightly controlled. A limited number of administrative
    systems were given access to the customer systems. Customer access was via ASP
    owned equipment, including private T1 lines that were IPsec (3DES) encrypted.
    The VPN hardware controlled access between the customers and the core, the core
    controlled access between the servers and the customer. Overlapping customer
    (RFC1918) issues were dealt with by FM in the VPN hardware.

    The common points of vulnerability were the backup compartment and the admin
    compartment. The customer compartments had no visibility or access outside of
    their compartment; they could only respond to requests from the admin, backup,
    and customer client systems.

    No working design can be perfect, but we did the best with the technology and
    understanding available that we could. The design was audited, certified, and
    even received praise from a group of grey-hat "security researchers" that
    successfully IPO'd.

    I'd be happy to share some more lessons learned, but it's probably more
    appropriate off-list.

    Chris

    --- Don Kendrick <strider@mailworks.org> wrote:

    > Dear Wizards,
    >
    > Need some direction/advice from anyone that has worked in the
    > development of a network/firewall architecture for an ASP or hosting
    > company. I'm currently working on developing a plan for an organization
    > that will host multiple organizations' IT infrastructures. Some of the
    > organizations have a high risk tolerance and some have (or should have)
    > a very low tolerance.
    >
    > When you look at developing a network/security architecture for an
    > organization, you are usually looking at one organization's assets and
    > can then apply the standards for tiering (presentation, application,
    > and data) and segmentation based on criticality and confidentiality.
    >
    > The problem is how do we do this in an environment that also has to be
    > segmented based on owner. Things start to not scale well quickly. Lots
    > of firewalls, segmented SAN/NAS devices, segmented enterprise backup
    > systems. If you don't address some of this you run the risk of the
    > weakest link being exploited to escalate into other more secure
    > co-located systems that might share infrastructure.
    >
    > I'm sure that there are some organizations with this type of problem
    > that do it the wrong way, basically going flat with the tiering and/or
    > data segmentation and only segmenting (maybe even only with VLANs) on
    > the data owner (hosting client).
    >
    > Is anyone doing it right? How do you make it scale? Any models, ideas?
    >
    > don
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >


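The compartment rules Chris describes (customer compartments that only answer the admin, backup and their own client systems, customers invisible to each other, and overlapping RFC1918 customer space rewritten in the VPN hardware) can be written down as a small policy model and audited before a rule ever reaches a firewall. The following is an added example and is not the ASP's configuration or anything posted in the thread; the compartment names, ports, address ranges and the candidate rule list are constructed for illustration.

```python
"""Policy model for the hub-and-spoke ASP design described in the thread.

Added example, not the ASP's configuration. Compartment names, ports,
address ranges and the candidate rule list below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ADMIN = "admin"     # administrative compartment in the hardened core (constructed name)
BACKUP = "backup"   # backup compartment in the hardened core (constructed name)


@dataclass(frozen=True)
class Rule:
    """A firewall permit rule: src compartment may open connections to dst."""
    src: str
    dst: str
    port: int


def is_customer(name: str) -> bool:
    return name.startswith("cust-")


def client_of(customer: str) -> str:
    """The customer's own client-side compartment (behind their VPN)."""
    return "client-" + customer[len("cust-"):]


def check_rule(rule: Rule) -> Optional[str]:
    """Return None if the rule fits the compartment model, else the violation.

    Invariants from the post: a customer compartment never initiates traffic
    (it only answers admin, backup and its own clients), and no two customer
    compartments can see each other.
    """
    if is_customer(rule.src):
        return f"{rule.src} must not initiate connections (to {rule.dst})"
    if is_customer(rule.dst):
        if rule.src in (ADMIN, BACKUP, client_of(rule.dst)):
            return None
        return f"{rule.src} is not allowed into {rule.dst}"
    if rule.src == ADMIN:
        return None  # admin may reach core services such as backup
    return f"{rule.src} -> {rule.dst} is not a modelled core flow"


def audit(rules):
    """Return (rule, reason) for every rule that breaks the model."""
    return [(r, reason) for r in rules if (reason := check_rule(r))]


def nat_map_from(spec):
    """Build {customer: (inside_net, core_side_net)} from CIDR strings."""
    return {c: (ipaddress.ip_network(i), ipaddress.ip_network(o)) for c, (i, o) in spec.items()}


# Overlapping RFC1918 space: both customers use 10.1.0.0/16 internally; the
# VPN hardware rewrites each into a unique core-side /16 (constructed ranges).
NAT_MAP = nat_map_from({
    "cust-acme": ("10.1.0.0/16", "172.16.0.0/16"),
    "cust-beta": ("10.1.0.0/16", "172.17.0.0/16"),
})


def check_nat_map(nat_map):
    """Core-side ranges must be unique and the same size as the inside range."""
    problems = []
    items = list(nat_map.items())
    for i, (cust, (inside, outside)) in enumerate(items):
        if inside.prefixlen != outside.prefixlen:
            problems.append(f"{cust}: {inside} and {outside} differ in size")
        for other, (_, other_out) in items[i + 1:]:
            if outside.overlaps(other_out):
                problems.append(f"{cust} and {other} share core-side space")
    return problems


def to_core(customer, addr, nat_map=NAT_MAP):
    """Translate a customer-side address to its unique core-side address."""
    inside, outside = nat_map[customer]
    ip = ipaddress.ip_address(addr)
    if ip not in inside:
        raise ValueError(f"{addr} is not in {customer}'s range {inside}")
    return str(outside.network_address + (int(ip) - int(inside.network_address)))


def from_core(addr, nat_map=NAT_MAP):
    """Reverse lookup: (customer, inside address) for a core-side address."""
    ip = ipaddress.ip_address(addr)
    for customer, (inside, outside) in nat_map.items():
        if ip in outside:
            return customer, str(inside.network_address + (int(ip) - int(outside.network_address)))
    raise ValueError(f"{addr} is not in any customer's core-side range")


CANDIDATE_RULES = [  # constructed rule set to audit
    Rule(ADMIN, "cust-acme", 22),
    Rule(BACKUP, "cust-acme", 10000),
    Rule("client-acme", "cust-acme", 443),
    Rule("client-acme", "cust-beta", 443),  # another customer's client
    Rule("cust-acme", "cust-beta", 445),    # customer-to-customer
    Rule("cust-beta", ADMIN, 22),           # customer-initiated into the core
]

if __name__ == "__main__":
    for rule, reason in audit(CANDIDATE_RULES):
        print(f"REJECT {rule}: {reason}")
    print(check_nat_map(NAT_MAP) or "NAT map OK")
    print(to_core("cust-acme", "10.1.5.9"), to_core("cust-beta", "10.1.5.9"))
```

The three rejected rules are exactly the escalation paths Don worries about: a client reaching a compartment it does not own, one customer reaching another, and a customer initiating into the shared admin compartment. The NAT check catches the other failure mode of overlapping customer space, two customers accidentally given the same core-side range, which would let the core confuse one tenant's host for another's.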
