Re: [fw-wiz] Defense in Depth to the Desktop

From: Magosányi Árpád (mag_at_bunuel.tii.matav.hu)
Date: 12/06/04

  • Next message: Ben Nagy: "RE: [fw-wiz] Security of HTTPS"
    To: Chris Pugrud <cpugrud@yahoo.com>, firewall-wizards@honor.icsalabs.com
    Date: Mon, 6 Dec 2004 08:40:42 +0000
    
    

    My mail client believes that Chris Pugrud wrote the following:
    > Overview
    >
    [one subnet for servers, one for clients, separated by a firewall]

    > In addition to the firewall, the client systems are fully isolated from each
    > other by layer 2 controls (private vlans). The servers may be similarly
    > isolated, but doing so is minimally effective and damaging to server to server
    > communications.

    It is interesting to note that what you propose can be viewed as an
    example of the Bell-LaPadula model with two security levels.

    There are questions regarding the scalability and the resource needs of
    such a setup.
    -How can you scale it to an intranet which has hundreds or thousands of
    subnets, with tens or hundreds of separate application servers
    geographically scattered?

    My answer would be using VPNs, which makes configuration and network
    usage more resource intensive.

    -What approaches could you use to minimize configuration overhead and
    network resource utilisation, especially on a large intranet?

    You also seem to forget that there is a world beyond Microsoft, but
    this has little impact on the question.

    -- 
    GNU GPL: only from a clean source