Re: [fw-wiz] Defense in Depth to the Desktop

• Previous message: Christopher Hicks: "Re: [fw-wiz] Forward 2 networks"
• In reply to: Chris Pugrud: "[fw-wiz] Defense in Depth to the Desktop"
• Next in thread: Chris Pugrud: "Re: [fw-wiz] Defense in Depth to the Desktop"
• Reply: Chris Pugrud: "Re: [fw-wiz] Defense in Depth to the Desktop"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Chris Pugrud <cpugrud@yahoo.com>, firewall-wizards@honor.icsalabs.com
Date: Mon, 6 Dec 2004 08:40:42 +0000

A levelezőm azt hiszi, hogy Chris Pugrud a következőeket írta:
> Overview
>
[one subnet for servers, one for clients, separated by a firewall]

> In addition to the firewall, the client systems are fully isolated from each
> other by layer 2 controls (private vlans). The servers may be similarly
> isolated, but doing so is minimally effective and damaging to server to server
> communications.

It is interesting to note that what you propose can be viewed as an
example of the Bell-LaPadula modell with two security levels.

There are questions regarding the scaleability and the resource needs of
such a setup.
-How can you scale it to an intranet which have hundreds or thousands of
subnets, with tens or hundreds of separate application servers
geographically scattered?

My answer would be using VPNs, which makes configuration and network
usage more resource intensive.

-What approaches could you use to minimize configuration overhead and
network resource utilisation, especially on a large intranet?

You also seem to forget that there is a world beyond Microsoft, but
this have little impact on the question.

-- 
GNU GPL: csak tiszta forrásból
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Christopher Hicks: "Re: [fw-wiz] Forward 2 networks"
• In reply to: Chris Pugrud: "[fw-wiz] Defense in Depth to the Desktop"
• Next in thread: Chris Pugrud: "Re: [fw-wiz] Defense in Depth to the Desktop"
• Reply: Chris Pugrud: "Re: [fw-wiz] Defense in Depth to the Desktop"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: Secure Network Design (DMZ, LAN, etc) ... you'll see that their both on the same subnet. ... It has a port for the trusted network and a port ... Our firewall handles NAT. ... > servers, wouldn't it require a public IP and therefore be somewhat ... (Security-Basics) Re: Linux firewall for public IPs ... The one acting as a gw for other servers should be on the same ... >> subnet with them, the other should be on different subnet and that one should ... > firewall with IP Masquerading for PRIVATE IP's on a LAN. ... but I think IPtables can throttle those requests as well. ... (comp.os.linux.networking) Re: Firewall question ... I guess I will then split up this C subnet in two equal /25 subnets thus loosing 2 IP addresses due to subnetting but still it's a good idea. ... have our internet servers behind the firewall on a private IP range ... the server would actually be on the same network as the firewall. ... (comp.unix.bsd.openbsd.misc) Re: how much safe if a network is separated? ... The best would be to physically separate the subnets, ... When you have two subnets, but on the same physical network, it depends on ... This depends on what your incoming VPN or firewall permits. ... there is an unsecured point in your other network subnet. ... (comp.security.misc) Re: [fw-wiz] Defense in Depth to the Desktop ... > second subnet contains all of the servers. ... The client subnet and the server ... > subnet are separated by a session based, stateful, packet filtering firewall. ... Servers are allowed to reply to clients, ... (Firewall-Wizards)