Re: [fw-wiz] Defense in Depth to the Desktop

From: Chris Pugrud (cpugrud_at_yahoo.com)
Date: 12/06/04

    To: lists@dawes.za.net
    Date: Mon, 6 Dec 2004 08:16:53 -0800 (PST)
    
    

    --- Rogan Dawes <discard@dawes.za.net> wrote:

    > I've been trying to come up with some way of firewalling individual
    > clients (i.e. at a switch level), by defining a policy of who is allowed
    > to connect to what, at a very granular level. Your analysis kind of
    > short-cuts that whole approach, by taking a much less granular approach
    > to things. I think it could be very effective. I particularly like the
    > way of segregating servers based on their need to initiate connections
    > to clients or not.
    >
    > Good stuff! I look forward to seeing more discussion on this list.

    The key short cut, in my mind, was realizing that private vlans could be used
    to extend strong access controls to an entire subnet without having to define
    individual rules, subnets, or vlans. Private vlans also cut out all of the
    client to client chatter and vulnerabilities.

    Segmentation of the servers isolates the risk exposure. The reality is that
    very, very few servers actually need to initiate connections to the clients.
    Even SMS and most management systems are client-poll driven. The best example
    I've seen of Master->client servers are vulnerability scanners (most
    organizations do not do backups of client systems). Because all of the client
    systems are exposed to the Master Client servers, the security of those systems
    is obviously vital.

    Thank you,

    Chris
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
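To make the policy discussed in the thread concrete, here is an added example (not code from the thread or from any product it mentions) that models it as a small connection-tracking filter: clients may open connections to servers, servers may only answer existing client flows, a designated "master -> client" host such as a scanner may initiate towards clients, and client-to-client traffic is blocked as a private VLAN would. The subnets, addresses and the scanner host are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not taken from the thread).
CLIENT_NET = ip_network("10.1.0.0/16")             # private VLAN: clients isolated from each other
SERVER_NET = ip_network("10.2.0.0/24")             # ordinary servers: reply only, never initiate
MASTER_CLIENT_SERVERS = {ip_address("10.2.0.10")}  # e.g. a vulnerability scanner (assumed host)


class SegmentFirewall:
    """Minimal stateful model of the client/server segmentation policy."""

    def __init__(self):
        # Flows that were admitted as NEW, keyed (src, sport, dst, dport).
        self.established = set()

    @staticmethod
    def _zone(ip):
        if ip in CLIENT_NET:
            return "client"
        if ip in SERVER_NET:
            return "server"
        return "other"

    def allow_new(self, src, dst):
        """Policy for a connection attempt that matches no existing flow."""
        sz, dz = self._zone(src), self._zone(dst)
        if sz == "client" and dz == "client":
            return False                        # private VLAN: no client-to-client chatter
        if sz == "client" and dz == "server":
            return True                         # clients poll servers
        if sz == "server" and dz == "client":
            return src in MASTER_CLIENT_SERVERS  # only master->client hosts may initiate
        return False                            # anything else is denied by default

    def packet(self, src, sport, dst, dport):
        """Return the verdict for one packet: NEW, ESTABLISHED, REPLY or DROP."""
        src, dst = ip_address(src), ip_address(dst)
        if (src, sport, dst, dport) in self.established:
            return "ESTABLISHED"
        if (dst, dport, src, sport) in self.established:
            return "REPLY"                      # server answering an admitted client flow
        if self.allow_new(src, dst):
            self.established.add((src, sport, dst, dport))
            return "NEW"
        return "DROP"


def run_sample():
    """Constructed packet sequence exercising each branch of the policy."""
    fw = SegmentFirewall()
    return [
        fw.packet("10.1.0.5", 40000, "10.2.0.20", 443),   # client -> server: NEW
        fw.packet("10.2.0.20", 443, "10.1.0.5", 40000),   # server answers:   REPLY
        fw.packet("10.2.0.20", 40001, "10.1.0.5", 445),   # server initiates: DROP
        fw.packet("10.2.0.10", 50000, "10.1.0.5", 445),   # scanner -> client: NEW
        fw.packet("10.1.0.5", 50001, "10.1.0.7", 445),    # client -> client: DROP
    ]
```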

