Re: [fw-wiz] The Death Of A Firewall

From: Josh Welch (jwelch_at_buffalowildwings.com)
Date: 07/19/05

  • Next message: Kevin: "Re: [fw-wiz] The Death Of A Firewall"
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 19 Jul 2005 09:07:30 -0500
    
    

    James Paterson wrote:
    > http://www.securitypipeline.com/165700439
    >
    > Be interesting to get the communities take on this article.
    >

    "We can do that now, thanks to layer-3 data center switches that allow
    for the low-cost creation of subnets. By defining simple ACLs, we
    further isolate our backend servers."

    Hmm, seperating machines into security specific zones and regulating the
    traffic between them....nope, no firewall here.

    "The servers and their respective applications sit in their own DMZ,
    protected by an Application-layer firewall. We organize servers into
    three tiers: The first tier consists of presentation servers such as Web
    and e-mail servers--these are the only servers accessible to end users.
    The second tier, made up of application and middleware servers, is in
    turn only accessible to the presentation servers. Finally, the third
    tier, consisting of the database servers, is only accessible to the
    application and middleware servers."

    Yep, the've done an excellent job at removing the old scourge to
    productivity, the firewall.

    "The price tag of such a hardware-intensive architecture may seem high,
    but virtualization software allows us to deploy all three tiers within
    the same server."

    Ahh, they've virtualized it so the firewalls don't really exist.

    I read this earlier and my impression then as now is that the title of
    the article is horribly misleading. While they do appear to be trying to
    get away from the crunchy outside chewy inside model, they are doing it
    by increasing the use of security strategies that seem an awful lot like
    firewalls to me. This is probably a good thing overall, but the way the
    article is presented certain PHB types could get the wrong impression.

    Josh
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Kevin: "Re: [fw-wiz] The Death Of A Firewall"

    Relevant Pages

    • RE: Slow user logon on Terminal server after migration to Windows 2003
      ... The Terminal Servers are 2000 or 2003. ... "Inside the firewall zone" means that the Citrix Servers have a firewall ... available RPC ports? ...
      (microsoft.public.windows.server.active_directory)
    • Re: medical records, web server, & stateful firewall vs packet filter
      ... > image and SQL servers directly (the image server link in particular ... The image and SQL servers ... the 2 firewall layers should run different s/ware - the idea is that a major ... security always cost a lot more than you expect (this comes up whenever we ...
      (comp.dcom.sys.cisco)
    • Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)
      ... > console based ftp client. ... the FTP servers have? ... > They are really mail servers, at least smtp for outgoing mails ... If you're firewall was dropping incoming packets destined to ...
      (freebsd-questions)
    • RE: Secure Network Design (DMZ, LAN, etc)
      ... you'll see that their both on the same subnet. ... It has a port for the trusted network and a port ... Our firewall handles NAT. ... > servers, wouldn't it require a public IP and therefore be somewhat ...
      (Security-Basics)
    • Re[3]: What can make DNS lookups slow? [semi-solved]
      ... My problem was that DNS lookups from and through my debian firewall ... My ISP's DNS servers are handing back replies from ... the machines inside the firewall, then I'd love to hear of it. ... # means that it queries the dmz server for everything ...
      (Debian-User)