Educause Security Discussion mailing list archives

Re: Rethinking the DMZ


From: "Haines, Ena" <ena () TC COLUMBIA EDU>
Date: Thu, 6 Sep 2012 13:53:48 -0400

One can understand why the network gurus say we shouldn't do elaborate
firewalling at the network level, but rather close down the hosts. If a
department has one or two servers, fine, let them be responsible for
locking them down. If the IT dept has 250 servers managed by 3 or 4 admins,
then what? Are any of your server admin teams happy with a system for
managing the "personal firewall" on each server? Can you set it locally and
forget it every time you deploy a new server? Don't your port requirements
change as ours do when there's an app upgrade or a middleware upgrade, etc.?

Some days it seems as though it's really about manageability.

*V. Ena Haines*
*Director of Information Technology*
*Teachers College, Columbia University*
*525 West 120th Street*
*New York, NY 10027*
*V: 212-678-3486*
*F: 212-678-3243*
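The manageability problem raised above (hundreds of servers, a handful of admins, port requirements that shift with every app or middleware upgrade) is usually tackled by keeping host firewall policy in one central, role-based definition and generating each server's ruleset from it, rather than hand-editing a "personal firewall" per box. The example below is added here and is not code from any poster or institution in this thread: it renders a default-drop nftables ruleset for a host from the roles assigned to it, and checks the host's actual listening sockets against that policy so a port opened by an upgrade shows up as drift instead of a silent outage. The role names, port lists, admin network and the `ss -lntu` sample output are all constructed.

```python
"""Role-based host firewall policy (added example, constructed data).

Central role definitions -> per-host nftables ruleset, plus a drift check
between the policy and what the host is really listening on.
"""

# Central policy: each role lists the inbound (proto, port) pairs it may expose.
ROLES = {
    "base": {("tcp", 22)},                 # ssh, admin network only
    "web":  {("tcp", 80), ("tcp", 443)},
    "ldap": {("tcp", 389), ("tcp", 636)},
}

# Which roles each host carries (constructed hostnames).
HOSTS = {
    "www1": ["base", "web"],
    "dir1": ["base", "ldap"],
}

ADMIN_NET = "10.0.0.0/24"  # constructed; the only source allowed to reach ssh

# Constructed `ss -lntu` output for www1 after an app upgrade that started
# listening on 8443 without anyone updating the policy.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:8443      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:8080    0.0.0.0:*
"""


def allowed_ports(host):
    """Union of the ports permitted by every role assigned to the host."""
    ports = set()
    for role in HOSTS[host]:
        ports |= ROLES[role]
    return ports


def render_nft(host):
    """Emit an nftables ruleset: drop inbound by default, allow only policy ports."""
    lines = [
        "table inet host_fw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        "    icmp type echo-request accept",
    ]
    for proto, port in sorted(allowed_ports(host)):
        if (proto, port) == ("tcp", 22):
            # ssh is restricted by source network, not just by port
            lines.append(f"    ip saddr {ADMIN_NET} tcp dport 22 accept")
        else:
            lines.append(f"    {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def parse_ss(output):
    """Extract externally reachable (proto, port) pairs from `ss -lntu` output.

    Loopback-only listeners are skipped: they are not exposed to the network,
    so they are not a policy concern for the host firewall.
    """
    listening = set()
    for line in output.strip().splitlines()[1:]:   # skip header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)
        if addr.startswith("127.") or addr == "[::1]":
            continue
        listening.add((proto, int(port)))
    return listening


def drift(host, ss_output):
    """Compare policy with reality: unexpected listeners and dead allowances."""
    listening = parse_ss(ss_output)
    allowed = allowed_ports(host)
    return {
        "listening_not_allowed": sorted(listening - allowed),  # blocked by policy drop
        "allowed_not_listening": sorted(allowed - listening),  # stale rule to prune
    }


if __name__ == "__main__":
    print(render_nft("www1"))
    print(drift("www1", SAMPLE_SS))
```

Deploying the rendered ruleset from a central repository at build time makes "set it and forget it" the default for a new server, and running the drift check from monitoring turns a port change after an upgrade into a ticket to amend the role definition rather than an unexplained connection failure.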



On Tue, Sep 4, 2012 at 11:48 AM, Deke Kassabian <deke () isc upenn edu> wrote:

I'm a fan of border firewalls when the border can be drawn around the
application servers and the stored data that warrant a serious level of
protection that can be defined in terms of allowed protocol set. If you
twist my arm, maybe I can also include expected community of users by
network address as a poor stand-in for expected community of people, but
I'd rather handle that part by strong authentication and additional
Identity and Access Management infrastructure.

I'm less a fan of borders in some other situations, particularly when the
idea is to draw it around a large enterprise such as a big university. The
conceptual problem I have is that we are seeing huge growth in personally
owned high function mobile devices that connect over both enterprise
wireless networks and carrier 3G/4G networks. The same user on the same
device would be "inside" one moment and "outside" the next, and may spend
substantial time on other networks such as home networks or coffee shop
networks where they can quickly go from clean to compromised.

All my instincts tell me that enterprise borders are less helpful, and
that I want our focus to be on placing well-designed protection very close
to the resources (data, app servers) we want to protect and to treat all
else as public and untrusted, even if a device happens to have an IP
address at the moment that "belongs" to the University.

I'm a fan of open networks, closed servers, protected sessions.



On 9/4/12 10:50 AM, Julian Y Koh wrote:

On Aug 30, 2012, at 16:09, Youngquist, Jason R. wrote:


Given current system requirements and the evolution of security, are the
reasons for setting up a DMZ 15 years ago still valid, and is the value of
maintaining a DMZ worth the associated costs and if not, what are the
alternatives?


We never did a full-blown DMZ.  Firewalls are deployed where needed
and/or required, but everything else is just out on public IP space and not
firewalled.

A border firewall of some sorts will likely be in our future, but we will
not be doing a complete re-architecture of our network to accommodate it.



--

Deke Kassabian,  Senior Technology Director
Information Systems and Computing, University of Pennsylvania

