Re: Rethinking the DMZ

[Harry Hoffman <hhoffman () IP-SOLUTIONS NET>]

Heh, yeah... looking at my netmask... a /17 that puts it at 32k of my
closest friends.

In some ways it's kind of nice. No need to wait on that span port, with
so much traffic the switches are always rebroadcasting and watching arp
traffic makes it easy to see scanners :-)

But yeah, each host should be prepared to protect itself. In my opinion
that does mean running a firewall on every system, but that becomes much
easier with various built in options as well as 3rd party apps.

On 09/06/2012 03:18 PM, Joe St Sauver wrote:
> David Byers <david.byers () LIU SE> commented:
>
> #Whether you have perimeter protection or not does not greatly impact the
> #need for protection on each host. Chances are pretty good that
> #eventually something inside your perimeter will become a
> #malware-infested zombie, attacking anything and everything it can -- and
> #your typical border firewall will sit there, oblivious. The wider your
> #perimeter, the more likely this is to happen.
>
> In a higher education context, this is what I call the "20,000 of your
> closest friends" problem (slide 56 of 
> http://pages.uoregon.edu/joe/architectures/architecture.pdf ), e.g., a
> perimeter firewall at even a mid-size university can result in a population
> of "trusted insiders" (users and/or hosts) bigger than some small cities :-;
>
> #So firewalling at the network level or no, you still need to lock down
> #the hosts.
>
> Precisely.
>
> #Locking down the hosts doesn't necessarily mean deploying a "personal
> #firewall". It could (and should) first and foremost mean ensuring that
> #all accessible services are secure, and that only those services that
> #need to be running, are running. Do that right, and the personal
> #firewall becomes much simpler.
>
> Again, this is exactly right in my opinion.
>
> Regards,
>
> Joe