Educause Security Discussion mailing list archives
Re: Rethinking the DMZ
From: Harry Hoffman <hhoffman () IP-SOLUTIONS NET>
Date: Thu, 6 Sep 2012 15:56:03 -0400
Heh, yeah... looking at my netmask... a /17 that puts it at 32k of my closest friends.

In some ways it's kind of nice. No need to wait on that span port; with so much traffic the switches are always rebroadcasting, and watching ARP traffic makes it easy to see scanners :-)

But yeah, each host should be prepared to protect itself. In my opinion that does mean running a firewall on every system, but that becomes much easier with various built-in options as well as 3rd-party apps.

On 09/06/2012 03:18 PM, Joe St Sauver wrote:
David Byers <david.byers () LIU SE> commented:

#Whether you have perimeter protection or not does not greatly impact the
#need for protection on each host. Chances are pretty good that
#eventually something inside your perimeter will become a
#malware-infested zombie, attacking anything and everything it can -- and
#your typical border firewall will sit there, oblivious. The wider your
#perimeter, the more likely this is to happen.

In a higher education context, this is what I call the "20,000 of your closest friends" problem (slide 56 of http://pages.uoregon.edu/joe/architectures/architecture.pdf ), e.g., a perimeter firewall at even a mid-size university can result in a population of "trusted insiders" (users and/or hosts) bigger than some small cities :-;

#So firewalling at the network level or no, you still need to lock down
#the hosts.

Precisely.

#Locking down the hosts doesn't necessarily mean deploying a "personal
#firewall". It could (and should) first and foremost mean ensuring that
#all accessible services are secure, and that only those services that
#need to be running, are running. Do that right, and the personal
#firewall becomes much simpler.

Again, this is exactly right in my opinion.

Regards,

Joe
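Harry's point about spotting scanners by watching ARP on a large flat segment can be turned into a small detector. The script below is an added example for this archive page, not code from any participant in the thread. It assumes the `tcpdump -n arp` line format (`HH:MM:SS.usec ARP, Request who-has <target> tell <sender>, length N`), and the sample capture it runs on is constructed, not recorded traffic. Only requests are counted, because on a switched segment those are the broadcast frames every host sees without a SPAN port; replies are unicast and are ignored.

```python
import re
from collections import Counter, defaultdict

# tcpdump -n output for an ARP request looks like:
#   15:56:03.123456 ARP, Request who-has 10.0.1.17 tell 10.0.3.44, length 28
# Some tcpdump versions add the target MAC in parentheses after the IP; it is optional here.
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ ARP, Request who-has "
    r"(?P<target>\d{1,3}(?:\.\d{1,3}){3})(?: \([^)]*\))? tell "
    r"(?P<sender>\d{1,3}(?:\.\d{1,3}){3})"
)


def _seconds(ts):
    """Convert HH:MM:SS to seconds since midnight (no midnight-rollover handling)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)


def find_arp_scanners(lines, window=10, threshold=20):
    """Return {sender_ip: peak_distinct_targets} for every host that ARPs for
    more than `threshold` distinct addresses inside any `window`-second span.

    Requests only: they are broadcast, so every host on the segment sees
    them. Replies are unicast and mostly invisible on a switched network.
    """
    requests = defaultdict(list)  # sender -> [(seconds, target)]
    for line in lines:
        m = ARP_REQUEST.match(line)
        if m:
            requests[m["sender"]].append((_seconds(m["ts"]), m["target"]))

    flagged = {}
    for sender, events in requests.items():
        events.sort()
        in_window = Counter()  # target -> number of requests currently inside the window
        lo, peak = 0, 0
        for t, target in events:
            in_window[target] += 1
            # Slide the left edge forward until the window is at most `window` seconds wide.
            while t - events[lo][0] > window:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[sender] = peak
    return flagged


def constructed_sample():
    """Constructed sample capture (not real data): one host sweeping 10.0.1.0/24,
    one host doing ordinary lookups, plus an ARP reply and a non-ARP line."""
    lines = []
    for i in range(40):  # 40 distinct targets inside roughly 8 seconds
        lines.append(
            f"15:56:{i // 5:02d}.{i * 1000:06d} ARP, Request who-has 10.0.1.{i + 1} "
            f"tell 10.0.3.44, length 28"
        )
    lines += [
        "15:56:02.000400 ARP, Request who-has 10.0.0.1 tell 10.0.5.9, length 28",
        "15:56:02.000900 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28",
        "15:56:03.100000 IP 10.0.5.9.51234 > 10.0.0.1.443: Flags [S], seq 1, win 64240, length 0",
        "15:56:31.200000 ARP, Request who-has 10.0.0.2 (ff:ff:ff:ff:ff:ff) tell 10.0.5.9, length 28",
        "15:57:10.500000 ARP, Request who-has 10.0.7.7 tell 10.0.5.9, length 28",
    ]
    return lines


if __name__ == "__main__":
    for host, n in find_arp_scanners(constructed_sample()).items():
        print(f"possible scanner {host}: {n} distinct ARP targets within 10s")
```

To run it on live traffic, pipe `tcpdump -n -l arp` into a loop that feeds lines to `find_arp_scanners` in batches. The threshold is a site-specific assumption: the default gateway, a DHCP server or a monitoring box on a /17 will legitimately ARP for a great many addresses, so expect to whitelist those or raise the threshold well above what a single workstation would ever need.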
Current thread:
- Re: Rethinking the DMZ, (continued)
- Re: Rethinking the DMZ John Ladwig (Sep 06)
- Re: Rethinking the DMZ Mike Caudill (Sep 06)
- Re: Rethinking the DMZ Jeff Kell (Sep 06)
- Re: Rethinking the DMZ Mike Caudill (Sep 06)
- Re: Rethinking the DMZ David Byers (Sep 06)
- Re: Rethinking the DMZ Justin Azoff (Sep 06)
- Re: Rethinking the DMZ Harry Hoffman (Sep 06)
- Re: Rethinking the DMZ Gary Flynn (Sep 06)
- Re: Rethinking the DMZ Harry Hoffman (Sep 06)