Firewall Wizards mailing list archives
RE: segmentation of DMZs
From: "Ofir Arkin" <ofir () sys-security com>
Date: Mon, 18 Nov 2002 17:36:13 +0200
Shimon,

The answer to your question varies from one security architect to another. When you design a new system you need to ask yourself several questions. The answers to these questions will help you classify the type of system and the information served. Some of the questions might be:

- What are the different parts of the application?
- How do they interact?
- What is the type of information that the system will serve?
- How do you classify the information?
- Is it confidential, secret, or open to all?
- Will authentication be required from users?
- Do you have different types of users for the application with different access levels?
- Etc.

If your application is a Banking application, for example, there is no need to host all types of users on the same system, since the content served is of different confidentiality levels ranging from free to classified. If you put all your eggs in one system, anybody from the Internet will be able to try to compromise your front-end web server. If you require authentication and provide access only to registered users, in most cases you will be able to reduce the number of possible attacks on the front-end server. If the free content is served off a different web server which is physically separated from the web server serving confidential content, any compromise of that server will not be a potential risk to the web server serving the confidential content.

There is no "one fits all" model in computer security, and there are no magical solutions - just remember that one application will always be different from another.
Enjoy,

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Shimon Silberschlag
Sent: Thursday, November 14, 2002 12:35 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] segmentation of DMZs

As a spin-off from the thread "Flat vs. Segmented DMZ's", I would like to ask the group whether they support/oppose segmenting even segments conducting the same work into sub-segments.

Let's say we have a hypothetical Internet infrastructure composed of 3 different segments: presentation, business logic and databases. The inter-segment traffic is controlled using switch-level protection - either "protected ports" if layer 2 or ACLs if layer 3.

Now, some folks here offer to further segment the infrastructure by having separate physical segments for presentation servers (WWW) that provide authenticated services (and hence have as audience a small subset of the Internet crowd but do provide much more sensitive information) and those that are not authenticated (thus can serve the entire Internet population). They would also like to break the database segment into 2 sub-segments for "sensitive" databases and those that are "not so sensitive".

I would like to enquire whether anyone in the group has either implemented such a design or supports it, and what the reasons are for doing so. If you think this is overkill, please do specify why.

Shimon Silberschlag
+972-3-9352785
+972-51-207130

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
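The flat and sub-segmented designs discussed in this thread, as an added example that is not from either poster: a small policy model that computes which segments an attacker holding one compromised segment could reach under each design, and flags ACL rules that skip a tier. The segment names, the allowed flows (including the assumption that hosts sharing a flat segment reach each other without crossing an ACL) and the tier numbering are constructed for this example.

```python
from collections import deque

# Constructed model of the two designs under discussion: each design maps a
# segment to the set of segments it may initiate traffic to.

# Flat three-tier design: both web servers share the presentation segment and
# both databases share the database segment, so same-segment hosts are assumed
# to reach each other without crossing an ACL (modelled as an explicit edge).
FLAT = {
    "www_public": {"www_auth", "app"},
    "www_auth": {"www_public", "app"},
    "app": {"db_general", "db_sensitive"},
    "db_general": {"db_sensitive"},
    "db_sensitive": {"db_general"},
}

# Sub-segmented design: the two web classes and the two database classes each
# get their own segment, and switch ACLs permit only the application flows.
SEGMENTED = {
    "www_public": {"app"},
    "www_auth": {"app"},
    "app": {"db_general", "db_sensitive"},
    "db_general": set(),
    "db_sensitive": set(),
}

# Tier number per segment (assumed), used to spot ACL rules that skip a tier.
TIERS = {"www_public": 0, "www_auth": 0, "app": 1,
         "db_general": 2, "db_sensitive": 2}

def blast_radius(policy, compromised):
    """Segments an attacker holding `compromised` can reach over allowed flows."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for dst in policy.get(queue.popleft(), ()):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {compromised}

def gained_isolation(before, after, compromised):
    """Segments reachable from `compromised` in `before` but not in `after`."""
    return blast_radius(before, compromised) - blast_radius(after, compromised)

def tier_skips(policy, tiers):
    """Rules that let a segment talk to a tier more than one hop deeper."""
    return sorted((src, dst) for src, dsts in policy.items()
                  for dst in dsts if tiers[dst] - tiers[src] > 1)
```

Running `gained_isolation(FLAT, SEGMENTED, "www_public")` shows the authenticated web server is no longer reachable from a compromised public one, and the same call for `"db_general"` shows the sensitive database dropping out of its blast radius.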