Firewall Wizards mailing list archives
Re: Protecting a datacentre with a firewall
From: "mag" <mag () bunuel tii matav hu>
Date: 03 May 2003 01:46:43 +0200
Hi!

I always found it funny how bad enterprises with global intranets are at recognizing that their intranet is not much better defended than the internet itself... I think that isolating the data center from the rest would not bring you much in terms of security. You would have to open just too many holes in your firewall. The proper way would be to do separation based on user communities and the services they need. But most likely you would not be able to do that either, since you have a centralised infrastructure.

A not-so-bad solution is to group the server resources of application systems (this could mean a group of midrange servers numbering anywhere from 1 to 20), and compartment them with a firewall. In this way you have a granularity which can give you some level of protection, and is still manageable.

But be aware that firewalls are only part of the security infrastructure. It should contain regulations (see CC and Cobit), (presumably central) authentication and identification services, authorization services, audit services, and information flow control. Firewalls are only part of the solution for the latter, and can provide some services for the others. See the Red Book for details. To design information flow, you should have an information flow control model, and an understanding of the major information flows of the enterprise. Our information flow control model is a mix of Bell-LaPadula, Biba and Clark-Wilson.

The other important part of the protection is control over development. In a larger enterprise it tends to be something near untreatable. You have to lay down standards for using your security services, provide APIs for them, and choose them in a way which makes it more probable that COTS products can also employ them. Fortunately the last few years brought some coherency to the last. You should also be able to handle exceptions. You will find that the lack of exceptions will be the exceptional thing :)

Also, PIXen are not just too suboptimal to be called firewalls, but also for intranet firewalling you need a level of flexibility you cannot achieve with a blackbox-style product, and with the so-called market leader firewalls. You need a flexible operating system base, presumably some unix flavour, and a flexible, highly configurable firewall on top of it. Regarding the latter I am biased, but there is just no other firewall in the category of Zorp. This is for a good reason: I recognised what you have just started to think about five years ago, and figured out most of what I have explained to you three years ago.

So prepare for a big work. We have been doing it for five years, and have at least another five years ahead. And we are not even multinational.

--
GNU GPL: only from a clean source

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
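As an added example (not part of mag's post, and not Zorp code), here is a small reference-monitor check in Python for the kind of information flow control model mentioned above: Bell-LaPadula on a confidentiality axis, Biba on an integrity axis, and a Clark-Wilson rule that constrained data items are only written through a certified transformation procedure. The label orderings, subjects and objects are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed label orderings for this example (higher index = higher level).
CONF = ["public", "internal", "confidential"]   # Bell-LaPadula (confidentiality) axis
INTEG = ["untrusted", "user", "system"]         # Biba (integrity) axis


@dataclass(frozen=True)
class Label:
    conf: str    # confidentiality level, one of CONF
    integ: str   # integrity level, one of INTEG


@dataclass(frozen=True)
class Object:
    name: str
    label: Label
    constrained: bool = False   # Clark-Wilson CDI: writable only via a certified TP


def _c(label: Label) -> int:
    return CONF.index(label.conf)


def _i(label: Label) -> int:
    return INTEG.index(label.integ)


def may_flow(src: Label, dst: Label) -> bool:
    """Information may flow from src to dst only if it never goes down in
    confidentiality (BLP: no read up / no write down) and never goes up in
    integrity (Biba: no read down / no write up)."""
    return _c(src) <= _c(dst) and _i(src) >= _i(dst)


def check(subject: Label, obj: Object, op: str, via_tp: bool = False) -> bool:
    """Reference monitor decision for one access; op is 'read' or 'write'."""
    if op == "read":            # data flows object -> subject
        return may_flow(obj.label, subject)
    if op == "write":           # data flows subject -> object
        if obj.constrained and not via_tp:
            return False        # CW: a CDI changes only through a certified TP
        return may_flow(subject, obj.label)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    clerk = Label("internal", "user")
    ledger = Object("ledger", Label("confidential", "system"), constrained=True)
    print("clerk reads ledger:", check(clerk, ledger, "read"))          # False
    print("clerk writes ledger directly:", check(clerk, ledger, "write"))  # False
```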
Current thread:
- Protecting a datacentre with a firewall Lazló Carreidas (May 02)
- Re: Protecting a datacentre with a firewall mag (May 03)
- Re: Protecting a datacentre with a firewall Mikael Olsson (May 03)
- Re: Protecting a datacentre with a firewall mag (May 04)
- Re: Protecting a datacentre with a firewall Chuck Swiger (May 04)
- Re: Protecting a datacentre with a firewall Mikael Olsson (May 04)
- Re: Protecting a datacentre with a firewall Mikael Olsson (May 03)
- Re: Protecting a datacentre with a firewall mag (May 03)
- <Possible follow-ups>
- Re: Protecting a datacentre with a firewall Jeffery . Gieser (May 03)
- Re: Protecting a datacentre with a firewall Bill Royds (May 03)