Firewall Wizards mailing list archives

Re: Protecting a datacentre with a firewall


From: "mag" <mag () bunuel tii matav hu>
Date: 03 May 2003 01:46:43 +0200

Hi!

I have always found it funny how bad enterprises with global intranets
are at recognizing that their intranet is not much better defended
than the internet itself...

I think that isolating the data center from the rest would not bring you
much in terms of security. You would have to open just too many holes in
your firewall. The proper way would be to do separation based on
user communities and the services they need. But most likely you would
not be able to do that either, since you have a centralised
infrastructure.

A not-so-bad solution is to group the server resources of application
systems (this could mean a group of midrange servers counting anywhere
from 1 to 20), and compartment them with a firewall. In this way you have
a granularity which can give you some level of protection and is still
manageable.

But be aware that firewalls are only part of the security
infrastructure. It should contain regulations (see CC and Cobit),
(presumably central) authentication and identification services,
authorization services, audit services, and information flow control.
Firewalls are only part of the solution for the latter, and can provide
some services for the others. See the Red Book for details. To design
information flow, you should have an information flow control model, and
an understanding of the major information flows of the enterprise. Our
information flow control model is a mix of Bell-LaPadula, Biba and
Clark-Wilson.

The other important part of the protection is control over
development. In a larger enterprise it tends to be something near
untreatable. You have to lay down standards for using your security
services, provide APIs for them, and choose them in a way which makes it
more probable that COTS products can also employ them. Fortunately the
last few years have brought some coherency to the latter.
You should also be able to handle exceptions. You will find that the
lack of exceptions will be the exceptional thing :)

Also, PIXen are not just too suboptimal to be called firewalls,
but also for intranet firewalling you need a level of flexibility
you cannot achieve with a blackbox-style product, or with the
so-called market leader firewalls. You need a flexible operating
system base, presumably some unix flavour, and a flexible, highly
configurable firewall on top of it. Regarding the latter I am
biased, but there is just no other firewall in the category
of Zorp. This is for a good reason: I recognised what you have
just started to think about five years ago, and figured out most
of what I have explained to you three years ago.

So prepare for a lot of work. We have been doing it for five years, and
have at least another five years ahead. And we are not even multinational.


-- 
GNU GPL: only from a pure source
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

