Educause Security Discussion mailing list archives
Re: firewall requirements for applications
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 1 Sep 2010 15:18:35 -0400
On Wednesday 01 September 2010 14:13:09 Shalla, Kevin wrote:
> We have an application that currently is protected by a firewall. The application (Windows executable) resides on a file share, and data on a database server. Managing the firewall for this application causes quite a bit of grief. I recently asked why we needed to keep it behind the firewall, considering that we've got much more confidential data (our main ERP), which is available through any web browser and Java to any computer on the Internet. Is there some valid increased security risk to allowing access to a Windows executable versus a Java application?
Kevin - I think you may be asking the wrong question. You are basically asking, "why are we protecting <x> when we aren't protecting <y>?". I would be asking, "look, we're protecting <x> and it's less sensitive data than <y>, why don't we put <z> controls in place to protect that data as well, or at least require VPN access to get to it?"

It's possible the application server can't handle things like user or IP-based ACLs and needs some external device to do so while the ERP software can do this internally. This is particularly common in older software and software intended for use in a trusted environment.

It could also be that you're looking at this strictly from an ingress perspective. Does the application firewall also protect the world, or the rest of your network, from damage if the application server is exploited?

kmw

--
Kevin Wilcox, GCIH
Network Infrastructure and Control Systems
Appalachian State University
828.262.6259