Educause Security Discussion mailing list archives

Re: firewall requirements for applications


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 1 Sep 2010 15:18:35 -0400

On Wednesday 01 September 2010 14:13:09 Shalla, Kevin wrote:

> We have an application that currently is protected by a firewall.
> The application (Windows executable) resides on a file share, and
> data on a database server. Managing the firewall for this
> application causes quite a bit of grief. I recently asked why we
> needed to keep it behind the firewall, considering that we've got
> much more confidential data (our main ERP), which is available
> through any web browser and java to any computer on the Internet.
> Is there some valid increased security risk to allowing access to a
> Windows executable versus a java application?

Kevin -

I think you may be asking the wrong question. You are basically asking,  
"why are we protecting <x> when we aren't protecting <y>?". I would be 
asking, "look, we're protecting <x> and it's less sensitive data than 
<y>, why don't we put <z> controls in place to protect that data as 
well, or at least require VPN access to get to it?"

It's possible the application server can't handle things like user or 
IP-based ACLs and needs some external device to do so while the ERP 
software can do this internally. This is particularly common in older 
software and software intended for use in a trusted environment.

It could also be that you're looking at this strictly from an ingress 
perspective. Does the application firewall also protect the world, or the 
rest of your network, from damage if the application server is 
exploited?

kmw

-- 
Kevin Wilcox, GCIH
Network Infrastructure and Control Systems
Appalachian State University
828.262.6259
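Worked example (added here, not part of the thread or either poster's configuration): an nftables ruleset for a firewall that routes between the client, file-share and database segments. Everything concrete in it is an assumption chosen to illustrate the reply's two points: the VPN pool 10.99.0.0/16, the file server 10.10.20.5 serving the executable over SMB (tcp/445), the database server 10.10.30.9 on tcp/1433 (MS SQL assumed; change for the real backend), and two internal resolvers. The ingress rules supply the per-source restriction the reply says older software often cannot do for itself; the egress rules are the part usually forgotten, and are what keeps a compromised file server from being used against the rest of the network or the Internet.

```nft
#!/usr/sbin/nft -f
# Added example, not from the mailing-list thread. All addresses, ports
# and the segment layout are assumptions for illustration only.

define vpn_pool   = 10.99.0.0/16                 # assumed: addresses given to VPN clients
define app_share  = 10.10.20.5                   # assumed: file server holding the executable
define db_server  = 10.10.30.9                   # assumed: database server
define db_port    = 1433                         # assumed: MS SQL; adjust for the real backend
define campus_dns = { 10.10.1.53, 10.10.1.54 }   # assumed: internal resolvers

flush ruleset

table inet appfw {
    chain forward {
        # Default deny in both directions; everything below is an exception.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Ingress: only VPN clients may reach the share that serves the
        # Windows executable. Any other inbound source hits the drop policy.
        ip saddr $vpn_pool ip daddr $app_share tcp dport 445 accept

        # The executable runs on the client and opens the database
        # connection from there, so clients (not the file server) need the
        # DB port, again only from the VPN pool.
        ip saddr $vpn_pool ip daddr $db_server tcp dport $db_port accept

        # Egress from the file server: it has no legitimate reason to
        # initiate connections anywhere except name resolution. Log what
        # it tries, so an exploited server shows up in the logs, then drop.
        ip saddr $app_share ip daddr $campus_dns udp dport 53 accept
        ip saddr $app_share log prefix "appfw-egress-drop " drop
    }
}
```

Load it with `nft -f` on the firewall host. Note that the file server is deliberately not given a rule toward the database: the client/share/database split described in the original question means the server itself never needs that path, and leaving it out is exactly the egress restriction the reply is asking about. If the real backend needs other ports (AD authentication for the share, patch management), add each as its own narrow rule rather than relaxing the final drop.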
