Educause Security Discussion mailing list archives
Re: firewall requirements for applications
From: Charles Buchholtz <chip+educause () SEAS UPENN EDU>
Date: Wed, 1 Sep 2010 17:57:24 -0400
On Wed, Sep 01, 2010 at 01:13:09PM -0500, Shalla, Kevin wrote:
> We have an application that currently is protected by a firewall. The application (Windows executable) resides on a file share, and data on a database server. Managing the firewall for this application causes quite a bit of grief. I recently asked why we needed to keep it behind the firewall, considering that we've got much more confidential data (our main ERP), which is available through any web browser and java to any computer on the Internet. Is there some valid increased security risk to allowing access to a Windows executable versus a java application?
Here are some factors that may be involved in decision/policy to require different levels of firewall for different applications:

Ingress restrictions

1) Do the applications have the same level of design / code review?
2) Do the applications have the same level of change management / review?
3) Does the operating environment (OS, libraries, configuration) have the same security model / review?
4) Does the operating environment (OS, libraries, configuration) have the same change management / review?
5) What is the "security clearance level" of the people who have the ability to alter the application code and configuration?
6) What is the "security clearance level" of the people who have the ability to alter the operating environment?
7) Do the systems / applications have the same level of intrusion detection and intrusion prevention, both automated and human monitoring?

Egress restrictions

All of the above, plus

8) Do the systems have the same physical security?

---
Chip

Charles H. Buchholtz
Director of Systems Programming
chip () seas upenn edu
School of Engineering and Applied Science
http://www.seas.upenn.edu/~chip
University of Pennsylvania