Educause Security Discussion mailing list archives

Re: firewall requirements for applications


From: Charles Buchholtz <chip+educause () SEAS UPENN EDU>
Date: Wed, 1 Sep 2010 17:57:24 -0400

On Wed, Sep 01, 2010 at 01:13:09PM -0500, Shalla, Kevin wrote:
> We have an application that currently is protected by a firewall.  The
> application (Windows executable) resides on a file share, and data on a
> database server.  Managing the firewall for this application causes quite
> a bit of grief.  I recently asked why we needed to keep it behind the
> firewall, considering that we've got much more confidential data (our main
> ERP), which is available through any web browser and java to any computer
> on the Internet.  Is there some valid increased security risk to allowing
> access to a Windows executable versus a java application?

Here are some factors that may be involved in the decision/policy to
require different levels of firewall for different applications:


Ingress restrictions

1) Do the applications have the same level of design / code review?

2) Do the applications have the same level of change management / review?

3) Does the operating environment (OS, libraries, configuration) have
   the same security model / review?

4) Does the operating environment (OS, libraries, configuration) have
   the same change management / review?

5) What is the "security clearance level" of the people who have the
   ability to alter the application code and configuration?

6) What is the "security clearance level" of the people who have the
   ability to alter the operating environment?

7) Do the systems / applications have the same level of intrusion
   detection and intrusion prevention, both automated and human
   monitoring?


Egress restrictions

All of the above, plus

8) Do the systems have the same physical security?


--- Chip

Charles H. Buchholtz                    Director of Systems Programming
chip () seas upenn edu            School of Engineering and Applied Science
http://www.seas.upenn.edu/~chip           University of Pennsylvania
