Educause Security Discussion mailing list archives

Re: Rethinking the DMZ


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 6 Sep 2012 12:18:10 -0700

David Byers <david.byers () LIU SE> commented:

#Whether you have perimeter protection or not does not greatly impact the
#need for protection on each host. Chances are pretty good that
#eventually something inside your perimeter will become a
#malware-infested zombie, attacking anything and everything it can -- and
#your typical border firewall will sit there, oblivious. The wider your
#perimeter, the more likely this is to happen.

In a higher education context, this is what I call the "20,000 of your
closest friends" problem (slide 56 of 
http://pages.uoregon.edu/joe/architectures/architecture.pdf ), e.g., a
perimeter firewall at even a mid-size university can result in a population
of "trusted insiders" (users and/or hosts) bigger than some small cities :-;

#So firewalling at the network level or no, you still need to lock down
#the hosts.

Precisely.

#Locking down the hosts doesn't necessarily mean deploying a "personal
#firewall". It could (and should) first and foremost mean ensuring that
#all accessible services are secure, and that only those services that
#need to be running, are running. Do that right, and the personal
#firewall becomes much simpler.

Again, this is exactly right in my opinion.

Regards,

Joe
