Educause Security Discussion mailing list archives
Re: Rethinking the DMZ
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 6 Sep 2012 12:18:10 -0700
David Byers <david.byers () LIU SE> commented:

#Whether you have perimeter protection or not does not greatly impact the
#need for protection on each host. Chances are pretty good that
#eventually something inside your perimeter will become a
#malware-infested zombie, attacking anything and everything it can -- and
#your typical border firewall will sit there, oblivious. The wider your
#perimeter, the more likely this is to happen.

In a higher education context, this is what I call the "20,000 of your closest friends" problem (slide 56 of http://pages.uoregon.edu/joe/architectures/architecture.pdf ), e.g., a perimeter firewall at even a mid-size university can result in a population of "trusted insiders" (users and/or hosts) bigger than some small cities :-;

#So firewalling at the network level or no, you still need to lock down
#the hosts.

Precisely.

#Locking down the hosts doesn't necessarily mean deploying a "personal
#firewall". It could (and should) first and foremost mean ensuring that
#all accessible services are secure, and that only those services that
#need to be running, are running. Do that right, and the personal
#firewall becomes much simpler.

Again, this is exactly right in my opinion.

Regards,

Joe