Educause Security Discussion mailing list archives
Re: Rethinking the DMZ
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 6 Sep 2012 15:55:22 -0400
Haines, Ena wrote:
One can understand why the network gurus say we shouldn't do elaborate firewalling at the network level, but rather close down the hosts. If a department has one or two servers, fine, let them be responsible for locking it down. If the IT dept has 250 servers managed by 3 or 4 admins, then what? Are any of your server admin teams happy with a system for managing the "personal firewall" on each server? Can you set it locally and forget it every time you deploy a new server? Don't your port requirements change as ours do when there's an app upgrade or a middleware upgrade, etc.? Some days it seems as though it's really about manageability.
Very true. Though if there are thousands of access rules that have to keep pace with changes in hardware, software, service request, and threat changes, manageability is going to be a problem no matter who does it. The more granular the access controls, the more overhead. The systems administrators have the advantage of being more knowledgeable about their systems and change plans than a network or security administrator. If they don't, or if an organization's leadership feels more comfortable with a third party controlling network access, then the systems folks will have to constantly interact with the network/security folks for access changes. A hybrid solution may consist of the network/security administrators controlling access into a sub-network using network firewalls and the system administrators controlling network access from adjacent systems in the same sub-network using host firewalls. This distributes the administrative overhead, provides some separation of network access control duties, and gives the systems administrators some autonomy to make changes as needed.

--
Gary Flynn
Security Engineer
James Madison University
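The hybrid model above (network firewall at the sub-network boundary, host firewall deciding which adjacent systems may connect) can be kept manageable by generating each host's ruleset from a short declarative service list and regenerating it whenever a port requirement changes. The following is an added example, not code from the list or from James Madison University; every address, subnet, port and host name in it is constructed, and the nftables output is one possible rendering of such a policy.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Service:
    proto: str      # "tcp" or "udp"
    port: int
    sources: list   # CIDR strings permitted to reach this port

@dataclass
class HostPolicy:
    name: str
    address: str    # this host's address inside the sub-network
    subnet: str     # the sub-network the network firewall guards
    services: list = field(default_factory=list)

def peer_sources(policy):
    """Sources inside the host's own sub-network: the 'adjacent systems' a
    boundary firewall never sees, so only the host firewall can limit them."""
    net = ipaddress.ip_network(policy.subnet)
    return sorted({s for svc in policy.services for s in svc.sources
                   if ipaddress.ip_network(s).subnet_of(net)})

def render_nft(policy):
    """Render a default-deny nftables input chain that admits only the
    declared services from their declared sources."""
    lines = ["table inet host_fw {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    for svc in policy.services:
        for src in svc.sources:
            lines.append(f"    ip saddr {src} {svc.proto} dport {svc.port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"

def allowed(policy, src_ip, proto, port):
    """Would the generated host ruleset accept this inbound flow?"""
    ip = ipaddress.ip_address(src_ip)
    return any(svc.proto == proto and svc.port == port and
               any(ip in ipaddress.ip_network(s) for s in svc.sources)
               for svc in policy.services)

# Constructed sample: a database host whose only same-subnet client is the
# web front end; SSH is allowed solely from an (assumed) admin jump network.
DB = HostPolicy("db01", "10.20.0.20", "10.20.0.0/24", [
    Service("tcp", 5432, ["10.20.0.10/32"]),   # web01, an adjacent host
    Service("tcp", 22, ["10.1.0.0/24"]),       # admin network, outside subnet
])
```

Changing a port after an application upgrade means editing one `Service` line and re-rendering, which is the "set it and forget it" property the quoted message asks about.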