Educause Security Discussion mailing list archives

Re: Rethinking the DMZ


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 6 Sep 2012 15:55:22 -0400

Haines, Ena wrote:
One can understand why the network gurus say we shouldn't do elaborate
firewalling at the network level, but rather close down the hosts. If a
department has one or two servers, fine, let them be responsible for
locking it down. If the IT dept has 250 servers managed by 3 or 4 admins,
then what? Are any of your server admin teams happy with a system for
managing the "personal firewall" on each server? Can you set it locally and
forget it every time you deploy a new server? Don't your port requirements
change as ours do when there's an app upgrade or a middleware upgrade, etc.?

Some days it seems as though it's really about manageability.

Very true. Though if there are thousands of access rules that have
to keep pace with changes in hardware, software, service request,
and threat changes, manageability is going to be a problem no matter
who does it. The more granular the access controls, the more
overhead.

The systems administrators have the advantage of being more
knowledgeable about their systems and change plans than a network
or security administrator. If they don't, or if an organization's
leadership feels more comfortable with a third party controlling
network access, then the systems folks will have to constantly
interact with the network/security folks for access changes.

A hybrid solution may consist of the network/security administrators
controlling access into a sub-network using network firewalls
and the system administrators controlling network access from
adjacent systems in the same sub-network using host firewalls. This
distributes the administrative overhead, provides some separation
of network access control duties, and gives the systems administrators
some autonomy to make changes as needed.


--
Gary Flynn
Security Engineer
James Madison University
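The hybrid layout described in the reply above (a network firewall owned by the network/security team at the subnet boundary, host firewalls owned by the systems administrators for traffic between neighbours inside the subnet) can be modelled in a few dozen lines. The following is an added example written for this archive page; it is not code from the original post or from JMU. Host names, the 192.0.2.0/24 and 203.0.113.0/24 addresses (RFC 5737 documentation ranges), the roles and the ports are all constructed. The point it illustrates is the manageability argument from the thread: when an application or middleware upgrade changes a port, the sysadmin edits one entry in the per-host policy and regenerates that host's ruleset, while the boundary policy stays with the network team and only changes when something new must be reachable from outside.

```python
"""Two-layer DMZ access-control model (constructed example).

Layer 1, BOUNDARY_INBOUND: what the network firewall lets *into* the subnet
from outside. Owned by the network/security administrators.
Layer 2, HOST_POLICY: which subnet neighbours may reach each host, on which
ports. Owned by the systems administrators and rendered per host as an
nftables ruleset.

Traffic between two hosts in the same subnet never crosses the boundary
firewall, which is exactly why the host firewall layer is needed to contain
lateral movement from one compromised neighbour to another.
"""
import ipaddress

# Constructed subnet and hosts (documentation ranges, not real addresses).
DMZ = ipaddress.ip_network("192.0.2.0/24")
HOSTS = {
    "web1": ipaddress.ip_address("192.0.2.10"),
    "app1": ipaddress.ip_address("192.0.2.20"),
    "db1": ipaddress.ip_address("192.0.2.30"),
}

# Layer 1: (destination host, TCP port) pairs reachable from outside the DMZ.
# Everything else arriving at the boundary is dropped.
BOUNDARY_INBOUND = {("web1", 443)}

# Layer 2: per-host policy, dport -> set of allowed source host names.
# "*" means any source that the boundary firewall already let through.
# An app upgrade that moves app1 from 8080 to 8443 is a one-line edit here.
HOST_POLICY = {
    "web1": {443: {"*"}},
    "app1": {8080: {"web1"}},
    "db1": {5432: {"app1"}},
}


def _host_name(ip):
    """Reverse-map a subnet address to its host name, or None if unknown."""
    return next((name for name, addr in HOSTS.items() if addr == ip), None)


def is_allowed(src_ip, dst_host, dport):
    """Evaluate a TCP flow through both layers and return True if it is permitted."""
    src = ipaddress.ip_address(src_ip)
    if src not in DMZ:
        # Layer 1: only explicitly published (host, port) pairs cross the boundary.
        if (dst_host, dport) not in BOUNDARY_INBOUND:
            return False
        src_name = None
    else:
        # Same-subnet traffic bypasses the boundary firewall entirely.
        src_name = _host_name(src)
    # Layer 2: the destination's host firewall decides.
    allowed = HOST_POLICY.get(dst_host, {}).get(dport, set())
    if "*" in allowed:
        return True
    return src_name is not None and src_name in allowed


def host_ruleset(host):
    """Render the host-firewall half of the policy as an nftables input chain."""
    lines = [
        "table inet host_fw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for dport, sources in sorted(HOST_POLICY[host].items()):
        if "*" in sources:
            lines.append(f"    tcp dport {dport} accept")
        else:
            addrs = ", ".join(str(HOSTS[s]) for s in sorted(sources))
            lines.append(f"    ip saddr {{ {addrs} }} tcp dport {dport} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # A few constructed flows: public client, and lateral moves inside the DMZ.
    for src, dst, port in [("203.0.113.5", "web1", 443),
                           ("203.0.113.5", "app1", 8080),
                           ("192.0.2.20", "db1", 5432),
                           ("192.0.2.10", "db1", 5432)]:
        print(f"{src} -> {dst}:{port}: {'allow' if is_allowed(src, dst, port) else 'deny'}")
    print(host_ruleset("db1"))
```

The interesting case is the last flow: a compromised web1 trying to reach db1 on 5432 is never seen by the boundary firewall, so only the sysadmin-owned rule on db1 stops it. Regenerating and loading the rendered chain (for example with `nft -f`) on each deploy is what turns the "set it and forget it" question from the thread into a repeatable step rather than a hand-edited file per server.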
