Firewall Wizards mailing list archives
Re[2]: Shared DMZ liability
From: Steve.Bleazard () wdr com
Date: Tue, 25 Aug 1998 08:14:26 +0700
Sharing a DMZ between multiple external vendors may be in violation of the local telecomms laws preventing unlicensed entities from acting as telecomms providers. However, all is not lost: a shared DMZ can be set up using VLAN technology which only allows specified hosts to communicate even though they are on the same IP segment and hub. The hub in fact performs access control based on the MAC address.

Steve

______________________________ Reply Separator _________________________________
Subject: Re: Shared DMZ liability
Author: rick\.smith (rick_smith () securecomputing com) at unix/o2=mime
Date: 8/22/98 4:12 AM

At 01:22 PM 8/18/98 -0400, Allen Todd wrote:
> I'm interested in whether anyone has any specific knowledge about corporate liability resulting from the use of a shared DMZ for external data providers.
First of all, keep in mind that there's no network security mechanism that's going to keep a bunch of hosts like that from potentially attacking one another. The separate DMZs do raise the bar, but it's not clear this improves your legal liability situation.

If everyone is on the same DMZ, then risk of one outsider attacking another is increased, since there's no independent security mechanism (i.e. firewall) separating them, and a firewall would probably increase the effort required for a successful attack. However, if someone performs a direct and unsophisticated attack from their host machine to a competitor's machine, and the attack is logged, then any logged IP addresses will point to the real attacker. This makes them the favored target of a lawsuit. This really happens: I've investigated that sort of thing. If the attacker is more clever and mounts the attack from another machine (yours, for example) or uses some other strategy to forge IP addresses, then the owner of the forged address becomes a more likely target of a lawsuit.

If you use separate DMZs you probably increase the work required by outsiders to attack one another, and thus you probably decrease the likelihood of attacks. On the other hand, successful attacks will *have* to be mounted by penetrating one of your own machines, so logged attacks will point to *you* as the perpetrator. This makes you the prime target of the lawsuit if anything happens. So you decrease the likelihood of attacks (and the likelihood may be small anyway, depending on the group of outsiders involved) but you increase the likelihood that you'll be held responsible if an attack *does* occur.

I expect this isn't the sort of answer you're looking for, but it's another way of looking at the problem.

Rick.
smith () securecomputing com
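The per-host isolation on a shared segment that Steve describes is what private VLANs do on a modern switch. The following is an added example, not part of the thread, and uses assumed VLAN numbers and interface names: two vendor hosts on isolated ports share one IP subnet but can exchange frames only with the firewall's promiscuous port, never with each other.

```cisco
! Constructed example (assumed VLAN ids 100/200 and interface names).
! Private VLANs on IOS require VTP transparent (or VTPv3) mode.
vtp mode transparent
!
vlan 200
 name DMZ-VENDOR-ISOLATED
 private-vlan isolated
!
vlan 100
 name DMZ-PRIMARY
 private-vlan primary
 private-vlan association 200
!
! Firewall DMZ leg: promiscuous, may reach every host in the 100/200 pair
interface GigabitEthernet0/1
 description Firewall DMZ interface (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200
 spanning-tree portfast
!
! Vendor A: isolated host port, layer-2 reachability limited to promiscuous ports
interface GigabitEthernet0/2
 description Vendor A host (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 spanning-tree portfast
!
! Vendor B: same isolated secondary VLAN, so A and B cannot see each other
interface GigabitEthernet0/3
 description Vendor B host (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 spanning-tree portfast
!
! Verify after applying:
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/2 switchport
```

Isolated ports only block vendor-to-vendor traffic at layer 2; if the firewall's DMZ interface proxy-ARPs or routes between hosts on that subnet, the traffic reappears at layer 3 and must be denied by firewall policy as well. Port security pins each isolated port to a single learned MAC, so a host cannot spoof another vendor's address to the firewall from its own port.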
Current thread:
- Shared DMZ liability Allen Todd (Aug 19)
- Re: Shared DMZ liability Bennett Todd (Aug 19)
- Re: Shared DMZ liability David Collier-Brown (Aug 19)
- Re: Shared DMZ liability Frank Willoughby (Aug 19)
- Re: Shared DMZ liability Rick Smith (Aug 23)
- <Possible follow-ups>
- Re: Shared DMZ liability James Wilson (Aug 23)
- Re: Shared DMZ liability Frank Willoughby (Aug 23)
- Re[2]: Shared DMZ liability Steve . Bleazard (Aug 25)
- Re: Re[2]: Shared DMZ liability Chad Schieken (Aug 25)
- Re[4]: Shared DMZ liability Steve . Bleazard (Aug 26)