Firewall Wizards mailing list archives

Re[2]: Shared DMZ liability


From: Steve.Bleazard () wdr com
Date: Tue, 25 Aug 1998 08:14:26 +0700

     Sharing a DMZ between multiple external vendors may be in violation of 
     the local telecoms laws preventing unlicensed entities from acting as 
     telecoms providers.
     
     However, all is not lost: a shared DMZ can be set up using VLAN 
     technology which only allows specified hosts to communicate even 
     though they are on the same IP segment and hub.  The hub in fact 
     performs access control based on the MAC address.
     
     Steve


______________________________ Reply Separator _________________________________
Subject: Re: Shared DMZ liability
Author:  rick.smith (rick_smith () securecomputing com) at unix/o2=mime
Date:    8/22/98 4:12 AM


At 01:22 PM 8/18/98 -0400, Allen Todd wrote:


I'm interested in whether anyone has any specific 
knowledge about corporate liability resulting from
the use of a shared DMZ for external data providers.

First of all, keep in mind that there's no network security mechanism
that's going to keep a bunch of hosts like that from potentially attacking
one another. The separate DMZs do raise the bar, but it's not clear this
improves your legal liability situation.

If everyone is on the same DMZ, then risk of one outsider attacking another
is increased, since there's no independent security mechanism (i.e.
firewall) separating them, and a firewall would probably increase the
effort required for a successful attack. However, if someone performs a
direct and unsophisticated attack from their host machine to a competitor's
machine, and the attack is logged, then any logged IP addresses will point
to the real attacker. This makes them the favored target of a lawsuit. This
really happens: I've investigated that sort of thing.

If the attacker is more clever and mounts the attack from another machine
(yours, for example) or uses some other strategy to forge IP addresses,
then the owner of the forged address becomes a more likely target of a
lawsuit.

If you use separate DMZs you probably increase the work required by
outsiders to attack one another, and thus you probably decrease the
likelihood of attacks. On the other hand, successful attacks will *have* to
be mounted by penetrating one of your own machines, so logged attacks will
point to *you* as the perpetrator. This makes you the prime target of the
lawsuit if anything happens. So you decrease the likelihood of attacks (and
the likelihood may be small anyway, depending on the group of outsiders
involved) but you increase the likelihood that you'll be held responsible
if an attack *does* occur.

I expect this isn't the sort of answer you're looking for, but it's another
way of looking at the problem.

Rick.
smith () securecomputing com
