Firewall Wizards mailing list archives

Re: segmentation of DMZs

From: Carson Gaspar <carson () taltos org>
Date: Thu, 14 Nov 2002 08:42:46 -0500

--On Thursday, November 14, 2002 12:35 PM +0200 Shimon Silberschlag<shimons () bll co il> wrote:

As a spin-off for the thread "Flat vs. Segmented DMZ's", I would like
to ask the group if they support/oppose segmenting even segments
conducting the same work to sub-segments.

Let's take the extreme cases, as a pedagogical exercise. I'll address yourspecific case below, if you want to skip the excercise ;-)


a) Everything on the same flat segment

Pro:

Easy address space allocation
Allows any application architecture
Low firewall port count
Simple routing
Low operational / debugging complexity

Con:

If any exposed service is compromised, you rely on host security to repellfurther attacks


b) Every system is on a seperate segment

Pro:

Every system must be compromised via the minimal exposed services to anexternal or already compromised system


Con:

Address space nightmare (can be solved with a bridging firewall)

Application architecture must be explicitly provisioned, every time itchanges (may be seen as a Pro)A sufficiently bad application architecture can require the inter-systemprotection to be effectively nill

Enormous firewall port count (802.1q helps)
Complex routing / bridging
High operational / debugging complexity

So, as usual, you have a set of tradeoffs. Increased security (withdiminishing returns), vs. increased operational and deployment costs.

In your case, seperating authenticated and non-authenticated services (orsensitive and non-sensitive) does not significantly increase the number ofcompartments, and does give a significant security benefit (in my opinion,of course). Assuming your deployed switching, routing, and firewalltechnologies support it, I'd say do it.

And a plug for my current favorite firewall vendor: Netscreen supportscomplex routing, virtual firewalls, bridging, and 802.1q. If you want to gotowards the compartmented extreme, they're a good fit.

I haven't actually seen one, much less used one, but the Cisco PIX switchblade may also be worth looking at.


--
Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Mainframes on the Net? Don Kendrick (Nov 13)
- Re: Mainframes on the Net? Paul Robertson (Nov 13)
  - Re: Mainframes on the Net? Barney Wolff (Nov 13)
  - segmentation of DMZs Shimon Silberschlag (Nov 14)
    - Re: segmentation of DMZs Paul D. Robertson (Nov 14)
    - Re: segmentation of DMZs Carson Gaspar (Nov 14)
    - Re: segmentation of DMZs Mikael Olsson (Nov 16)
    - Re: segmentation of DMZs Carson Gaspar (Nov 17)
    - Re: segmentation of DMZs Miles Sabin (Nov 15)
    - RE: segmentation of DMZs Ofir Arkin (Nov 18)
  - Re: Mainframes on the Net? Lorens Kockum (Nov 14)
- Re: Mainframes on the Net? R. DuFresne (Nov 13)
- <Possible follow-ups>
- RE: Mainframes on the Net? Scott, Richard (Nov 13)
- RE: Mainframes on the Net? Noonan, Wesley (Nov 13)
- RE: Mainframes on the Net? Desai, Ashish (Nov 14)
  - RE: Mainframes on the Net? Paul D. Robertson (Nov 14)

(Thread continues...)