Firewall Wizards mailing list archives
Re: segmentation of DMZs
From: Carson Gaspar <carson () taltos org>
Date: Thu, 14 Nov 2002 08:42:46 -0500
--On Thursday, November 14, 2002 12:35 PM +0200 Shimon Silberschlag <shimons () bll co il> wrote:
> As a spin-off for the thread "Flat vs. Segmented DMZ's", I would like to ask the group if they support/oppose segmenting even segments conducting the same work to sub-segments.
Let's take the extreme cases, as a pedagogical exercise. I'll address your specific case below, if you want to skip the exercise ;-)
a) Everything on the same flat segment
Pro:
- Easy address space allocation
- Allows any application architecture
- Low firewall port count
- Simple routing
- Low operational / debugging complexity
Con:
- If any exposed service is compromised, you rely on host security to repel further attacks

b) Every system is on a separate segment
Pro:
- Every system must be compromised via the minimal exposed services to an external or already compromised system
Con:
- Address space nightmare (can be solved with a bridging firewall)
- Application architecture must be explicitly provisioned, every time it changes (may be seen as a Pro)
- A sufficiently bad application architecture can require the inter-system protection to be effectively nil
- Enormous firewall port count (802.1q helps)
- Complex routing / bridging
- High operational / debugging complexity

So, as usual, you have a set of tradeoffs. Increased security (with diminishing returns), vs. increased operational and deployment costs.
In your case, separating authenticated and non-authenticated services (or sensitive and non-sensitive) does not significantly increase the number of compartments, and does give a significant security benefit (in my opinion, of course). Assuming your deployed switching, routing, and firewall technologies support it, I'd say do it.
And a plug for my current favorite firewall vendor: Netscreen supports complex routing, virtual firewalls, bridging, and 802.1q. If you want to go towards the compartmented extreme, they're a good fit.
I haven't actually seen one, much less used one, but the Cisco PIX switch blade may also be worth looking at.
--
Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
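The trade-off Carson lays out (flat vs. per-host vs. split by sensitivity) can be made concrete with a small model. The following is an added example, not part of the original post or the list archive: it assumes a constructed five-host DMZ, a constructed set of application flows, and that an admin port (22) listens on every host without being an exposed service. For each policy it counts the segments and inter-segment rules the firewall must carry, and the (host, port) pairs an attacker who has taken over one public web host can still reach, which is the "rely on host security" blast radius of the flat case.

```python
SSH = 22  # constructed: an admin port every host listens on but never exposes

# Constructed inventory: (tier, handles authenticated/sensitive data, exposed ports).
HOSTS = {
    "www1": ("web", False, {80, 443}),
    "www2": ("web", False, {80, 443}),
    "login": ("web", True, {443}),
    "app": ("app", True, {8080}),
    "db": ("data", True, {3306}),
}
# Constructed application flows (src host, dst host, port) that must keep working.
FLOWS = [("www1", "app", 8080), ("www2", "app", 8080),
         ("login", "app", 8080), ("app", "db", 3306)]

# The three compartmentalisation policies from the thread: a host -> segment map.
POLICIES = {
    "flat": lambda h: "dmz",
    "by_sensitivity": lambda h: "sensitive" if HOSTS[h][1] else "public",
    "per_host": lambda h: h,
}

def build_rules(policy):
    """Inter-segment firewall rules derived from FLOWS. A rule is keyed on
    (src segment, dst host, port), the granularity of a segment-based ruleset."""
    seg = POLICIES[policy]
    return {(seg(s), d, p) for s, d, p in FLOWS if seg(s) != seg(d)}

def reachable(compromised, policy):
    """(host, port) pairs an attacker on `compromised` can connect to: every listening
    port inside its own segment (no firewall in the path), plus only what rules allow."""
    seg = POLICIES[policy]
    rules = build_rules(policy)
    out = set()
    for h, (_, _, exposed) in HOSTS.items():
        if h == compromised:
            continue
        if seg(h) == seg(compromised):
            out |= {(h, p) for p in exposed | {SSH}}
        else:
            out |= {(h, p) for s, d, p in rules if s == seg(compromised) and d == h}
    return out

def summary(policy):
    """Operational cost (segments, rules) vs. blast radius from one public web host."""
    return {"segments": len({POLICIES[policy](h) for h in HOSTS}),
            "rules": len(build_rules(policy)),
            "reach_from_www1": len(reachable("www1", policy))}

RESULTS = {name: summary(name) for name in POLICIES}
```

With this inventory the sensitivity split already cuts the reach from a compromised web host from nine listening ports (including every host's admin port) to four, at the cost of a single extra segment and one rule; per-host segmentation gets it down to one port but needs five segments and four rules.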