Firewall Wizards mailing list archives
Re: Flat vs Segmented DMZ's
From: Carson Gaspar <carson () taltos org>
Date: Wed, 06 Nov 2002 18:18:28 -0500
--On Wednesday, November 06, 2002 8:28 AM -0800 WhtWlf2001 <whtwlf2001 () yahoo com> wrote:
I'm hoping to get some feedback (Pros/Cons) from the list members on a Flat vs. Segmented DMZ structure. We currently have about 20 hosts segmented off to 4-5 different DMZ interfaces on a CP firewall. With the exception of having a separate MGMT DMZ, I'm curious about the benefits/detriments to having this segmented infrastructure. Today we offer only limited web services (http,ftp,owa) via the web.
A fairly standard web app has multiple layers: the front-end web server, some middleware, perhaps some AAA software, and a database.
So you run a web server. That means it is very likely to get hacked (IIS, Apache, Sun ONE - they have all had nasty security bugs). So now your web server has an intruder - what can they do? They can almost certainly do anything your web app can do. This means the hacker can communicate with the other web app systems, via the same channels (and with the same authentication) as your web app. Packet-filtering compartmentalization (by itself) does not solve this problem. Something like a database proxy that enforces read-only access might, however. Also, assuming that _all_ of your components are compartmentalized, the hacker may flood one to three compartments, but still may not be able to get into your main network. Of course, if your database servers are on your main backbone...
On the other hand, say your database software is secure, but the system it's running on has a buggy telnet daemon enabled? In a compartmentalized system, the hacker can't jump from the web server to the database server. In a flat design, they can.
So the multiple DMZ architecture reduces your risks. All else being equal, I _highly_ recommend it. It does _not_, however, remove the need for a thorough application security analysis.
-- Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
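The lateral-movement argument in the reply above (an intruder on the web server keeps the app's own channels to the other tiers in either design, but can only hop to a buggy telnet daemon on the database host when the tiers share one segment), as an added example that is not part of the original post or of the list thread. It is a small Python reachability model: the host names, zones, ports, firewall rules and the "exploitable"/"app-channel" labels are constructed assumptions, not anything from the poster's CP firewall.

```python
"""Reachability model for a flat vs. segmented DMZ.

Constructed example (not configuration from the list post): a small
web -> middleware -> database application with a management segment,
plus an internal LAN behind the firewall. It computes what an attacker
who already owns the web server can reach under each design.
"""
from collections import deque

# Service kinds, seen from an attacker who can reach the port (assumed):
#   exploitable  - a remotely exploitable daemon; reaching it yields a shell
#   app-channel  - the channel the web app itself uses; reaching it gives the
#                  attacker the app's own access (same credentials), not a shell
#   auth         - properly authenticated admin service; assumed not exploitable
HOSTS = {
    "web1":  {"services": {80: "exploitable", 22: "auth"}},
    "mw1":   {"services": {8080: "app-channel", 23: "exploitable"}},
    "db1":   {"services": {1433: "app-channel", 23: "exploitable"}},
    "mgmt1": {"services": {22: "auth"}},
    "lan1":  {"services": {445: "exploitable"}},
}

# Flat design: every DMZ host shares one segment behind a single interface.
FLAT_ZONES = {"web1": "dmz", "mw1": "dmz", "db1": "dmz",
              "mgmt1": "dmz-mgmt", "lan1": "internal"}
FLAT_RULES = [("dmz-mgmt", "dmz", 22)]

# Segmented design: one interface per tier, explicit rules between tiers.
SEG_ZONES = {"web1": "dmz-web", "mw1": "dmz-mw", "db1": "dmz-db",
             "mgmt1": "dmz-mgmt", "lan1": "internal"}
SEG_RULES = [
    ("dmz-web", "dmz-mw", 8080),   # web tier calls middleware
    ("dmz-web", "dmz-db", 1433),   # web tier calls the database directly
    ("dmz-mw", "dmz-db", 1433),    # middleware calls the database
    ("dmz-mgmt", "dmz-web", 22),
    ("dmz-mgmt", "dmz-mw", 22),
    ("dmz-mgmt", "dmz-db", 22),
]


def allowed(zones, rules, src, dst, port):
    """True if a packet from src to dst:port passes the firewall policy."""
    if zones[src] == zones[dst]:
        return True                # same segment: the firewall is not in the path
    return any(s == zones[src] and d == zones[dst] and p in (port, "any")
               for s, d, p in rules)


def attacker_reach(hosts, zones, rules, start):
    """Transitive closure of what an attacker with a shell on `start` gains.

    Returns (hosts where the attacker has a shell,
             (host, port) app channels the attacker can drive as the app).
    """
    shells, channels = {start}, set()
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst, info in hosts.items():
            if dst == src:
                continue
            for port, kind in info["services"].items():
                if not allowed(zones, rules, src, dst, port):
                    continue
                if kind == "exploitable" and dst not in shells:
                    shells.add(dst)        # lateral move: new shell, keep expanding
                    queue.append(dst)
                elif kind == "app-channel":
                    channels.add((dst, port))
    return shells, channels


def compare(start="web1"):
    """Run the same compromised-web-server scenario against both designs."""
    return {
        "flat": attacker_reach(HOSTS, FLAT_ZONES, FLAT_RULES, start),
        "segmented": attacker_reach(HOSTS, SEG_ZONES, SEG_RULES, start),
    }


if __name__ == "__main__":
    for design, (shells, channels) in compare().items():
        print(f"{design:10s} shells={sorted(shells)} app_channels={sorted(channels)}")
```

Under both designs the attacker ends up driving the middleware and database channels exactly as the web app would, which is the point that packet filtering alone cannot fix; only the flat design additionally hands out shells on mw1 and db1 through the telnet daemon. The model deliberately does not represent the read-only database proxy mentioned in the reply; adding it would mean swapping the db1 channel for a proxy host whose service kind limits what the attacker can do with the app's credentials.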
Current thread:
- Flat vs Segmented DMZ's WhtWlf2001 (Nov 06)
- Re: Flat vs Segmented DMZ's Paul Robertson (Nov 06)
- Re: Flat vs Segmented DMZ's Dave Piscitello (Nov 06)
- Re: Flat vs Segmented DMZ's Mikael Olsson (Nov 06)
- Re: Flat vs Segmented DMZ's Carson Gaspar (Nov 06)
- Re: Flat vs Segmented DMZ's Luca Berra (Nov 21)
- <Possible follow-ups>
- RE: Flat vs Segmented DMZ's Scott, Richard (Nov 07)