Firewall Wizards mailing list archives

RE: Rationale of the great DMZ


From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Mon, 30 Sep 2002 15:53:54 -0500

<snip> 

This is popular among several companies I've worked for and with. IMO it's 
A Good Thing, because it hopefully suggests that organizations (a)  want to 
improve security for their public-facing servers and (b) finally realize 
that there's no such thing as a sacrificial lamb host/server (if there ever 
were such things other than honeypots, I'm not certain I ever agreed with 
this).

Don't you think that eventually, enough organizations will be held 
accountable for attacks perpetrated from systems they are responsible for 
operating that all zones an organization operates will have to be more like 
what we've traditionally called trusted zones? Is it wrong to think that 
how we distinguish "trusted zones" would be a matter of (many) 
constituencies and AAA policy rather than a boolean "here's something we're 
willing to place at (greater) risk, and here's stuff we're not"?

Some companies are still using what we've traditionally called a DMZ but as 
a "dirty network". It's a place where they allow visitors, guests, any 3rd 
party who has authorized entry to their facility but no license/authority 
to use their trusted network. 

<snip>

This is an interesting point, however, it really depends on the application
scope and the intended architecture blue print and where you think the drive
to use such technology will take you.  I agree the sacrificial lamb is quite
poignant in today's world of high availability but the rationale back then
was a lot different.

From what I see, the segregation that was first very much needed has not
become less and less needed.  In its place we have enlarged our internal
networks, and because they are internal, for some reason, labeled them
secure.  Now the secure network is becoming more operationally architected
with DMZ and the DMZ is not blurred.  The firewall is becoming more like
Swiss cheese because of protocols that "float" on HTTP.  The rationale I see
being built is that, now since the secure network is secure, why is it such
a worry the DMZ and internal networks are migrating to become singular?

Yes, it is a good idea we move from the old building castles/moat idea but
we are not necessarily moving toward a multi layer operation either.  In my
opinion, behemoths tend to build their DMZs and then integrate them in to the
internal network, extending the perimeter security.  I personally think that
within time the rationale will look toward even more integrated apps and
drive what is really needed, multi layer security, with proper segregation
at the network layer.

"In addition to the compartmentalization of 
these people from the trusted network, they have more lax outbound policies 
- for example, one company does not allow outbound connections to IM or 
gotomypc or any peer to peer application (at least the ones they know how 
to block:-)  on their trusted network but allows these on their dirty
network. "


Right.  But when you have such a large company, a hosting company et al,
simply extending the perimeter doesn't work.  Individual networks and
applications need to be segregated.  I'd rather have those who need peer to
peer services to only have them, whilst being able to separate that from
other applications and networks that definitely do not need it.  By
extending the perimeter constantly, it becomes difficult to do.

Cheers
r.

Richard Scott
INFORMATION SECURITY
Tel: (001) -952-324-0697
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy
or any of its subsidiaries



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards