Firewall Wizards mailing list archives
RE: Rationale of the great DMZ
From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Mon, 30 Sep 2002 15:53:54 -0500
<snip>
This is popular among several companies I've worked for and with. IMO it's A Good Thing, because it hopefully suggests that organizations (a) want to improve security for their public-facing servers and (b) finally realize that there's no such thing as a sacrificial lamb host/server (if there ever were such things other than honeypots, I'm not certain I ever agreed with this).

Don't you think that eventually, enough organizations will be held accountable for attacks perpetrated from systems they are responsible for operating that all zones an organization operates will have to be more like what we've traditionally called trusted zones? Is it wrong to think that how we distinguish "trusted zones" would be a matter of (many) constituencies and AAA policy rather than a boolean "here's something we're willing to place at (greater) risk, and here's stuff we're not"?

Some companies are still using what we've traditionally called a DMZ but as a "dirty network". It's a place where they allow visitors, guests, any 3rd party who has authorized entry to their facility but no license/authority to use their trusted network.
<snip>

This is an interesting point; however, it really depends on the application scope and the intended architecture blueprint and where you think the drive to use such technology will take you. I agree the sacrificial lamb is quite poignant in today's world of high availability, but the rationale back then was a lot different.
From what I see, the segregation that was first very much needed has not become less and less needed. In its place we have enlarged our internal networks, and because they are internal, for some reason, labeled them secure. Now the secure network is becoming more operationally architected with DMZ and the DMZ is not blurred. The firewall is becoming more like Swiss cheese because of protocols that "float" on HTTP. The rationale I see being built is that, now since the secure network is secure, why is it such a worry that the DMZ and internal networks are migrating to become singular? Yes, it is a good idea we move from the old building castles/moat idea, but we are not necessarily moving toward a multi-layer operation either. In my opinion, behemoths tend to build their DMZs and then integrate them into the internal network, extending the perimeter security. I personally think that within time the rationale will look toward even more integrated apps and drive what is really needed: multi-layer security, with proper segregation at the network layer.

"In addition to the compartmentalization of these people from the trusted network, they have more lax outbound policies - for example, one company does not allow outbound connections to IM or gotomypc or any peer to peer application (at least the ones they know how to block :-) on their trusted network but allows these on their dirty network."

Right. But when you have such a large company, a hosting company et al, simply extending the perimeter doesn't work. Individual networks and applications need to be segregated. I'd rather have only those who need peer to peer services have them, whilst being able to separate that from other applications and networks that definitely do not need it. By extending the perimeter constantly, it becomes difficult to do.

Cheers
r.
Richard Scott
INFORMATION SECURITY
Tel: (001) -952-324-0697
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA
The views expressed in this email do not represent Best Buy or any of its subsidiaries

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards