Re: ASP/Hosting Architecture

["Paul D. Robertson" <paul () compuwar net>]

On Tue, 2 Nov 2004, Don Kendrick wrote:

> Dear Wizards,
>
> Need some direction/advise from anyone that has worked in the
> development of a network/firewall architecture for an ASP or hosting
> company. I'm currently working on developing a plan for an organization
> that will host multiple organization's IT infrastructures.  Some of the
> organizations have a high risk tolerance and some have (or should have)
> a very low tolerance.
>
> When you look at developing a network/security architecture for an
> organization, you are usually looking at one organization's assets and
> can then apply the standards for tiering (presentation, application,
> and data) and segmentation based on criticality and confidentiality.
>
> The problem is how do we do this in an environment that also has to be
> segmented based on owner.  Things start to not scale well quickly. Lots
> of firewalls,  segmented SAN/NAS devices, segmented enterprise backup
> systems.  If you don't address some of this you run the risk of the
> weakest link being exploited to escalate into other more secure
> co-located systems that might share infrastructure.

You have a few choices, either make a limited number of zones, and
replicate the environment for that number (3 or 4 max) and place
organizations into a particular zone based on their self-confessed
tolerance, make the infrastructure as hardened as possible, make the
organizational stuff not able to talk to each other, and carry the risk
that's left, or build out each thing individually.  Which is right depends
heavily upon resources, security visibility and scale.

> I'm sure that there are some organizations with this type of problem
> that do it the wrong way, basically going flat with the tiering and/or
> data segmentation and only segmenting (maybe even only with VLANs) on
> the data owner (hosting client).

Yep, lots of places do it wrong.

> Is anyone doing it right? How do you make it scale? Any models, ideas?

It also depends on your idea of secure and what resources have to be
shared.  I happen to think multi-level secure systems work well for this
sort of things, Marcus probably doesn't agree at all.  We probably both
agree that the administrative overhead is pretty ugly though ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards