Firewall Wizards mailing list archives

Re: ASP/Hosting Architecture


From: "Kerry Thompson" <kez () crypt gen nz>
Date: Fri, 12 Nov 2004 15:21:14 +1300 (NZDT)

Paul D. Robertson said:

You have a few choices, either make a limited number of zones, and
replicate the environment for that number (3 or 4 max) and place
organizations into a particular zone based on their self-confessed
tolerance, make the infrastructure as hardened as possible, make the
organizational stuff not able to talk to each other, and carry the risk
that's left, or build out each thing individually.  Which is right depends
heavily upon resources, security visibility and scale.

Yes, other technical controls can help: VLANs and the firewall-on-a-stick
architecture can help scalability, as can deploying larger firewalls with
domain/virtualization capability (Netscreen, Cisco FWSM).


I'm sure that there are some organizations with this type of problem
that do it the wrong way, basically going flat with the tiering and/or
data segmentation and only segmenting (maybe even only with VLANs) on
the data owner (hosting client).

Yep, lots of places do it wrong.

The few that I've seen rely on host security, particularly in the
presentation and application layers. Few implement security on back-end
storage systems, they usually assume that the threat has been diluted at
the lower layers.


Is anyone doing it right? How do you make it scale? Any models, ideas?

It also depends on your idea of secure and what resources have to be
shared.  I happen to think multi-level secure systems work well for this
sort of thing, Marcus probably doesn't agree at all.  We probably both
agree that the administrative overhead is pretty ugly though ;)

True. I've done a fair bit of work on SELinux and, while it can be used to
provide very scalable host security, the learning curve can be steep. It's
capable of MLS, but that's rarely deployed in favour of plain MAC. The MAC
model in SELinux offers good process separation, potentially down to the
network level on a single server. This is a good alternative to deploying
multiple DMZ segments for all of the different types of servers that you
want to separate from each other.

For instance, the SELinux policy is configured to permit web server
processes to only read files and send them back to the client and nothing
else. No web server process (or sub-process) can open a network
connection, access any other files, or even invoke a shell unless you
explicitly permit it. So this sort of approach can save you from deploying
a separate server for Email, DNS, Web, FTP, ... each on a different DMZ to
stop a hacked server from attacking the others.

One of the biggest problems in the ISP/ASP environment is auditability.
The customers always want proof (or at least a high level of certainty)
that their host environment is secure. And as the number of distinct
tiered networks climbs over the 100 mark this becomes very difficult to
do.

Kerry


-- 
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz  kez () crypt gen nz
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
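An added illustration of the SELinux confinement Kerry describes above (this is not code from the original post, nor a module shipped by the SELinux reference policy): a minimal Type Enforcement module for a hypothetical web server domain `myweb_t`, written against the reference-policy interface macros. The type names `myweb_t`, `myweb_exec_t` and `myweb_content_t` are assumptions chosen for the example. The point it shows is the one made in the post: SELinux denies everything not explicitly allowed, so the absence of a rule is what stops a compromised server process from connecting outbound, reading other customers' files, or spawning a shell.

```selinux
# myweb.te -- hypothetical confined web server domain (added example, not
# part of the original post or of the SELinux reference policy).
policy_module(myweb, 1.0)

# Domain the daemon runs in, the label of its executable, and the label
# of the content it is allowed to serve (names are assumptions).
type myweb_t;
type myweb_exec_t;
type myweb_content_t;
domain_type(myweb_t)
domain_entry_file(myweb_t, myweb_exec_t)
files_type(myweb_content_t)

# When init executes a file labelled myweb_exec_t, the process
# transitions into myweb_t instead of staying in init's domain.
init_daemon_domain(myweb_t, myweb_exec_t)

# Read-only access to the served content tree: directory traversal and
# file read, nothing that allows writing or creating files.
allow myweb_t myweb_content_t:dir  { getattr open read search };
allow myweb_t myweb_content_t:file { getattr open read };

# Accept inbound client connections on the HTTP port only.
# create_stream_socket_perms covers create/bind/listen/accept on the
# daemon's own listening socket.
allow myweb_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(myweb_t)
corenet_tcp_bind_http_port(myweb_t)

# Deliberately absent rules (each would be a separate interface or allow):
#   - no name_connect on any port type, so the server cannot open
#     outbound TCP connections (no corenet_tcp_connect_* interface);
#   - no access to any file type other than myweb_content_t, so files
#     belonging to other services or customers are unreadable;
#   - no execute permission on shell binaries (no corecmd_exec_shell),
#     so invoking /bin/sh from the server domain is denied.
# Every one of these shows up as an AVC denial in the audit log if the
# process attempts it, which is also what makes the behaviour auditable.
```

Files under the web root are labelled `myweb_content_t` through the module's accompanying `.fc` file (for example mapping `/srv/myweb/www(/.*)?` to that type; the path is an assumption), and the module is built and loaded with the usual `make -f /usr/share/selinux/devel/Makefile` and `semodule -i` steps. Denials raised by a process that steps outside this envelope are written by the kernel as `avc: denied` records, which can be reviewed with `ausearch -m AVC`; that record trail is one way of giving a hosting customer the kind of evidence the post says they ask for.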

