Educause Security Discussion mailing list archives

Re: Rethinking the DMZ


From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Thu, 6 Sep 2012 18:23:27 +0000

Side thread on the topic; apologies.

We've looked a bit at Microsoft's Server and Domain Isolation and DirectAccess systems, which offer the promise of some 
of this host-firewall/control close to the server.

Has anyone ever had a conversation with, say, an internal or other IT-audit group about separation of duties issues with 
server (or Active Directory) admins controlling network traffic policy, instead of a separate network or Infosec group?

   -jml

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Haines, Ena
Sent: Thursday, September 06, 2012 12:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Rethinking the DMZ

One can understand why the network gurus say we shouldn't do elaborate firewalling at the network level, but rather 
close down the hosts. If a department has one or two servers, fine, let them be responsible for locking them down. If the 
IT dept has 250 servers managed by 3 or 4 admins, then what? Are any of your server admin teams happy with a system for 
managing the "personal firewall" on each server? Can you set it locally and forget it every time you deploy a new 
server? Don't your port requirements change as ours do when there's an app upgrade or a middleware upgrade, etc.?

Some days it seems as though it's really about manageability.

V. Ena Haines
Director of Information Technology
Teachers College, Columbia University
525 West 120th Street
New York, NY
10027
V: 212-678-3486
F: 212-678-3243


On Tue, Sep 4, 2012 at 11:48 AM, Deke Kassabian <deke () isc upenn edu> wrote:
I'm a fan of border firewalls when the border can be drawn around the application servers and the stored data that 
warrant a serious level of protection that can be defined in terms of allowed protocol set. If you twist my arm, maybe 
I can also include expected community of users by network address as a poor stand-in for expected community of people, 
but I'd rather handle that part by strong authentication and additional Identity and Access Management infrastructure.

I'm less a fan of borders in some other situations, particularly when the idea is to draw it around a large enterprise 
such as a big university. The conceptual problem I have is that we are seeing huge growth in personally owned high 
function mobile devices that connect over both enterprise wireless networks and carrier 3G/4G networks. The same user 
on the same device would be "inside" one moment and "outside" the next, and may spend substantial time on other 
networks such as home networks or coffee shop networks where they can quickly go from clean to compromised.

All my instincts tell me that enterprise borders are less helpful, and that I want our focus to be on placing 
well-designed protection very close to the resources (data, app servers) we want to protect and to treat all else as 
public and untrusted, even if a device happens to have an IP address at the moment that "belongs" to the University.

I'm a fan of open networks, closed servers, protected sessions.



On 9/4/12 10:50 AM, Julian Y Koh wrote:
On Aug 30, 2012, at 16:09 , Youngquist, Jason R. wrote:

Given current system requirements and the evolution of security, are the reasons for setting up a DMZ 15 years ago 
still valid, and is the value of maintaining a DMZ worth the associated costs and if not, what are the alternatives?

We never did a full-blown DMZ.  Firewalls are deployed where needed and/or required, but everything else is just out on 
public IP space and not firewalled.

A border firewall of some sorts will likely be in our future, but we will not be doing a complete re-architecture of 
our network to accommodate it.


--
Deke Kassabian,  Senior Technology Director
Information Systems and Computing, University of Pennsylvania

