Educause Security Discussion mailing list archives
Re: Rethinking the DMZ
From: Mike Caudill <mike.caudill () DUKE EDU>
Date: Thu, 6 Sep 2012 18:24:48 +0000
Hi Ena,

The problem with the concentric circles approach is that once you get past the firewall, without other layered security protections one "trusted" host can easily attack and infect another "trusted" host. And if you look at the statistics on what AV software is actually able to catch, it does not even come close to being 100% effective.

A perimeter firewall can perform some useful functions, but can also introduce problems as well. You really need to have a more thorough approach of network, application and security baselines, host-based firewalls, network firewalls, log analysis, netflow analysis, and others. There are no silver bullets here no matter what your vendors may tell you. No firewall or IPS will catch everything. And then if you do too much from a central choke point then you end up with a config that no one fully understands or wants to ever touch for fear that something might break.

The piece that you did hit on though was scalability and manageability. Whatever the architecture you go with, make sure that it is both scalable and manageable. There are products out there that will help visualize your networks and model proposed changes which can help in managing a complex set of rules across multiple devices.
Mike Caudill
Assistant Director, Cyber Defense and Response
Duke Medicine
Email: mike.caudill () duke edu
Phone: +1-919-668-2144 / +1 919-522-4931 (cell)

From: Haines, Ena <ena () TC COLUMBIA EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, September 6, 2012 1:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Rethinking the DMZ

One can understand why the network gurus say we shouldn't do elaborate firewalling at the network level, but rather close down the hosts. If a department has one or two servers, fine, let them be responsible for locking it down. If the IT dept has 250 servers managed by 3 or 4 admins, then what? Are any of your server admin teams happy with a system for managing the "personal firewall" on each server? Can you set it locally and forget it every time you deploy a new server? Don't your port requirements change as ours do when there's an app upgrade or a middleware upgrade, etc.? Some days it seems as though it's really about manageability.

V. Ena Haines
Director of Information Technology
Teachers College, Columbia University
525 West 120th Street
New York, NY 10027
V: 212-678-3486
F: 212-678-3243

On Tue, Sep 4, 2012 at 11:48 AM, Deke Kassabian <deke () isc upenn edu> wrote:

I'm a fan of border firewalls when the border can be drawn around the application servers and the stored data that warrant a serious level of protection that can be defined in terms of allowed protocol set.
If you twist my arm, maybe I can also include expected community of users by network address as a poor stand-in for expected community of people, but I'd rather handle that part by strong authentication and additional Identity and Access Management infrastructure.

I'm less a fan of borders in some other situations, particularly when the idea is to draw it around a large enterprise such as a big university. The conceptual problem I have is that we are seeing huge growth in personally owned high function mobile devices that connect over both enterprise wireless networks and carrier 3G/4G networks. The same user on the same device would be "inside" one moment and "outside" the next, and may spend substantial time on other networks such as home networks or coffee shop networks where they can quickly go from clean to compromised.

All my instincts tell me that enterprise borders are less helpful, and that I want our focus to be on placing well-designed protection very close to the resources (data, app servers) we want to protect and to treat all else as public and untrusted, even if a device happens to have an IP address at the moment that "belongs" to the University. I'm a fan of open networks, closed servers, protected sessions.

On 9/4/12 10:50 AM, Julian Y Koh wrote:

On Aug 30, 2012, at 16:09, Youngquist, Jason R. wrote:

Given current system requirements and the evolution of security, are the reasons for setting up a DMZ 15 years ago still valid, and is the value of maintaining a DMZ worth the associated costs and if not, what are the alternatives?

We never did a full-blown DMZ. Firewalls are deployed where needed and/or required, but everything else is just out on public IP space and not firewalled. A border firewall of some sorts will likely be in our future, but we will not be doing a complete re-architecture of our network to accommodate it.

--
Deke Kassabian, Senior Technology Director
Information Systems and Computing, University of Pennsylvania
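The messages above argue for "open networks, closed servers" while asking how a few admins can keep per-host firewalls correct across hundreds of servers whose port requirements drift with every upgrade. The following is an added example written for this archive page, not code posted by any of the participants. It shows one way to make that manageable: the host policy is a short declarative role definition, a default-deny nftables ruleset is rendered from it, and the same definition is checked against the host's actual listening sockets so stale roles show up instead of silently blocking (or silently exposing) a service. The role names, the 10.0.0.0/24 management subnet, the 10.0.1.0/24 application subnet and the `ss -Hlntu` listing are all constructed for the example.

```python
"""Render a default-deny nftables host policy from a declarative role
definition and report listening sockets the policy does not cover.

Example code for the thread; role names, subnets and the `ss` sample are
constructed, not taken from any real environment."""

from dataclasses import dataclass

ADMIN_NET = "10.0.0.0/24"   # assumed management subnet allowed to reach SSH
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Service:
    proto: str      # "tcp" or "udp"
    port: int
    sources: tuple  # CIDRs allowed to reach the port; (ANY,) means everyone


@dataclass(frozen=True)
class Role:
    name: str
    services: tuple


# Constructed role catalogue: a public web tier and a database tier that
# only the application subnet may talk to, so one "trusted" host cannot
# reach another's service just by being on the campus network.
ROLES = {
    "web": Role("web", (Service("tcp", 80, (ANY,)),
                        Service("tcp", 443, (ANY,)))),
    "db": Role("db", (Service("tcp", 5432, ("10.0.1.0/24",)),)),
}


def render_nft(role: Role, admin_net: str = ADMIN_NET) -> str:
    """Emit an nftables ruleset: drop by default, allow loopback, replies,
    ICMP, SSH from the admin subnet, and the role's declared services."""
    lines = [
        "table inet host {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    ip protocol icmp accept",
        "    ip6 nexthdr icmpv6 accept",
        f"    ip saddr {admin_net} tcp dport 22 accept",
    ]
    for svc in role.services:
        for src in svc.sources:
            if src == ANY:
                lines.append(f"    {svc.proto} dport {svc.port} accept")
            else:
                lines.append(
                    f"    ip saddr {src} {svc.proto} dport {svc.port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def listeners(ss_output: str) -> set:
    """Parse `ss -Hlntu` lines into (proto, port) pairs.

    Sockets bound only to loopback are skipped; they are unreachable from
    the network regardless of the firewall."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if addr in ("127.0.0.1", "[::1]"):
            continue
        found.add((proto, int(port)))
    return found


def drift(role: Role, ss_output: str) -> list:
    """Network-reachable listeners not declared by the role (SSH is
    implicitly declared). Each one is either something the host firewall
    is now blocking after an upgrade, or a service that was never meant
    to be exposed; both deserve a human look."""
    allowed = {(s.proto, s.port) for s in role.services} | {("tcp", 22)}
    return sorted(listeners(ss_output) - allowed)


# Constructed `ss -Hlntu` output for a "web" host after a middleware
# upgrade added an 8080 listener and an SNMP agent was left enabled.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""

if __name__ == "__main__":
    print(render_nft(ROLES["web"]))
    print("undeclared listeners:", drift(ROLES["web"], SAMPLE_SS))
```

On a real host the rendered text would be written to `/etc/nftables.conf` (or fed to `nft -f -`) by the configuration management tool that already knows the host's role, and the drift check would run from the same tool against live `ss -Hlntu` output; because the role definition is the single input to both, an upgrade that changes a port is handled by editing one small file rather than touching a central ruleset nobody wants to modify.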
Current thread:
- Rethinking the DMZ Youngquist, Jason R. (Aug 30)
- Re: Rethinking the DMZ Jeff Moore (Aug 30)
- Re: Rethinking the DMZ Joel Rosenblatt (Aug 30)
- Re: Rethinking the DMZ Harry Hoffman (Aug 30)
- Re: Rethinking the DMZ John Hoffoss (Aug 31)
- Re: Rethinking the DMZ Julian Y Koh (Sep 04)
- Re: Rethinking the DMZ Deke Kassabian (Sep 04)
- Re: Rethinking the DMZ Haines, Ena (Sep 06)
- Re: Rethinking the DMZ John Ladwig (Sep 06)
- Re: Rethinking the DMZ Mike Caudill (Sep 06)
- Re: Rethinking the DMZ Jeff Kell (Sep 06)
- Re: Rethinking the DMZ Mike Caudill (Sep 06)
- Re: Rethinking the DMZ Deke Kassabian (Sep 04)
- Re: Rethinking the DMZ David Byers (Sep 06)
- Re: Rethinking the DMZ Justin Azoff (Sep 06)
- Re: Rethinking the DMZ Harry Hoffman (Sep 06)
- Re: Rethinking the DMZ Gary Flynn (Sep 06)
- <Possible follow-ups>
- Re: Rethinking the DMZ Joe St Sauver (Sep 06)
- Re: Rethinking the DMZ Harry Hoffman (Sep 06)