Educause Security Discussion mailing list archives
Re: Rethinking the DMZ
From: David Byers <david.byers () LIU SE>
Date: Thu, 6 Sep 2012 20:41:18 +0200
Whether you have perimeter protection or not does not greatly impact the need for protection on each host. Chances are pretty good that eventually something inside your perimeter will become a malware-infested zombie, attacking anything and everything it can -- and your typical border firewall will sit there, oblivious. The wider your perimeter, the more likely this is to happen. So firewalling at the network level or no, you still need to lock down the hosts.

Locking down the hosts doesn't necessarily mean deploying a "personal firewall". It could (and should) first and foremost mean ensuring that all accessible services are secure, and that only those services that need to be running, are running. Do that right, and the personal firewall becomes much simpler.

This can be done with hundreds or thousands of servers. It's not *that* hard. It helps to have good configuration management tools, and a reasonable change control process in place. But even without that, it's doable with a fairly large number of servers (we manage pretty well).

I am, by the way, not a network guru -- I'm first and foremost a security person. And I think that "defense in depth" are words to live by in the IT security domain.

--
David Byers
Head of Division Networking, IRT and Telephony
Linköping University
Sweden

On 09/06/2012 07:53 PM, Haines, Ena wrote:
> One can understand why the network gurus say we shouldn't do elaborate firewalling at the network level, but rather close down the hosts. If a department has one or two servers, fine, let them be responsible for locking it down. If the IT dept has 250 servers managed by 3 or 4 admins, then what? Are any of your server admin teams happy with a system for managing the "personal firewall" on each server? Can you set it locally and forget it every time you deploy a new server? Don't your port requirements change as ours do when there's an app upgrade or a middleware upgrade, etc.? Some days it seems as though it's really about manageability.
>
> V. Ena Haines
> Director of Information Technology
> Teachers College, Columbia University
> 525 West 120th Street
> New York, NY 10027
> V: 212-678-3486
> F: 212-678-3243
>
> On Tue, Sep 4, 2012 at 11:48 AM, Deke Kassabian <deke () isc upenn edu> wrote:
>
>> I'm a fan of border firewalls when the border can be drawn around the application servers and the stored data that warrant a serious level of protection that can be defined in terms of allowed protocol set. If you twist my arm, maybe I can also include expected community of users by network address as a poor stand-in for expected community of people, but I'd rather handle that part by strong authentication and additional Identity and Access Management infrastructure.
>>
>> I'm less a fan of borders in some other situations, particularly when the idea is to draw it around a large enterprise such as a big university. The conceptual problem I have is that we are seeing huge growth in personally owned high function mobile devices that connect over both enterprise wireless networks and carrier 3G/4G networks. The same user on the same device would be "inside" one moment and "outside" the next, and may spend substantial time on other networks such as home networks or coffee shop networks where they can quickly go from clean to compromised.
>>
>> All my instincts tell me that enterprise borders are less helpful, and that I want our focus to be on placing well-designed protection very close to the resources (data, app servers) we want to protect and to treat all else as public and untrusted, even if a device happens to have an IP address at the moment that "belongs" to the University.
>>
>> I'm a fan of open networks, closed servers, protected sessions.
>>
>> On 9/4/12 10:50 AM, Julian Y Koh wrote:
>>
>>> On Aug 30, 2012, at 16:09, Youngquist, Jason R. wrote:
>>>
>>>> Given current system requirements and the evolution of security, are the reasons for setting up a DMZ 15 years ago still valid, and is the value of maintaining a DMZ worth the associated costs and if not, what are the alternatives?
>>>
>>> We never did a full-blown DMZ. Firewalls are deployed where needed and/or required, but everything else is just out on public IP space and not firewalled. A border firewall of some sorts will likely be in our future, but we will not be doing a complete re-architecture of our network to accommodate it.
>>
>> --
>> Deke Kassabian, Senior Technology Director
>> Information Systems and Computing, University of Pennsylvania
Attachment:
signature.asc
Description: OpenPGP digital signature
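The host lock-down that David Byers describes above (know which services should be listening, make sure nothing else is, and only then let the "personal firewall" follow from that inventory) is easy to turn into a repeatable check that a configuration management tool can push to hundreds of servers. The script below is an added illustration and is not code from this thread or from any of the institutions named in it. Its service inventory and its sample socket listing are constructed for the example; the listing is shaped like `ss -ltn` output with the header removed, which a real deployment would capture live instead of embedding.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit a host's listening
# TCP ports against an expected-services inventory, then emit a default-deny
# nftables input policy that admits only the inventoried ports.

# Constructed inventory: "<port> <service>" that is allowed to listen on this host.
EXPECTED_SERVICES="22 sshd
443 httpd"

# Constructed sample in the shape of `ss -ltn` output without its header line.
# A real run would replace this with: ss -Hltn
SAMPLE_SS_OUTPUT="LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:443 *:*
LISTEN 0 50 0.0.0.0:3306 0.0.0.0:*"

# listening_ports: read ss-style lines on stdin, print each listening port once.
# The local address is field 4; the port is whatever follows the last colon,
# which also handles IPv6 forms such as [::]:22.
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# unexpected_listeners: print every listening port that is not in the inventory.
# Anything printed here is either an unapproved service or a gap in the inventory,
# and both deserve a ticket before the firewall is touched.
unexpected_listeners() {
    for port in $(printf '%s\n' "$SAMPLE_SS_OUTPUT" | listening_ports); do
        if ! printf '%s\n' "$EXPECTED_SERVICES" \
             | awk -v p="$port" '$1 == p { found = 1 } END { exit !found }'; then
            echo "$port"
        fi
    done
}

# firewall_rules: derive the host firewall from the same inventory, so the
# allowlist cannot drift away from the service list it is supposed to mirror.
firewall_rules() {
    ports=$(printf '%s\n' "$EXPECTED_SERVICES" | awk '{ print $1 }' | paste -s -d ',' -)
    printf 'table inet host_fw {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    iif lo accept\n'
    printf '    ct state established,related accept\n'
    printf '    tcp dport { %s } accept\n' "$ports"
    printf '  }\n'
    printf '}\n'
}

# Stand-alone run: report what should not be listening, then show the rule set.
unexpected_listeners | sed 's/^/unexpected listener on port: /'
firewall_rules
```

With the constructed sample, the audit flags port 3306 (a database listener that nobody put in the inventory) and the generated policy admits only 22 and 443. Keeping the inventory as the single source for both the audit and the rule set is what makes the approach scale: a new application or middleware port is a one-line change to the inventory, and the next configuration management run both re-audits the host and regenerates its firewall.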