Re: Rethinking the DMZ

[David Byers <david.byers () LIU SE>]

Whether you have perimeter protection or not does not greatly impact the
need for protection on each host. Chances are pretty good that
eventually something inside your perimeter will become a
malware-infested zombie, attacking anything and everything it can -- and
your typical border firewall will sit there, oblivious. The wider your
perimeter, the more likely this is to happen.

So firewalling at the network level or no, you still need to lock down
the hosts.

Locking down the hosts doesn't necessarily mean deploying a "personal
firewall". It could (and should) first and foremost mean ensuring that
all accessible services are secure, and that only those services that
need to be running, are running. Do that right, and the personal
firewall becomes much simpler.

This can be done with hundreds or thousands of servers. It's not *that*
hard. It helps to have good configuration management tools, and a
reasonable change control process in place. But even without that, it's
doable with a fairly large number of servers (we manage pretty well).

I am, by the way, not a network guru -- I'm first and foremost a
security person. And I think that "defense in depth" are words to live
by in the IT security domain.

-- 
David Byers
Head of Division
Networking, IRT and Telephony
Linköping University
Sweden



On 09/06/2012 07:53 PM, Haines, Ena wrote:
> One can understand why the network gurus say we shouldn't do elaborate
> firewalling at the network level, but rather  close down the hosts. If
> a department has one or two servers, fine, let them be responsible for
> locking it down. If the IT dept has 250 servers managed by 3 or 4
> admins, then what? Are any of your server admin teams happy with a
> system for managing the "personal firewall" on each server? Can you
> set it locally and forget it every time you deploy a new server? Don't
> your port requirements change as ours do when there's an app upgrade
> or a middleware upgrade, etc.?
>
> Some days it seems as though it's really about manageability.
>
> /V. Ena Haines/
> /Director of Information Technology/
> /Teachers College, Columbia University/
> /525 West 120th Street/
> /New York, NY
> 10027/
> /V: 212-678-3486/
> /F: 212-678-3243/
>
>
>
> On Tue, Sep 4, 2012 at 11:48 AM, Deke Kassabian <deke () isc upenn edu
> <mailto:deke () isc upenn edu>> wrote:
>
>     I'm a fan of border firewalls when the border can be drawn around
>     the application servers and the stored data that warrant a serious
>     level of protection that can be defined in terms of allowed
>     protocol set. If you twist my arm, maybe I can also include
>     expected community of users by network address as a poor stand-in
>     for expected community of people, but I'd rather handle that part
>     by strong authentication and additional Identity and Access
>     Management infrastructure.
>
>     I'm less a fan of borders in some other situations, particularly
>     when the idea is to draw it around a large enterprise such as a
>     big university. The conceptual problem I have is that we are
>     seeing huge growth in personally owned high function mobile
>     devices that connect over both enterprise wireless networks and
>     carrier 3G/4G networks. The same user on the same device would be
>     "inside" one moment and "outside" the next, and may spend
>     substantial time on other networks such as home networks or coffee
>     shop networks where they can quickly go from clean to compromised.
>
>     All my instincts tell me that enterprise borders are less helpful,
>     and that I want our focus to be on placing well-designed
>     protection very close to the resources (data, app servers) we want
>     to protect and to treat all else as public and untrusted, even if
>     a device happens to have an IP address at the moment that
>     "belongs" to the University.
>
>     I'm a fan of open networks, closed servers, protected sessions.
>
>
>
>     On 9/4/12 10:50 AM, Julian Y Koh wrote:
>
>         On Aug 30, 2012, at 16:09 , Youngquist, Jason R. wrote:
>
>
>             Given current system requirements and the evolution of
>             security, are the reasons for setting up a DMZ 15 years
>             ago still valid, and is the value of maintaining a DMZ
>             worth the associated costs and if not, what are the
>             alternatives?
>
>
>         We never did a full-blown DMZ.  Firewalls are deployed where
>         needed and/or required, but everything else is just out on
>         public IP space and not firewalled.
>
>         A border firewall of some sorts will likely be in our future,
>         but we will not be doing a complete re-architecture of our
>         network to accommodate it.
>
>
>
>     -- 
>
>     Deke Kassabian,  Senior Technology Director
>     Information Systems and Computing, University of Pennsylvania

Attachment: signature.asc
Description: OpenPGP digital signature