Educause Security Discussion mailing list archives
Re: Rethinking the DMZ
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 6 Sep 2012 14:51:45 -0400
On 9/6/2012 2:24 PM, Mike Caudill wrote:
> Hi Ena,
>
> The problem with the concentric circles approach is that once you get past the firewall, without other layered security protections one "trusted" host can easily attack and infect another "trusted" host. And if you look at the statistics on what AV software is actually able to catch, it does not even come close to being 100% effective. A perimeter firewall can perform some useful functions, but can also introduce problems as well.
That's the classic "onion" model. I prefer the "garlic" model... separate layered cloves of application areas with their own common core, wrapped around a common infrastructure. We do this internally with VRFs (minimizes the collateral damage of a single compromised host to the container).
> All my instincts tell me that enterprise borders are less helpful, and that I want our focus to be on placing well-designed protection very close to the resources (data, app servers) we want to protect and to treat all else as public and untrusted, even if a device happens to have an IP address at the moment that "belongs" to the University.
http://www.internetworldstats.com/stats.htm says the Dec 31 2011 internet user population was 2,267,233,742. Should they all have access to your front door? Can they all try the lock?
I'm a fan of open networks, closed servers, protected sessions.
Using 1918 addresses internally with a default-deny policy eliminates the knocking potential to everything except your static-NAT'ed servers. That's a whale of a risk exposure reduction with a simple perimeter firewall :) Now port-restrict the openings at the perimeter, or as discussed earlier, run the public-facing side through an F5/load-balancer/firewall to get to a further closed back-end for even more reduction. Or join the other lemmings and throw it all up in the cloud and let someone else worry about it :) Just be sure to duck the auditors :)

Jeff
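A small model of the perimeter Jeff describes (RFC 1918 addressing inside, default-deny inbound, a handful of static-NAT'ed servers with port-restricted openings), added here as an editor's example; it is not code from the thread or from any product mentioned in it. The public addresses are RFC 5737 documentation space, and the hosts, mappings and port lists are constructed for illustration:

```python
"""Model of a default-deny perimeter with static NAT and port restrictions.

Editor's example, not from the mailing-list thread. Topology, addresses and
port lists below are constructed; "public" addresses use RFC 5737 space.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 space: an outside host cannot route to these at all, so a "knock"
# on an internal address never reaches the firewall in the first place.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class StaticNat:
    """One static-NAT'ed server: a public address mapped 1:1 to an inside
    host, with the perimeter opened only on the listed TCP ports."""
    public: ipaddress.IPv4Address
    inside: ipaddress.IPv4Address
    open_ports: frozenset


@dataclass(frozen=True)
class Perimeter:
    """Default-deny edge: inbound traffic is accepted only if a static-NAT
    mapping exists for the destination *and* the port is on its list."""
    mappings: tuple

    def inbound(self, dst_ip, dst_port):
        """Verdict for a packet arriving from the Internet.

        Returns (verdict, translated_destination); the destination is a
        (inside_ip, port) tuple when the packet is DNAT'ed, else None.
        """
        dst = ipaddress.ip_address(dst_ip)
        if any(dst in net for net in RFC1918):
            return ("unroutable", None)          # never arrives at the edge
        for m in self.mappings:
            if m.public == dst:
                if dst_port in m.open_ports:
                    return ("dnat", (str(m.inside), dst_port))
                return ("deny-port", None)       # mapping exists, port closed
        return ("deny-default", None)            # no mapping: default deny

    def exposed_endpoints(self):
        """Every (public_ip, port) an arbitrary Internet host can reach: the
        whole remaining 'knocking potential' once the perimeter is in place."""
        return {(str(m.public), p) for m in self.mappings for p in m.open_ports}


def knocking_potential(perimeter, inside_host_count):
    """Compare the reachable (host, TCP port) pairs before and after.

    'before' assumes every inside host is publicly addressed with no edge
    filtering (all 65535 TCP ports knockable); 'after' is what the perimeter
    leaves open.  Constructed comparison, not a measurement.
    """
    before = inside_host_count * 65535
    after = len(perimeter.exposed_endpoints())
    return before, after


# Constructed topology: two static-NAT'ed servers, everything else is 1918-only.
EDGE = Perimeter(mappings=(
    StaticNat(ipaddress.ip_address("198.51.100.10"),
              ipaddress.ip_address("10.0.5.20"), frozenset({80, 443})),
    StaticNat(ipaddress.ip_address("198.51.100.11"),
              ipaddress.ip_address("10.0.5.21"), frozenset({25})),
))

# Constructed inbound probes, as an Internet host would send them.
PROBES = [
    ("198.51.100.10", 443),   # mapped, port open      -> DNAT to the web server
    ("198.51.100.10", 22),    # mapped, SSH not opened -> denied at the edge
    ("198.51.100.12", 80),    # no mapping             -> default deny
    ("10.0.5.30", 445),       # RFC 1918 destination   -> unroutable from outside
]


def run_probes(perimeter=EDGE, probes=PROBES):
    """Evaluate each probe and return the list of (probe, verdict, translation)."""
    return [(p, *perimeter.inbound(*p)) for p in probes]


if __name__ == "__main__":
    for (ip, port), verdict, xlat in run_probes():
        print(f"{ip}:{port:<5} {verdict:<13} {xlat or ''}")
    before, after = knocking_potential(EDGE, inside_host_count=2000)
    print(f"knockable (host, port) pairs: {before} before, {after} after")
```

The point the model makes explicit is that the two mechanisms compound: private addressing removes the internal hosts from the reachable set entirely, and the port list on each static mapping shrinks what remains to a few named services; adding a load balancer or second firewall in front of a closed back-end would be a second `Perimeter` instance with the web tier as its only permitted source.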