Educause Security Discussion mailing list archives

Re: Rethinking the DMZ


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 6 Sep 2012 14:51:45 -0400

On 9/6/2012 2:24 PM, Mike Caudill wrote:
    Hi Ena,

    The problem with the concentric circles approach is that once you get past the
    firewall, without other layered security protections one "trusted" host can easily
    attack and infect another "trusted" host.  And if you look at the statistics on what
    AV software is actually able to catch, it does not even come close to being 100%
    effective.  A perimeter firewall can perform some useful functions, but can also
    introduce problems as well.

That's the classic "onion" model.  I prefer the "garlic" model...  separate layered
cloves of application areas with their own common core, wrapped around a common
infrastructure.  We do this internally with VRFs (minimizes the collateral damage of a
single compromised host to the container).

    All my instincts tell me that enterprise borders are less helpful, and that I want
    our focus to be on placing well-designed protection very close to the resources
    (data, app servers) we want to protect and to treat all else as public and
    untrusted, even if a device happens to have an IP address at the moment that
    "belongs" to the University.


http://www.internetworldstats.com/stats.htm says the Dec 31 2011 internet user
population was 2,267,233,742.  Should they all have access to your front door?  Can they
all try the lock?


    I'm a fan of open networks, closed servers, protected sessions.


Using 1918 addresses internally with a default-deny policy eliminates the knocking
potential to everything except your static-NAT'ed servers.  That's a whale of a risk
exposure reduction with a simple perimeter firewall :)

Now port-restrict the openings at the perimeter, or as discussed earlier, run the
public-facing side through an F5/load-balancer/firewall to get to a further closed
back-end for even more reduction.

Or join the other lemmings and throw it all up in the cloud and let someone else worry
about it :)  Just be sure to duck the auditors :)

Jeff
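As an added illustration of the perimeter arrangement Jeff describes (RFC 1918 space inside, default-deny inbound, a static-NAT'ed server with only the needed ports opened at the perimeter), here is an nftables ruleset. It is example code written for this page, not anything posted in the thread; the interface names wan0/lan0/dmz0, the public address 203.0.113.10 (RFC 5737 documentation range), the server address 10.0.1.10 and the internal range 10.0.0.0/16 are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Assumed topology (not from the thread):
#   wan0 = Internet side, public block includes 203.0.113.10
#   lan0 = internal users, 10.0.0.0/16 (RFC 1918)
#   dmz0 = static-NAT'ed servers, 10.0.1.0/24 (RFC 1918)
flush ruleset

table inet filter {
    chain input {
        # the firewall itself: default deny, only the loopback and return traffic
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
    }

    chain forward {
        # default deny between interfaces; this is what removes the "knocking"
        # potential for every inside host that has no static NAT
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # inside users may initiate outbound sessions
        iifname "lan0" oifname "wan0" accept

        # the one public-facing server: DNAT has already rewritten the
        # destination in prerouting, so filter on the internal address and
        # port-restrict the opening to the two services actually exposed
        iifname "wan0" oifname "dmz0" ip daddr 10.0.1.10 \
            tcp dport { 80, 443 } ct state new accept
    }
}

table ip nat {
    chain prerouting {
        # static (1:1) NAT for the public-facing server
        type nat hook prerouting priority -100;
        iifname "wan0" ip daddr 203.0.113.10 dnat to 10.0.1.10
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        # the server answers from its public address ...
        oifname "wan0" ip saddr 10.0.1.10 snat to 203.0.113.10
        # ... everything else hides behind the firewall's own address
        oifname "wan0" ip saddr 10.0.0.0/16 masquerade
    }
}
```

Load it with `nft -f <file>`. The point worth checking in your own ruleset is that the DNAT rule by itself maps every port of 203.0.113.10 onto the server; it is the `tcp dport { 80, 443 }` rule in the forward chain, together with the chain's `policy drop`, that turns "static NAT" into "two open ports". Any host without a static mapping is simply unreachable from wan0, which is the exposure reduction Jeff is describing.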
