Firewall Wizards mailing list archives

Re: Shared DMZ liability


From: David Collier-Brown <davecb () canada sun com>
Date: Wed, 19 Aug 1998 11:38:00 -0400

Allen Todd wrote:
Currently, we setup a separate DMZ for each external
vendor but we are under management pressure to reduce
costs for a remote office by consolidating multiple
vendors onto a single interface.  I am worried that
the vendors will be able to see each others traffic
on the DMZ and what kind of exposure this would
bring to my company.

        This is a classical problem in higher security
        environments: you have different ``categories''
        of people working with you, probably with
        different ``levels'' of trust.

        This is the problem the ``orange book'' folks
        set out to deal with in the military world,
        with moderate success: my old Multics machine
        actually isolated uncooperative groups without
        making it intrusive (although I discovered later
        that the administration required to do so
        nicely was darn hard!)

        To answer your question literally, the exposure to
        your company is

                Anything you think you've exposed to one
                vendor is really exposed to all,
        and
                Anything one vendor exposes to you, you've
                transitively exposed to all. Without their
                consent.

        If and only if (your security policy is sufficient to
        define the exposure && you and all vendors agree to the
        policy && your implementation is error-free) can
        you say you've not increased your exposure to the 
        upper bound I gave above.

        Personally, I would fear that the lawyer costs
        of getting the second correctness criterion fulfilled
        would exceed the proposed savings by several orders
        of magnitude.  I suspect I could do the third with
        trusted Slolaris/HockyPUckX/whatever, at a cost that
        would be comparable to the savings.  The first criterion
        I won't even speculate on...

Thanks for any input or references,
        
 US Government criteria for email via untrusted third 
parties (i.e., your DMZ (:-))
http://www.l-3com.com/cs-east/programs/infosec/ans/SMGREPORT.html

  The rating process for Trusted systems:
http://www.radium.ncsc.mil/tpep

  The Orange Book itself, in all its obfuscatory glory:
http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html

--dave
-- 
David Collier-Brown,  | Cherish your enemies.  They're harder to
185 Ellerslie Ave.,   | come by than friends and more motivated.
Willowdale, Ontario   | davecb () canada sun com, hobbes.ss.org
N2M 1Y3. 416-223-8968 | http://java.science.yorku.ca/~davecb
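The exposure bound in the post above can be made concrete by treating each DMZ segment as a shared broadcast domain and computing who can observe whom. The following is an added illustration, not code from the original thread or from any of the parties in it; the vendor names, host names and segment layout are constructed for the example. It compares the per-vendor layout the poster has today with the consolidated one under discussion, and includes the audit check a firewall administrator would want: flag any segment that carries more than one external party.

```python
"""Model of DMZ exposure as reachability over shared segments.

A segment is a set of (owner, host) pairs sitting on one interface.  Every host on a
segment can observe every other host's traffic on that segment, so "exposure" of an
owner is simply the set of other owners' hosts that share a segment with it.
All names below are constructed for illustration.
"""

# Constructed topology: one DMZ per vendor (the poster's current setup).
SEPARATE = {
    "dmz-vendorA": [("company", "relay-a"), ("vendorA", "a-gw")],
    "dmz-vendorB": [("company", "relay-b"), ("vendorB", "b-ftp")],
}

# Constructed topology: both vendors consolidated onto a single interface.
CONSOLIDATED = {
    "dmz-shared": [("company", "relay"), ("vendorA", "a-gw"), ("vendorB", "b-ftp")],
}

TRUSTED = "company"  # the party that owns the firewall


def exposure(segments):
    """Return {owner: set of (other_owner, host) that owner can observe}.

    Walks every segment once; an owner sees every host on the segment that is
    not its own.  This is the literal "anything exposed to one is exposed to all"
    statement from the post, computed rather than asserted.
    """
    seen = {}
    for members in segments.values():
        owners = {owner for owner, _ in members}
        for owner in owners:
            visible = seen.setdefault(owner, set())
            for other_owner, host in members:
                if other_owner != owner:
                    visible.add((other_owner, host))
    return seen


def cross_vendor_exposure(segments, trusted=TRUSTED):
    """Return {vendor: set of hosts belonging to *other* vendors that it can see}.

    Only non-empty entries are returned, so an empty dict means no vendor is
    transitively exposed to another through the company's segments.
    """
    result = {}
    for owner, visible in exposure(segments).items():
        if owner == trusted:
            continue
        others = {(o, h) for o, h in visible if o != trusted}
        if others:
            result[owner] = others
    return result


def shared_segments(segments, trusted=TRUSTED):
    """Audit check: names of segments carrying more than one external party.

    Sorted so the result is stable for reporting and testing.
    """
    flagged = []
    for name, members in segments.items():
        external = {owner for owner, _ in members if owner != trusted}
        if len(external) > 1:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for label, topo in (("separate", SEPARATE), ("consolidated", CONSOLIDATED)):
        print(f"--- {label} ---")
        for owner, visible in sorted(exposure(topo).items()):
            print(f"  {owner:8s} sees {sorted(visible)}")
        print("  cross-vendor exposure:", cross_vendor_exposure(topo))
        print("  segments with >1 external party:", shared_segments(topo))
```

Running it shows that in the separate layout each vendor sees only the company host on its own segment, while in the consolidated layout each vendor additionally sees the other vendor's host: exactly the transitive exposure the post describes, and the reason the `shared_segments` check is worth running against any zone map before signing off on the consolidation.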