Firewall Wizards mailing list archives

Re: Shared DMZ liability


From: Bennett Todd <bet () mordor net>
Date: Wed, 19 Aug 1998 11:42:32 -0400

1998-08-18-13:22:05 Allen Todd:
I'm interested in whether anyone has any specific knowledge about corporate
liability resulting from the use of a shared DMZ for external data
providers.

If it's not in the contract, there isn't guaranteed to be such an obligation,
though of course as always anybody can sue for anything.

The data providers I've worked with actually expect you to just hang the
gateway machine[s] right on your main company net with no firewall at all.

Currently, we set up a separate DMZ for each external vendor but we are under
management pressure to reduce costs for a remote office by consolidating
multiple vendors onto a single interface.

I've said it before, I think it's a crying shame you can't configure up a
2500-series with say 16 10baseT ports; for this kind of firewalling, where you
NAT every port, and apply filtering rules that block every protocol except
outbound ssh, it could easily handle the traffic, and that would get the cost
per port right down.

I am worried that the vendors will be able to see each other's traffic on the
DMZ and what kind of exposure this would bring to my company.

I'd also be annoyed at the weakened controls it'd give me.

If forced by circumstance to hang multiple vendors off the same interface, I'd
assign multiple IPs on multiple networks to that interface, and run multiple
networks over the same ether. Not a very tight barrier, but better than
nothing, and it would let you impose router-level access controls.

-Bennett
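The fallback Bennett sketches (several vendor networks carried over one router interface, with router-level access controls) looks roughly like the following IOS fragment. This is an added illustration, not configuration from the original post or from any vendor; the interface name, the two vendor subnets, the company inside network and the "ssh only" policy direction (here: ssh initiated from the company net toward the vendor gateways, with only the return traffic allowed back in) are all assumptions made for the example.

```cisco
! Added example, not from the original post: one router interface carrying
! two vendor subnets as separate logical networks on the same Ethernet.
! All addresses are made up for illustration:
!   192.168.101.0/24  vendor A gateway(s)
!   192.168.102.0/24  vendor B gateway(s)
!   10.1.0.0/16       company inside network
interface Ethernet1
 description shared vendor DMZ - two logical nets on one wire
 ip address 192.168.101.1 255.255.255.0
 ip address 192.168.102.1 255.255.255.0 secondary
 ip access-group 101 in
 ip access-group 102 out
 ! Do not answer ARP or send redirects on behalf of the other subnet;
 ! both would help hosts on the shared wire find each other via the router.
 no ip proxy-arp
 no ip redirects
 no ip directed-broadcast
!
! Inbound from the DMZ toward the router: only replies to ssh sessions the
! company opened to a vendor gateway are accepted (assumption: ssh is
! initiated from inside). Vendor-to-vendor traffic is never routed, and
! everything else is logged and dropped.
access-list 101 permit tcp 192.168.101.0 0.0.0.255 eq 22 10.1.0.0 0.0.255.255 established
access-list 101 permit tcp 192.168.102.0 0.0.0.255 eq 22 10.1.0.0 0.0.255.255 established
access-list 101 deny   ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255 log
access-list 101 deny   ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255 log
access-list 101 deny   ip any any log
!
! Outbound from the router onto the DMZ: only ssh from the inside net to a
! vendor gateway, nothing else.
access-list 102 permit tcp 10.1.0.0 0.0.255.255 192.168.101.0 0.0.0.255 eq 22
access-list 102 permit tcp 10.1.0.0 0.0.255.255 192.168.102.0 0.0.0.255 eq 22
access-list 102 deny   ip any any log
```

The check a practitioner wants here is the one Bennett already hints at with "not a very tight barrier": the secondary addressing separates routing, not the wire. The access lists only govern packets that actually cross the router, so two vendor machines sharing the segment can still see each other's frames and talk directly at layer 2 regardless of what the router permits. The `established` matches are also just a TCP-flag check, not connection tracking. Per-vendor interfaces (or, failing that, separate switch ports with no inter-port forwarding) remain the only arrangement in which the router's policy is the vendors' whole exposure to one another.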


