Firewall Wizards mailing list archives
Re: Shared DMZ liability
From: Bennett Todd <bet () mordor net>
Date: Wed, 19 Aug 1998 11:42:32 -0400
1998-08-18-13:22:05 Allen Todd:
I'm interested in whether anyone has any specific knowledge about corporate liability resulting from the use of a shared DMZ for external data providers.
If it's not in the contract, there isn't guaranteed to be such an obligation, though of course as always anybody can sue for anything. The data providers I've worked with actually expect you to just hang the gateway machine[s] right on your main company net with no firewall at all.
Currently, we set up a separate DMZ for each external vendor but we are under management pressure to reduce costs for a remote office by consolidating multiple vendors onto a single interface.
I've said it before, I think it's a crying shame you can't configure up a 2500-series with say 16 10baseT ports; for this kind of firewalling, where you NAT every port, and apply filtering rules that block every protocol except outbound ssh, it could easily handle the traffic, and that would get the cost per port right down.
I am worried that the vendors will be able to see each other's traffic on the DMZ and what kind of exposure this would bring to my company.
I'd also be annoyed at the weakened controls it'd give me. If forced by circumstance to hang multiple vendors off the same interface, I'd assign multiple IPs on multiple networks to that interface, and run multiple networks over the same ether. Not a very tight barrier, but better than nothing, and it would let you impose router-level access controls.
-Bennett