Firewall Wizards mailing list archives
Re: Shared DMZ liability
From: Frank Willoughby <frankw () in net>
Date: Thu, 20 Aug 1998 17:02:14 -0500
My mailer claims that at 05:03 AM 8/20/98 -1000, James Wilson allegedly wrote:
> Do you have enough real addresses to set them up on separate subnets
> and enable split horizon? Would that be enough to separate them from
> each other?
Not for me. I would use NAT (to hide the addresses) in addition to other security measures (which will be described shortly). It is important to note that just separating each entity by solving the address issues won't solve the security problems.

IMO, the core problems to be solved are:

o preventing unauthorized connections from one entity from getting to the other, AND
o protecting each entity from the other entities.

As a suggestion, I would recommend that you put in a decent firewall (of which so few are really adequate enough to protect against the really serious attackers) which:

o can isolate each entity's network from the others' networks
o can hide the addresses using NAT (since you probably don't want each entity to know who the other entities are)
o can rewrite the mail headers (for the same reasons)
o is an application gateway (and as such, it should use proxies which are application-aware)

I do not consider relying *only* on packet-filtering, stateful inspection, "cut-through proxies" (or other "proxies" which aren't app-aware) adequate for this type of protection.

NOTE: Not all "proxies" are created equal. Some vendors have taken great liberties with their creative use of the words "proxy", "firewall", and "VPN". IMHO, if the "proxy" has no application-level awareness, I wouldn't consider the firewall adequate enough for the job. As always, YMMV.

I would hope that all appropriate legal documents (Non-Disclosure Agreements and Liability Release Statements) have been signed before this project was implemented.

Also, each entity should be informed and made fully aware of the fact that the security you provide should be *IN-ADDITION-TO* each entity's own existing security measures (firewalls, et al.) and not a substitute for their security.
Further, they should be informed/reminded that they need to take appropriate precautions which would prevent anyone at your organization/networks from accessing *their* systems and networks, and that your organization will assume no responsibility or liability (via the Liability Release Statement) for their lack of attention to performing "due diligence" in securing their own electronic connections.

FWIW, in providing connections which are shared by multiple entities, I believe that one also has a moral (and legal) obligation to protect each entity from the others passing through your network (DMZ or otherwise). The above solution fulfills these considerations. (As always, for legal advice, seek the advice of your corporate attorneys, not the Internet.) 8^)

8< [snip]

Best Regards,

Frank

The opinions of the author of this mail may not necessarily be representative of the opinions of Fortified Networks, Inc.

(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Fixed Price Contracts - Expert Information Security Officers
Phone: (317) 573-0800  Fax: (317) 573-0817
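The isolation-plus-NAT-plus-proxy design Frank describes above, expressed as an nftables ruleset. This is an added example for this archive page, not code from Frank's post or from Fortified Networks; the tenant networks (10.10.1.0/24 through 10.10.3.0/24), the interface names (dmz-a, dmz-b, dmz-c, mgmt, outside) and the proxy ports (25 for an SMTP relay, 3128 for an HTTP proxy) are all assumptions chosen for illustration. The idea is that nothing is ever forwarded between tenant networks or from a tenant to the Internet; tenants can only reach application proxies running on the gateway itself, and the proxies re-originate traffic outbound, so the outside (and the other tenants) never see a tenant's addresses.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original post). Shared-DMZ gateway policy:
# three tenant networks, each on its own interface, isolated from one
# another, with the gateway's application proxies as the only exit path.
# Addresses, interface names and ports below are assumptions.

flush ruleset

define NET_A = 10.10.1.0/24        # tenant A (assumed)
define NET_B = 10.10.2.0/24        # tenant B (assumed)
define NET_C = 10.10.3.0/24        # tenant C (assumed)
define PROXY_PORTS = { 25, 3128 }  # SMTP relay and HTTP proxy listening on the gateway (assumed)

table inet shared_dmz {
    set tenant_nets {
        type ipv4_addr
        flags interval
        elements = { $NET_A, $NET_B, $NET_C }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Tenants may talk to the gateway only on the application-proxy ports.
        # Anything else aimed at the gateway (SSH, SNMP, the proxy admin
        # interface, ...) is dropped by the chain policy.
        iifname { "dmz-a", "dmz-b", "dmz-c" } ip saddr @tenant_nets \
            tcp dport $PROXY_PORTS accept

        # Gateway administration only from the operator's management network.
        iifname "mgmt" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Nothing is routed between tenants, and nothing is routed from a
        # tenant straight to the outside: the proxies re-originate traffic.
        # Tenant-to-tenant attempts are logged separately so crossover
        # attempts are visible in the audit trail.
        ip saddr @tenant_nets ip daddr @tenant_nets \
            log prefix "tenant-crossover: " drop
        log prefix "forward-denied: " drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat;

        # Belt and braces: anything that does leave via the outside
        # interface carries the gateway's own address, never a tenant range.
        oifname "outside" masquerade
    }
}
```

Load it with `nft -c -f shared-dmz.nft` first (syntax check only), then `nft -f shared-dmz.nft`. Two caveats a practitioner would add: the ruleset only guarantees that the proxies are the sole path between networks, so the proxies themselves must enforce which tenant may reach which destination (and, for the mail relay, rewrite the headers Frank mentions); and `policy drop` on the input chain means the gateway's own services are reachable only where a rule says so, so test management access before applying it on a remote box.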
Current thread:
- Shared DMZ liability Allen Todd (Aug 19)
- Re: Shared DMZ liability Bennett Todd (Aug 19)
- Re: Shared DMZ liability David Collier-Brown (Aug 19)
- Re: Shared DMZ liability Frank Willoughby (Aug 19)
- Re: Shared DMZ liability Rick Smith (Aug 23)
- <Possible follow-ups>
- Re: Shared DMZ liability James Wilson (Aug 23)
- Re: Shared DMZ liability Frank Willoughby (Aug 23)
- Re[2]: Shared DMZ liability Steve . Bleazard (Aug 25)
- Re: Re[2]: Shared DMZ liability Chad Schieken (Aug 25)
- Re[4]: Shared DMZ liability Steve . Bleazard (Aug 26)