Firewall Wizards mailing list archives

Re: Shared DMZ liability


From: Frank Willoughby <frankw () in net>
Date: Thu, 20 Aug 1998 17:02:14 -0500

My mailer claims that at 05:03 AM 8/20/98 -1000, James Wilson allegedly wrote:

> Do you have enough real addresses to set them up on separate subnets
> and enable split horizon?  Would that be enough to separate them
> from each other?

Not for me.  I would use NAT (to hide the addresses) in addition 
to other security measures (which will be described shortly).  
It is important to note that just separating each entity by solving 
the address issues won't solve the security problems.

IMO, the core problems to be solved are:

o  preventing unauthorized connections from one entity from 
    getting to the other 
        AND 
o  protecting each entity from the other entities.  

As a suggestion, I would recommend that you put in a decent 
firewall (of which so few are really adequate enough to 
protect against the really serious attackers) which:

o  can isolate each entity's network from the other's networks
o  can hide the addresses using NAT (since you probably don't 
    want each entity to know who the other entities are)
o  can rewrite the mail headers (for the same reasons)
o  is an application gateway (and as such, it should use proxies
    which are application-aware)

I do not consider relying *only* on packet-filtering, stateful 
inspection, "cut-through proxies" (or other "proxies" which 
aren't app-aware) adequate for this type of protection.

NOTE: Not all "proxies" are created equally.  Some vendors have
       taken great liberties with their creative use of the words
       "proxy", "firewall", and "VPN".  IMHO, if the "proxy" has 
       no application-level awareness - I wouldn't consider the 
       firewall adequate enough for the job.  As always, YMMV.

I would hope that all appropriate legal documents (Non-Disclosure 
Agreements, and Liability Release Statements) have been signed 
before this project was implemented.  

Also, each entity should be informed and made fully aware of 
the fact that the security you provide should be *IN-ADDITION-TO* 
each entity's own existing security measures (firewalls, et al) - 
and not a substitute for their security.  

Further, they should be informed/reminded that they need to 
take appropriate precautions which would prevent anyone at 
your organization/networks from accessing *their* systems 
and networks and that your organization will assume no 
responsibility or liability (via the Liability Release 
Statement) for their lack of attention to performing 
"due diligence" in securing their own electronic connections.

FWIW, in providing connections which are shared by multiple 
entities, I believe that one also has a moral (and legal) 
obligation to protect each entity from the others passing 
through your network (DMZ or otherwise).  The above solution 
fulfills these considerations.  (As always, for legal advice, 
seek the advice of your corporate attorneys - not the Internet).  8^)

8< [snip]

Best Regards,


Frank
The opinions of the author of this mail may not necessarily be 
representative of the opinions of Fortified Networks, Inc.

(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Fixed Price Contracts - Expert Information Security Officers
Phone: (317) 573-0800     Fax: (317) 573-0817
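As an added illustration (not code from Frank's post or from Fortified Networks), the first two requirements in his list, isolating each entity's segment and hiding its addresses with NAT, expressed as a modern nftables ruleset for a shared DMZ carrying three unrelated entities. The interface names, the 10.10.x.0/24 entity ranges and the 203.0.113.x public addresses are assumptions; the application-proxy and mail-header requirements are not covered here.

```nft
# Added example: shared-DMZ isolation plus per-entity NAT. Interface names
# and address ranges are assumptions; adjust them to the real layout.
define ext_if  = "eth0"                   # uplink to the Internet
define dmz_ifs = { "eth1", "eth2", "eth3" } # one segment per entity
define ent_a   = 10.10.1.0/24             # entity A behind eth1
define ent_b   = 10.10.2.0/24             # entity B behind eth2
define ent_c   = 10.10.3.0/24             # entity C behind eth3

table inet shared_dmz {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Entity-to-entity traffic is never forwarded, whatever the port.
        # Logging the attempt leaves an audit trail of who tried to reach whom.
        iifname $dmz_ifs oifname $dmz_ifs log prefix "dmz-cross-entity: " drop

        # Each entity may reach only the uplink, and only from its own assigned
        # range, so a host cannot borrow another entity's addresses.
        iifname "eth1" ip saddr $ent_a oifname $ext_if accept
        iifname "eth2" ip saddr $ent_b oifname $ext_if accept
        iifname "eth3" ip saddr $ent_c oifname $ext_if accept

        # Everything else (spoofed sources, unknown segments) is logged and
        # falls to the drop policy.
        log prefix "dmz-forward-drop: " drop
    }
}

table ip shared_dmz_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # A distinct public address per entity hides the internal ranges from
        # the outside world and from the other entities sharing the DMZ.
        oifname $ext_if ip saddr $ent_a snat to 203.0.113.11
        oifname $ext_if ip saddr $ent_b snat to 203.0.113.12
        oifname $ext_if ip saddr $ent_c snat to 203.0.113.13
    }
}
```

Load it with `nft -f` and watch the two log prefixes: any "dmz-cross-entity" entry is exactly the kind of inter-entity connection attempt the post says the firewall must stop.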