Firewall Wizards mailing list archives
Re: Properly separating trust domains
From: Adam Shostack <adam () homeport org>
Date: Tue, 21 Mar 2000 11:29:45 -0500
On Thu, Mar 16, 2000 at 09:45:20PM -0800, Bill Stout wrote:
| What is the best practice to separate networks based on trust level?
|
| Say for example you have a large pool of webservers on the DMZ. You
| then want to connect those to a pool of application servers on a
| back-end network. Can you then: I'net---FW---www----apps, or do you
| have to I'net----FW---www---FW---apps?

It depends how much you trust the web servers, and how tightly administered they will be. If the web servers will be regularly audited, upgraded, and checked for goodness, you may not have compelling reason to firewall behind them.

On the other hand, if you expect that security management may take a back seat to availability, performance, and other things, putting a basic packet filter behind them that only allows them to talk to the expected partners won't hurt. It also offers a nice, easy, cheap fail-safe and/or intrusion detection mechanism. ("Gosh, why is the web server ping-mapping our internal network?")

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
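The "basic packet filter behind the web tier that only allows the expected partners, and logs everything else" that Adam describes can be modelled in a few lines. The following is an added example, not code from the thread or from any of its participants; it simulates a default-deny filter sitting between the www and apps segments and shows how the same rule set doubles as a detector when a web server starts probing the internal network. All addresses, ports and packets are constructed for illustration.

```python
"""Model of a default-deny filter between a web tier and an application tier.

Added example (not from the mailing-list thread). Addressing is constructed:
  WEB_NET      - the DMZ web servers
  APP_NET      - the back-end application servers (the only expected partner)
  INTERNAL_NET - corporate network that web servers have no reason to reach
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

WEB_NET = "192.0.2.0/24"        # constructed
APP_NET = "198.51.100.0/24"     # constructed
INTERNAL_NET = "10.0.0.0/8"     # constructed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None # None for protocols without ports (icmp)


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str                  # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]        # None matches any port
    action: str                 # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


# The "expected partners" policy: web servers may reach the app tier on its
# service port and nothing else. There is deliberately no rule for INTERNAL_NET,
# so traffic there falls through to the default deny and is logged.
RULES: List[Rule] = [
    Rule(WEB_NET, APP_NET, "tcp", 8080, "allow"),  # app service port, constructed
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """First-match evaluation with an implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def run_filter(packets: List[Packet], rules: List[Rule] = RULES) -> Tuple[List[str], List[str]]:
    """Return (decisions, alerts). Every denied packet becomes an alert line,
    which is the cheap intrusion-detection side effect of the filter."""
    decisions, alerts = [], []
    for pkt in packets:
        action = evaluate(pkt, rules)
        decisions.append(action)
        if action == "deny":
            port = f":{pkt.dport}" if pkt.dport is not None else ""
            alerts.append(f"DENY {pkt.proto} {pkt.src} -> {pkt.dst}{port}")
    return decisions, alerts


def noisy_sources(packets: List[Packet], rules: List[Rule] = RULES, threshold: int = 2) -> List[str]:
    """Web servers whose denied-packet count reaches the threshold: the
    "why is the web server ping-mapping our internal network?" signal."""
    denied = Counter(p.src for p in packets if evaluate(p, rules) == "deny")
    return sorted(src for src, n in denied.items() if n >= threshold)


# Constructed sample traffic: one legitimate flow, then a web server that has
# started sweeping the internal network with ICMP.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", "tcp", 8080),   # expected: allow
    Packet("192.0.2.10", "198.51.100.5", "tcp", 22),     # wrong port: deny
    Packet("192.0.2.10", "10.1.1.1", "icmp"),            # internal sweep: deny
    Packet("192.0.2.10", "10.1.1.2", "icmp"),            # internal sweep: deny
    Packet("192.0.2.11", "198.51.100.6", "tcp", 8080),   # expected: allow
]

if __name__ == "__main__":
    decisions, alerts = run_filter(SAMPLE)
    print(decisions)
    print("\n".join(alerts))
    print("sources to investigate:", noisy_sources(SAMPLE))
```

The point of the model is the shape of the policy rather than any particular firewall syntax: an explicit allow for the one expected partner, nothing else, and the deny log fed to whoever watches for intrusions. A web server that appears in `noisy_sources` has either been misconfigured or is no longer under the administrator's control, which is exactly the case Adam's "security management may take a back seat" caveat is about.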
Current thread:
- Q: Properly separating trust domains Bill Stout (Mar 17)
- Re: Properly separating trust domains Adam Shostack (Mar 21)
- Re: Q: Properly separating trust domains woody weaver (Mar 21)
- <Possible follow-ups>
- RE: Q: Properly separating trust domains Carl Friedberg (Mar 21)
- RE: Q: Properly separating trust domains Linder, Daniel G. (Mar 21)