Firewall Wizards mailing list archives

Re: Properly separating trust domains


From: Adam Shostack <adam () homeport org>
Date: Tue, 21 Mar 2000 11:29:45 -0500

On Thu, Mar 16, 2000 at 09:45:20PM -0800, Bill Stout wrote:
| What is the best practice to separate networks based on trust level?
| 
| Say for example you have a large pool of webservers on the DMZ.  You
| then want to connect those to a pool of application servers on a
| back-end network.  Can you then: I'net---FW---www----apps, or do you
| have to I'net----FW---www---FW---apps? 

It depends how much you trust the web servers, and how tightly
administered they will be.

If the web servers will be regularly audited, upgraded, and checked
for goodness, you may not have compelling reason to firewall behind
them.

On the other hand, if you expect that security management may take a
back seat to availability, performance, and other things, putting 
a basic packet filter behind them that only allows them to talk to the 
expected partners won't hurt.  It also offers a nice, easy, cheap
fail-safe and/or intrusion detection mechanism.  ("Gosh, why is the
web server ping-mapping our internal network?")

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
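To make the "basic packet filter behind the web servers that only allows them to talk to expected partners" concrete, here is an added example (not from the post or the list): a default-deny policy check for DMZ-to-back-end flows, plus the cheap detection the reply alludes to, flagging a web server that probes many back-end hosts it has no business reaching. The addresses, ports and sample flows are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): web servers on the DMZ, application
# servers on a back-end network, with a packet filter between them.
DMZ_WEB = ip_network("192.0.2.0/24")
BACKEND = ip_network("10.0.0.0/8")
APP_POOL = ip_network("10.10.0.0/24")

# Allow-list of expected partners: (src net, dst net, proto, dst port or None=any).
POLICY = [
    (DMZ_WEB, APP_POOL, "tcp", 8080),
]

def allowed(src, dst, proto, dport=None):
    """True only if some policy entry matches; everything else is denied."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in sn and d in dn and proto == p and (dp is None or dport == dp)
               for sn, dn, p, dp in POLICY)

def filter_flows(flows):
    """Apply the default-deny policy; return (permitted, denied) flow lists."""
    permitted, denied = [], []
    for f in flows:
        (permitted if allowed(*f) else denied).append(f)
    return permitted, denied

def sweep_sources(denied, threshold=3):
    """Flag DMZ hosts whose denied traffic touched >= threshold distinct back-end hosts
    (the 'why is the web server ping-mapping our internal network?' signal)."""
    targets = defaultdict(set)
    for src, dst, proto, _ in denied:
        if ip_address(src) in DMZ_WEB and ip_address(dst) in BACKEND:
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}

# Constructed sample flows: (src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("192.0.2.10", "10.10.0.5", "tcp", 8080),   # expected web -> app traffic
    ("192.0.2.10", "10.10.0.6", "tcp", 8080),   # expected web -> app traffic
    ("192.0.2.11", "10.0.1.1", "icmp", None),   # web server pinging internal hosts
    ("192.0.2.11", "10.0.1.2", "icmp", None),
    ("192.0.2.11", "10.0.1.3", "icmp", None),
    ("192.0.2.11", "10.20.0.9", "tcp", 445),    # unexpected partner and port
    ("192.0.2.10", "10.10.0.5", "tcp", 22),     # right host, unexpected port
]

if __name__ == "__main__":
    ok, dropped = filter_flows(SAMPLE_FLOWS)
    print(f"permitted={len(ok)} denied={len(dropped)}")
    for src, hosts in sweep_sources(dropped).items():
        print(f"ALERT {src} probed {len(hosts)} back-end hosts: {hosts}")
```

In practice the denied flows come from the filter's own log rather than a list, but the shape of the check is the same.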



