Firewall Wizards mailing list archives

Re: segmentation of DMZs


From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 14 Nov 2002 08:23:39 -0500 (EST)

On Thu, 14 Nov 2002, Shimon Silberschlag wrote:

> either "protected ports" if layer 2 or ACLs if layer 3. Now, some
> folks here offer to further segment the infrastructure by having
> separate physical segments for presentation servers (WWW) that provide
> authenticated services (and hence have as audience a small subset of
> the internet crowd but do provide much more sensitive information) and
> those that are not authenticated (thus can serve the entire internet
> population). They also would like to break the database segment to 2
> sub-segments for "sensitive" databases and those that are "not so
> sensitive".
>
> I would like to enquire if anyone in the group either implemented such
> a design or supports it, and what are the reasons for doing so. If you
> think this is an overkill, pls do specify why.

I've always tried to segment traffic for the world at large from traffic
destined for smaller populations. Wherever I can, I've included physical
separation in that plan.

I've done it for Web servers, most of the rationale being (a) physical
separation wins, (b) if the infrastructure is similar, I'd prefer that the
more private machines not be found too easily (SBO, but helps when
someone's googling for victims), (c) I could have a separate
administrative staff for sensitive things if it became necessary, (d) my
disaster plan for equipment failure could include limping along with
everything on the same switch if completely necessary, and (e) I could
enforce much more stringent security policies on private or semi-private
systems if necessary.

I like to also use different address ranges: if you're using post-CIDR
addresses, snarf address space from both providers, make them accept
traffic for each other's ranges, and put the public stuff up on one set,
and the private stuff up on the other. If you use separate ASes and do
some cross-pollination with multiple addresses for critical stuff for
emergency use, you can pretty much withstand any single-provider issue
(assuming you have a robust multiple-provider infrastructure). There's
some "fun with DNS" stuff you can play with in there, but I'll spare
everyone DNS gymnastics stories, since this is way outside the original
question.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
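The segmentation design discussed in this thread (a public web tier, an authenticated web tier, a general database segment and a sensitive database segment, each on its own address range) can be checked mechanically before the ACLs are committed. The script below is an added example and is not code from the post or from the list; the segment names, prefixes, ports and permitted flows are all constructed assumptions. It verifies that segment prefixes do not overlap, that no permitted flow crosses a pair the design forbids, and that the sensitive database is reachable from the Internet only by way of the authenticated web tier.

```python
"""Segmentation policy check for a split DMZ (constructed example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from itertools import combinations

# Address plan, one prefix per segment (assumed values; the two web tiers
# take space from two different providers, as the post suggests).
SEGMENTS = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "web-public": ipaddress.ip_network("192.0.2.0/26"),     # provider A (assumed)
    "web-auth": ipaddress.ip_network("198.51.100.0/26"),    # provider B (assumed)
    "db-general": ipaddress.ip_network("10.10.1.0/24"),
    "db-sensitive": ipaddress.ip_network("10.10.2.0/24"),
}


@dataclass(frozen=True)
class Flow:
    """One permitted src-segment -> dst-segment flow on a TCP port."""
    src: str
    dst: str
    port: int


# Permitted flows, as a layer-3 ACL between segments would state them (assumed).
POLICY = [
    Flow("internet", "web-public", 80),
    Flow("internet", "web-public", 443),
    Flow("internet", "web-auth", 443),
    Flow("web-public", "db-general", 3306),
    Flow("web-auth", "db-sensitive", 5432),
]

# Segment pairs the design forbids regardless of port.
FORBIDDEN_PAIRS = {
    ("internet", "db-general"),
    ("internet", "db-sensitive"),
    ("web-public", "db-sensitive"),
    ("web-public", "web-auth"),
    ("web-auth", "web-public"),
}


def check_address_plan(segments: dict) -> list[str]:
    """Report any two non-Internet segments whose prefixes overlap."""
    named = [(n, p) for n, p in segments.items() if n != "internet"]
    return [f"{a} ({pa}) overlaps {b} ({pb})"
            for (a, pa), (b, pb) in combinations(named, 2) if pa.overlaps(pb)]


def check_policy(policy: list, forbidden: set) -> list[str]:
    """Report permitted flows that cross a forbidden segment pair."""
    return [f"{f.src} -> {f.dst}:{f.port} is forbidden"
            for f in policy if (f.src, f.dst) in forbidden]


def classify(address: str, segments: dict = SEGMENTS) -> str:
    """Map an address to its most specific segment (Internet is the catch-all)."""
    ip = ipaddress.ip_address(address)
    matches = [(p.prefixlen, n) for n, p in segments.items() if ip in p]
    return max(matches)[1]


def all_paths(policy: list, src: str, dst: str) -> list[list[str]]:
    """Every simple path from src to dst along permitted flows."""
    adj: dict[str, set[str]] = {}
    for f in policy:
        adj.setdefault(f.src, set()).add(f.dst)
    paths: list[list[str]] = []

    def walk(node: str, seen: list[str]) -> None:
        if node == dst:
            paths.append(list(seen))
            return
        for nxt in sorted(adj.get(node, ())):
            if nxt not in seen:
                walk(nxt, seen + [nxt])

    walk(src, [src])
    return paths


def audit(policy=POLICY, segments=SEGMENTS, forbidden=FORBIDDEN_PAIRS) -> list[str]:
    """Run every check; an empty list means the design holds."""
    findings = check_address_plan(segments) + check_policy(policy, forbidden)
    for path in all_paths(policy, "internet", "db-sensitive"):
        # The sensitive DB may only be reached through the authenticated tier.
        if "web-auth" not in path or "web-public" in path:
            findings.append("sensitive DB reachable outside the authenticated tier: "
                            + " -> ".join(path))
    return findings


if __name__ == "__main__":
    for line in audit() or ["policy consistent with segmentation design"]:
        print(line)
```

Adding a single stray rule such as `Flow("web-public", "db-sensitive", 5432)` to `POLICY` makes both `check_policy` and the path check in `audit` report it, which is the kind of drift the physical separation in the post is meant to make hard to introduce by accident.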
