Firewall Wizards mailing list archives
Re: segmentation of DMZs
From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 14 Nov 2002 08:23:39 -0500 (EST)
On Thu, 14 Nov 2002, Shimon Silberschlag wrote:
> either "protected ports" if layer 2 or ACLs if layer 3. Now, some folks here offer to further segment the infrastructure by having separate physical segments for presentation servers (WWW) that provide authenticated services (and hence have as audience a small subset of the internet crowd but do provide much more sensitive information) and those that are not authenticated (thus can serve the entire internet population). They also would like to break the database segment into 2 sub-segments for "sensitive" databases and those that are "not so sensitive". I would like to enquire if anyone in the group either implemented such a design or supports it, and what the reasons for doing so are. If you think this is overkill, please do specify why.
I've always tried to segment traffic for the world at large from traffic destined for smaller populations. Wherever I can, I've included physical separation in that plan. I've done it for Web servers, most of the rationale being (a) physical separation wins, (b) if the infrastructure is similar, I'd prefer that the more private machines not be found too easily (SBO, but helps when someone's googling for victims,) (c) I could have a separate administrative staff for sensitive things if it became necessary, (d) my disaster plan for equipment failure could include limping along with everything on the same switch if completely necessary, and (e) I could enforce much more stringent security policies on private or semi-private systems if necessary.

I like to also use different address ranges- if you're using post-CIDR addresses, snarf address space from both providers, make them accept traffic for each other's ranges, and put the public stuff up on one set, and the private stuff up on the other. If you use separate ASes and do some cross-pollination with multiple addresses for critical stuff for emergency use, you can pretty much withstand any single-provider issue (assuming you have a robust multiple-provider infrastructure.)

There's some "fun with DNS" stuff you can play with in there, but I'll spare everyone DNS gymnastics stories, since this is way outside the original question.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment
TruSecure Corporation
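As an added illustration of the four-segment design discussed in this thread (not code from either poster), the following models a default-deny policy between a public WWW tier, an authenticated WWW tier, and "sensitive" / "not so sensitive" database tiers, and renders the allow list as nftables rules. The segment address ranges, the database port and the permitted flows are constructed assumptions for the example.

```python
"""Added example: default-deny segmentation policy for a split DMZ.
Segment ranges, port numbers and allowed flows are constructed, not
taken from the original mailing-list thread."""
import ipaddress
from typing import NamedTuple, Optional

# Constructed segment ranges: two web tiers and two database tiers.
SEGMENTS = {
    "web_public": ipaddress.ip_network("192.0.2.0/26"),
    "web_auth": ipaddress.ip_network("192.0.2.64/26"),
    "db_nonsensitive": ipaddress.ip_network("10.10.1.0/24"),
    "db_sensitive": ipaddress.ip_network("10.10.2.0/24"),
}

class Flow(NamedTuple):
    src: str   # source segment name
    dst: str   # destination segment name
    port: int  # TCP destination port

# The only inter-segment flows permitted: each web tier may reach the
# database tier of matching sensitivity. Everything else is denied.
ALLOWED = {
    Flow("web_public", "db_nonsensitive", 5432),
    Flow("web_auth", "db_sensitive", 5432),
}

def segment_of(ip: str) -> Optional[str]:
    """Return the segment name containing ip, or None if it is outside the DMZ."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Default deny: a flow passes only if both ends map to segments and
    the (src, dst, port) triple is on the allow list."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown addresses never match an allow rule
    return Flow(src, dst, port) in ALLOWED

def nft_rules() -> list:
    """Render the allow list as nftables filter rules; the chain is assumed
    to carry 'policy drop' so unlisted traffic is discarded."""
    return [
        f"ip saddr {SEGMENTS[f.src]} ip daddr {SEGMENTS[f.dst]} "
        f"tcp dport {f.port} accept"
        for f in sorted(ALLOWED)
    ]
```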
Current thread:
- Mainframes on the Net? Don Kendrick (Nov 13)
- Re: Mainframes on the Net? Paul Robertson (Nov 13)
- Re: Mainframes on the Net? Barney Wolff (Nov 13)
- segmentation of DMZs Shimon Silberschlag (Nov 14)
- Re: segmentation of DMZs Paul D. Robertson (Nov 14)
- Re: segmentation of DMZs Carson Gaspar (Nov 14)
- Re: segmentation of DMZs Mikael Olsson (Nov 16)
- Re: segmentation of DMZs Carson Gaspar (Nov 17)
- Re: segmentation of DMZs Miles Sabin (Nov 15)
- RE: segmentation of DMZs Ofir Arkin (Nov 18)
- Re: Mainframes on the Net? Paul Robertson (Nov 13)
- Re: Mainframes on the Net? Lorens Kockum (Nov 14)
- <Possible follow-ups>
- RE: Mainframes on the Net? Scott, Richard (Nov 13)
- RE: Mainframes on the Net? Noonan, Wesley (Nov 13)
- RE: Mainframes on the Net? Desai, Ashish (Nov 14)