Firewall Wizards mailing list archives

RE: segmentation of DMZs


From: "Ofir Arkin" <ofir () sys-security com>
Date: Mon, 18 Nov 2002 17:36:13 +0200

Shimon,

The answer to your question varies from one security architect to
another. 

When you design a new system you need to ask yourself several questions.
The answers to these questions will help you classify the type of system
and information served. Some of the questions might be:

- What are the different parts of the application?
- How do they interact?
- What is the type of information that the system will serve? 
- How do you classify the information? 
- Is it confidential, secret, or open to all? 
- Will authentication be required from users? 
- Do you have different types of users for the application with
different access levels? 
- Etc.

If your application is a Banking application, for example, there is no
need to host all types of users on the same system since the content
served has different confidentiality levels ranging from free to
classified. If you put all your eggs in one system anybody from the
Internet will be able to try to compromise your front-end web server. If
you require authentication and provide access only to registered users,
in most cases you will be able to reduce the number of possible attacks
on the front-end server. If the free content will be served off a
different web server which will be physically separated from the web
server serving confidential content, any compromise to that server will
not be a potential risk to the web server serving the confidential
content. 

There is no "one size fits all" model in computer security, and there
are no magical solutions - just remember that one application will
always be different from another.


Enjoy,
Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Shimon
Silberschlag
Sent: Thursday, November 14, 2002 12:35 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] segmentation of DMZs

As a spin-off for the thread "Flat vs. Segmented DMZ's", I would like
to ask the group if they support/oppose segmenting even segments
conducting the same work to sub-segments.

Let's say we have a hypothetical internet infrastructure composed of 3
different segments: presentation, business logic and databases. The
inter-segment traffic is controlled using switch level protection -
either "protected ports" if layer 2 or ACLs if layer 3. Now, some
folks here offer to further segment the infrastructure by having
separate physical segments for presentation servers (WWW) that provide
authenticated services (and hence have as audience a small subset of
the internet crowd but do provide much more sensitive information) and
those that are not authenticated (thus can serve the entire internet
population). They also would like to break the database segment into 2
sub-segments for "sensitive" databases and those that are "not so
sensitive".

I would like to enquire if anyone in the group either implemented such
a design or supports it, and what are the reasons for doing so. If you
think this is overkill, please do specify why.

Shimon Silberschlag

+972-3-9352785
+972-51-207130

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


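The flow control between segments that Shimon describes, and the separation of anonymous from authenticated servers that Ofir recommends, can be reasoned about with a small reachability model. The following is an added example and is not code from either poster; the segment names, port numbers and rule sets are constructed to illustrate the two designs, not a real site's policy.

```python
"""
Reachability model of the DMZ designs discussed in this thread. Added
example, not code from either poster; the segment names, port numbers and
rule sets are constructed to illustrate the design, not a real site's policy.
"""
from collections import deque
from typing import FrozenSet, Set, Tuple

# A permitted flow: (source segment, destination segment, TCP port).
# The switch ACLs or protected ports in the question are modelled as a
# default-deny list of such flows.
Flow = Tuple[str, str, int]

# The three-tier layout from the question: one presentation, one logic and
# one database segment. Constructed rule set.
FLAT_RULES: FrozenSet[Flow] = frozenset({
    ("internet", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
})

# The proposed sub-segmentation: anonymous and authenticated web servers on
# separate segments, sensitive and non-sensitive databases on separate
# segments. Only the authenticated path has a rule towards the sensitive
# database. Constructed rule set.
SEGMENTED_RULES: FrozenSet[Flow] = frozenset({
    ("internet", "web-anon", 443),
    ("internet", "web-auth", 443),
    ("web-anon", "app-public", 8443),
    ("web-auth", "app-private", 8443),
    ("app-public", "db-public", 5432),
    ("app-private", "db-public", 5432),
    ("app-private", "db-sensitive", 5432),
})


def allowed(rules: FrozenSet[Flow], src: str, dst: str, port: int) -> bool:
    """Default deny: a flow passes only if an explicit rule matches it."""
    return (src, dst, port) in rules


def reachable(rules: FrozenSet[Flow], start: str) -> Set[str]:
    """Segments that a compromise of `start` could connect to, following
    permitted flows transitively. This is the worst-case assumption that each
    host reached can in turn be compromised, i.e. the blast radius of `start`."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for src, dst, _port in rules:
            if src == current and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def exposed_protected_segments(rules: FrozenSet[Flow], entry: str,
                               protected: Set[str]) -> Set[str]:
    """Protected segments that a compromise of `entry` could reach.
    An empty result means the segmentation contains that compromise."""
    return reachable(rules, entry) & protected


if __name__ == "__main__":
    # Flat design: the single database segment holds both kinds of data, so
    # the public web server has a path to all of it.
    print("flat, from web:", sorted(reachable(FLAT_RULES, "web")))
    # Segmented design: the anonymous web server never reaches db-sensitive.
    print("segmented, from web-anon:",
          sorted(reachable(SEGMENTED_RULES, "web-anon")))
    print("sensitive data exposed via web-anon:",
          exposed_protected_segments(SEGMENTED_RULES, "web-anon",
                                     {"db-sensitive"}))
```

The model treats each rule as one-way connection initiation and ignores return traffic, which a stateful device handles; it also says nothing about whether the split is worth the extra hardware, which is the judgement call the thread is about. What it does make explicit is the property the sub-segmentation buys: with the flat rules, the internet-facing web segment transitively reaches the only database segment, while with the split rules the anonymous web segment has no path to the sensitive database at all.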

