Firewall Wizards mailing list archives

RE: segmentation of DMZs


From: "Ofir Arkin" <ofir () sys-security com>
Date: Mon, 18 Nov 2002 23:59:08 +0200

Answering the philosophical questions...


I would say you would need to separate into functional logical groups the data that is being hosted.  For example, a compromise of one system should not compromise the other systems that are functionally or organizationally (business sense) separate.  However, it will be extremely difficult to secure different classified data on the same application if they are utilizing the same business operation model for interfacing with the customer.

The questions and the example given were only given as an example. They
do not represent an entire classification process.

And hence the philosophical questions.  One should not place such highly confidential data on a system that is Internet and customer facing?  (This does not mean one using the Internet as such).  If the ramification of data and operational unauthorized access is very high, thorough separation is required, not just risk mitigation.

You need to understand what the type of information served is. It is
regarded secret by both the customer (its own banking information) and
the bank (regulation). It is not a Nation's top secret information that
is served off an Internet web server...

We both know that certain types of information will never be posted/stored on Internet servers.

The design should take into account the application way of operation and
a plethora of other issues regarding the way of operation, business
flows, and other issues...

Thus, do we segment at the physical layer or logical layer?  What are the essential relationships between the applications?

We segment on both layers - physical and logical. Sometimes we make the
tradeoffs. I thought it was an obvious point.

People's view may change as ecommerce security increases in engineering
capacity rather than add on solutions like firewalls and IDS.  Is an
Internet facing venture really as risky as it was ten years ago?

Firewalls and IDSs do not provide protection against security breaches. They are only two pieces in a puzzle; a puzzle which is sometimes 8 pieces and sometimes 10,000.

Yours,
Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards