Firewall Wizards mailing list archives
RE: segmentation of DMZs
From: "Ofir Arkin" <ofir () sys-security com>
Date: Mon, 18 Nov 2002 23:59:08 +0200
Answering the philosophical questions...
I would say you would need to separate the data that is being hosted into functional logical groups. For example, a compromise of one system should not compromise other systems that are functionally or organizationally (in the business sense) separate.

However, it will be extremely difficult to secure differently classified data on the same application if they are utilizing the same business operation model for interfacing with the customer.
The questions and the example given were only given as an example. They do not represent an entire classification process.
And hence the philosophical questions. One should not place such highly confidential data on a system that is Internet- and customer-facing? (This does not mean one using the Internet as such.) If the ramifications of unauthorized access to data and operations are very high, thorough separation is required, not just risk mitigation.
You need to understand what type of information is being served. It is regarded as secret by both the customer (its own banking information) and the bank (regulation). It is not a nation's top secret information that is served off an Internet web server... We both know that certain types of information will never be posted/stored on Internet servers. The design should take into account the application's way of operation and a plethora of other issues regarding the way of operation, business flows, and other issues...
Thus, do we segment at the physical layer or logical layer? What are the essential relationships between the applications?

We segment on both layers, physical and logical. Sometimes we make tradeoffs. I thought it was an obvious point.
People's views may change as ecommerce security increases in engineering capacity rather than relying on add-on solutions like firewalls and IDS. Is an Internet-facing venture really as risky as it was ten years ago?
Firewalls and IDSs do not provide protection against security breaches. They are only two pieces in a puzzle; a puzzle which is sometimes 8 pieces and sometimes 10,000.

Yours,
Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: segmentation of DMZs Scott, Richard (Nov 18)
- RE: segmentation of DMZs Ofir Arkin (Nov 18)