Firewall Wizards mailing list archives

Re: Flat vs Segmented DMZ's


From: Carson Gaspar <carson () taltos org>
Date: Wed, 06 Nov 2002 18:18:28 -0500



--On Wednesday, November 06, 2002 8:28 AM -0800 WhtWlf2001 <whtwlf2001 () yahoo com> wrote:

I'm hoping to get some feedback (Pros/Cons) from the list members on a
Flat vs. Segmented DMZ structure. We currently have about 20 hosts
segmented off to 4-5 different DMZ interfaces on a CP firewall. With the
exception of having a separate MGMT DMZ, I'm curious about the
benefits/detriments to having this segmented infrastructure. Today we
offer only limited web services (http,ftp,owa) via the web.

A fairly standard web app has multiple layers: the front-end web server, some middleware, perhaps some AAA software, and a database.

So you run a web server. That means it is very likely to get hacked (IIS, Apache, Sun ONE - they have all had nasty security bugs). So now your web server has an intruder - what can they do? They can almost certainly do anything your web app can do. This means the hacker can communicate with the other web app systems, via the same channels (and with the same authentication) as your web app. Packet-filtering compartmentalization (by itself) does not solve this problem. Something like a database proxy that enforces read-only access might, however. Also, assuming that _all_ of your components are compartmentalized, the hacker may flood one to three compartments, but still may not be able to get into your main network. Of course, if your database servers are on your main backbone...

On the other hand, say your database software is secure, but the system it's running on has a buggy telnet daemon enabled? In a compartmentalized system, the hacker can't jump from the web server to the database server. In a flat design, they can.

So the multiple DMZ architecture reduces your risks. All else being equal, I _highly_ recommend it. It does _not_, however, remove the need for a thorough application security analysis.

--
Carson
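A small reachability model of the flat vs. segmented layouts Carson describes, added here as an example (not from the thread); the zones, hosts, listening ports and the single allow rule are constructed:

```python
# Reachability model for the flat vs. segmented DMZ argument above.
# Added example, not from the original thread; hosts, ports and rules are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    ports: frozenset  # TCP services the host is listening on

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: int  # firewall allows src_zone -> dst_zone on this destination port

def reachable(pivot, hosts, rules):
    """Services an intruder sitting on `pivot` can open a connection to.

    Hosts in the same zone talk freely (no firewall between them);
    cross-zone traffic needs an explicit allow rule."""
    out = set()
    for h in hosts:
        if h.name == pivot.name:
            continue
        for p in h.ports:
            same_zone = h.zone == pivot.zone
            allowed = any(r.src_zone == pivot.zone and r.dst_zone == h.zone
                          and r.dport == p for r in rules)
            if same_zone or allowed:
                out.add((h.name, p))
    return out

WEB_PORTS = frozenset({80, 443})
DB_PORTS = frozenset({1433, 23})   # database plus a leftover telnet daemon
MGMT_PORTS = frozenset({22, 161})  # management host: ssh and snmp

def flat_dmz():
    """Every host on one DMZ interface: a compromised web server sees all."""
    hosts = [Host("web", "dmz", WEB_PORTS), Host("db", "dmz", DB_PORTS),
             Host("mgmt", "dmz", MGMT_PORTS)]
    return reachable(hosts[0], hosts, rules=[])

def segmented_dmz():
    """One interface per tier; only the app's own channel is allowed through."""
    hosts = [Host("web", "dmz-web", WEB_PORTS), Host("db", "dmz-db", DB_PORTS),
             Host("mgmt", "dmz-mgmt", MGMT_PORTS)]
    rules = [Rule("dmz-web", "dmz-db", 1433)]
    return reachable(hosts[0], hosts, rules)

if __name__ == "__main__":
    print("flat:     ", sorted(flat_dmz()))       # db:23, db:1433, mgmt:22, mgmt:161
    print("segmented:", sorted(segmented_dmz()))  # db:1433 only
```

In both layouts the database port stays reachable with the web app's own credentials, which is the gap packet filtering alone leaves and a read-only database proxy could close.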

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
