Firewall Wizards mailing list archives

Re: Defense in Depth to the Desktop


From: Chris Pugrud <cpugrud () yahoo com>
Date: Mon, 6 Dec 2004 08:16:53 -0800 (PST)


--- Rogan Dawes <discard () dawes za net> wrote:

> I've been trying to come up with some way of firewalling individual 
> clients (i.e. at a switch level), by defining a policy of who is allowed 
> to connect to what, at a very granular level. Your analysis kind of 
> short-cuts that whole approach, by taking a much less granular approach 
> to things. I think it could be very effective. I particularly like the 
> way of segregating servers based on their need to initiate connections 
> to clients or not.
> 
> Good stuff! I look forward to seeing more discussion on this list.

The key short cut, in my mind, was realizing that private vlans could be used
to extend strong access controls to an entire subnet without having to define
individual rules, subnets, or vlans.  Private vlans also cut out all of the
client to client chatter and vulnerabilities.

Segmentation of the servers isolates the risk exposure.  The reality is that
very, very few servers actually need to initiate connections to the clients.
Even SMS and most management systems are client-poll driven.  The best example
I've seen of Master->client servers are vulnerability scanners (most
organizations do not do backups of client systems).  Because all of the client
systems are exposed to the Master Client servers, the security of those systems
is obviously vital.

Thank you,

Chris
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
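As an added illustration (not part of the original thread) of the private VLAN layout Chris describes, here is a Cisco IOS-style configuration: one primary VLAN for the whole client subnet, an isolated secondary VLAN for the client ports, and a promiscuous uplink toward the firewall and the client-poll servers. VLAN numbers, interface names and the VTP transparent requirement are assumptions for the example.

```cisco
! Added example, not from the original post. VLAN ids, port names and
! "vtp mode transparent" (needed for private VLANs on VTP v1/v2) are assumed.
vtp mode transparent
!
! Primary VLAN: one IP subnet for every client, no per-client rules needed.
vlan 100
 name CLIENT-PRIMARY
 private-vlan primary
 private-vlan association 101
!
! Isolated secondary VLAN: ports in it reach promiscuous ports only, never
! each other, which removes client-to-client chatter and lateral exposure.
vlan 101
 name CLIENT-ISOLATED
 private-vlan isolated
!
! Client access ports are host ports bound to the primary/isolated pair.
interface range GigabitEthernet1/0/1 - 24
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Uplink toward the firewall/default gateway and the client-poll servers.
! Only this promiscuous port can talk to every host in the isolated VLAN,
! so any server that must initiate to clients (e.g. a vulnerability
! scanner) is reached through the firewall policy on this path, not the switch.
interface GigabitEthernet1/0/25
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
```

`show vlan private-vlan` and `show interfaces GigabitEthernet1/0/1 switchport` confirm the association and port mode; a client should then be able to reach the gateway but not ping a neighbouring client port.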

