Firewall Wizards mailing list archives
Re: Defense in Depth to the Desktop
From: Chris Pugrud <cpugrud () yahoo com>
Date: Mon, 6 Dec 2004 08:16:53 -0800 (PST)
--- Rogan Dawes <discard () dawes za net> wrote:
> I've been trying to come up with some way of firewalling individual clients (i.e. at a switch level), by defining a policy of who is allowed to connect to what, at a very granular level. Your analysis kind of short-cuts that whole approach, by taking a much less granular approach to things. I think it could be very effective. I particularly like the way of segregating servers based on their need to initiate connections to clients or not. Good stuff! I look forward to seeing more discussion on this list.
The key short cut, in my mind, was realizing that private VLANs could be used to extend strong access controls to an entire subnet without having to define individual rules, subnets, or VLANs. Private VLANs also cut out all of the client-to-client chatter and vulnerabilities. Segmentation of the servers isolates the risk exposure. The reality is that very, very few servers actually need to initiate connections to the clients. Even SMS and most management systems are client-poll driven. The best example I've seen of Master->client servers are vulnerability scanners (most organizations do not do backups of client systems). Because all of the client systems are exposed to the Master Client servers, the security of those systems is obviously vital.

Thank you,
Chris
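As an added illustration (not part of Chris's message or anything posted in this thread), the following shows what the private-VLAN layout he describes looks like on a Cisco IOS switch: clients sit on isolated host ports and can reach only the promiscuous uplink toward the servers, while client-to-client traffic on the same subnet is dropped by the switch. The VLAN IDs, interface names and the placement of the "master-client" server segment behind a separate firewall interface are assumptions for the example, not values from the list discussion.

```cisco
! Assumed IDs: primary VLAN 100 carries the client subnet,
! isolated secondary VLAN 101 holds every client port.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated

! Client access ports: isolated hosts. Frames from one isolated port are
! never forwarded to another isolated port, which removes client-to-client
! chatter (and client-to-client exposure) without any per-host rule.
interface range GigabitEthernet0/1 - 20
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast

! Uplink to the firewall/router: the only promiscuous port. Everything a
! client sends lands here, so the policy for client -> server traffic is
! written once, on this device, for the whole subnet.
interface GigabitEthernet0/24
 description Uplink to firewall (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
```

On the firewall behind Gi0/24 the two server groups from the discussion map to two rule sets: the client-poll-only servers accept sessions initiated from VLAN 100 and are denied any connection they initiate toward it, while the small "master-client" segment (scanners and the like) is the only source permitted to open connections into the client range. Verifying the isolation is a matter of checking from one client port that a neighbour on the same subnet does not answer while the default gateway still does.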