Firewall Wizards mailing list archives
Re: ASP/Hosting Architecture
From: "Kerry Thompson" <kez () crypt gen nz>
Date: Fri, 12 Nov 2004 15:21:14 +1300 (NZDT)
Paul D. Robertson said:
You have a few choices, either make a limited number of zones, and replicate the environment for that number (3 or 4 max) and place organizations into a particular zone based on their self-confessed tolerance, make the infrastructure as hardened as possible, make the organizational stuff not able to talk to each other, and carry the risk that's left, or build out each thing individually. Which is right depends heavily upon resources, security visibility and scale.
Yes, other technical controls can help. VLANs and the firewall-on-a-stick architecture can help scalability, as can deploying larger firewalls with domain/virtualization capability ( Netscreen, Cisco FWSM ).
I'm sure that there are some organizations with this type of problem that do it the wrong way, basically going flat with the tiering and/or data segmentation and only segmenting (maybe even only with VLANs) on the data owner (hosting client).

Yep, lots of places do it wrong.
The few that I've seen rely on host security, particularly in the presentation and application layers. Few implement security on back-end storage systems; they usually assume that the threat has been diluted at the lower layers.
Is anyone doing it right? How do you make it scale? Any models, ideas?

It also depends on your idea of secure and what resources have to be shared. I happen to think multi-level secure systems work well for this sort of thing, Marcus probably doesn't agree at all. We probably both agree that the administrative overhead is pretty ugly though ;)
True. I've done a fair bit of work on SELinux and while it can be used to provide very scalable host security the learning curve can be steep. It's capable of MLS, but that's rarely deployed in favour of plain MAC. The MAC model in SELinux offers good process separation, potentially down to the network level on a single server. This is a good alternative to deploying multiple DMZ segments for all of the different types of servers that you want to separate from each other.

For instance, the SELinux policy is configured to permit web server processes to only read files and send them back to the client and nothing else. No web server process ( or sub-process ) can open a network connection, access any other files, or even invoke a shell unless you explicitly permit it. So this sort of approach can save you from deploying a separate server for Email, DNS, Web, FTP, .. each on a different DMZ to stop a hacked server from attacking the others.

One of the biggest problems in the ISP/ASP environment is auditability. The customers always want proof ( or at least a high level of certainty ) that their host environment is secure. And as the number of distinct tiered networks climbs over the 100 mark this becomes very difficult to do.

Kerry
--
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz kez () crypt gen nz
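
Added example, not part of the original post: a small audit over `sesearch --allow`-style rule text that checks whether a web server domain is confined the way the message describes (no outbound connections, no shell, no files other than its content), which is also one way to produce evidence for the auditability concern. The rules are constructed sample data, and the type names (`httpd_t`, `httpd_sys_content_t`, `shell_exec_t`, and so on) follow reference-policy naming and are assumptions about the host being checked.

```python
import re

# Constructed sample in `sesearch --allow` output style. Type names follow
# reference-policy conventions and are assumptions, not a real host's policy.
SAMPLE_RULES = """
allow httpd_t httpd_sys_content_t:file { getattr open read };
allow httpd_t httpd_sys_content_t:dir { getattr open read search };
allow httpd_t http_port_t:tcp_socket name_bind;
allow httpd_t mysqld_port_t:tcp_socket name_connect;
allow httpd_t shell_exec_t:file { execute read };
allow httpd_t user_home_t:file { getattr open read };
allow named_t named_zone_t:file { getattr open read };
"""

RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|([^\s;]+))\s*;")
EXEC_PERMS = {"execute", "execute_no_trans"}

def parse_rules(text):
    """Yield (source, target, class, permission set) for each allow rule."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, braced, single = m.groups()
            yield src, tgt, cls, set((braced or single or "").split())

def audit_domain(text, domain, content_types):
    """Return (finding, target type) pairs that break 'serve files only'."""
    findings = []
    for src, tgt, cls, perms in parse_rules(text):
        if src != domain:
            continue
        if cls == "tcp_socket" and "name_connect" in perms:
            findings.append(("outbound-connect", tgt))
        elif cls == "file" and tgt == "shell_exec_t" and perms & EXEC_PERMS:
            findings.append(("shell-exec", tgt))
        elif cls in ("file", "dir") and tgt not in content_types:
            findings.append(("other-files", tgt))
    return findings

if __name__ == "__main__":
    for finding, target in audit_domain(
            SAMPLE_RULES, "httpd_t", {"httpd_sys_content_t"}):
        print(f"httpd_t: {finding} via {target}")
```

Running the same check per confined domain and per customer host gives a repeatable report of where the loaded policy departs from the intended separation.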