Firewall Wizards mailing list archives
Re: ASP/Hosting Architecture
From: Chris Pugrud <chris () pugrud net>
Date: Thu, 18 Nov 2004 04:43:50 -0800 (PST)
Don,

I lived in this world for a few years and it was a very blood and guts initiation to compartmentalized network security. The company was shut down by VC greed, but it was running strong up to that point. I have the hindsight of a couple of years to know how I could have done it better, but at the time my primary focus was unraveling the mess and getting into a solid state that was auditable and was SAS-70 certified (which undermined my appreciation for SAS-70).

The ASP hosted financial and CRM systems for a specialized sphere of startup hardware manufacturers. Because the ASP focused on a very specific business segment they were able to quickly implement full ERP systems (the record was 42 days for a full ERP implementation for a running, shipping customer). It also meant that all of the ASP's customers were direct competitors of each other (including a few that have already been mentioned in this thread). Obviously the systems had to be secure against the outside world, but it had to maintain and ensure the security of internal compartments against each other.

Each of the customers was broken out on their own hardware, including private network switches, hub and spoke from a hardened core. Access to and from the backup system was tightly controlled. A limited amount of administrative systems were given access to the customer systems. Customer access was via ASP-owned equipment, including private T1 lines that were IPSEC (3DES) encrypted. The VPN hardware controlled access between the customers and the core; the core controlled access between the servers and the customer. Overlapping customer (RFC1918) issues were dealt with by FM in the VPN hardware. The common points of vulnerability were the backup compartment and the admin compartment. The customer compartments had no visibility or access outside of their compartment; they could only respond to requests from the admin, backup, and customer client systems.
No working design can be perfect, but we did the best with the technology and understanding available that we could. The design was audited, certified, and even received praise from a group of grey-hat "security researchers" that successfully IPO'd. I'd be happy to share some more lessons learned, but it's probably more appropriate off-list.

Chris

--- Don Kendrick <strider () mailworks org> wrote:
Dear Wizards,

Need some direction/advice from anyone that has worked in the development of a network/firewall architecture for an ASP or hosting company. I'm currently working on developing a plan for an organization that will host multiple organizations' IT infrastructures. Some of the organizations have a high risk tolerance and some have (or should have) a very low tolerance.

When you look at developing a network/security architecture for an organization, you are usually looking at one organization's assets and can then apply the standards for tiering (presentation, application, and data) and segmentation based on criticality and confidentiality. The problem is how do we do this in an environment that also has to be segmented based on owner. Things start to not scale well quickly. Lots of firewalls, segmented SAN/NAS devices, segmented enterprise backup systems. If you don't address some of this you run the risk of the weakest link being exploited to escalate into other more secure co-located systems that might share infrastructure.

I'm sure that there are some organizations with this type of problem that do it the wrong way, basically going flat with the tiering and/or data segmentation and only segmenting (maybe even only with VLANs) on the data owner (hosting client). Is anyone doing it right? How do you make it scale? Any models, ideas?

don

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
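As an added example (not code from either poster, and not the ASP's own tooling): a small Python model of the kind of compartment policy Chris describes, with each customer on its own spoke, an admin and a backup compartment that may initiate connections into the customer compartments, and customer compartments that only answer requests. The compartment names, the rule set and the "flat" variant are assumptions constructed for illustration. The model computes which compartments a compromised one could pivot to, flags any customer-to-customer reachability, and ranks compartments by blast radius, which surfaces the admin and backup compartments as the common points of exposure the post mentions.

```python
"""Reachability model for a compartmentalised hosting network.

POLICY maps each compartment to the set of compartments it may *initiate*
connections to.  Transit devices (the VPN hardware and the core firewall)
are modelled as the enforcement points that pin each customer's clients
to that customer's own servers, so they appear as edges, not nodes.
All names and rules are constructed for this example.
"""
from collections import deque

POLICY = {
    "client_a": {"cust_a"},                    # customer A over its own IPsec T1
    "client_b": {"cust_b"},                    # customer B over its own IPsec T1
    "admin":    {"cust_a", "cust_b", "backup"},  # limited admin systems
    "backup":   {"cust_a", "cust_b"},          # backup compartment pulls from servers
    "cust_a":   set(),                         # customer servers only respond
    "cust_b":   set(),
}

# Which compartments belong to which hosting customer.
CUSTOMERS = {
    "a": {"client_a", "cust_a"},
    "b": {"client_b", "cust_b"},
}

# The "flat" design Don worries about: customer servers share a segment
# (or a VLAN with no inter-VLAN filtering), so they can reach each other.
FLAT_POLICY = {node: set(dsts) for node, dsts in POLICY.items()}
FLAT_POLICY["cust_a"].add("cust_b")
FLAT_POLICY["cust_b"].add("cust_a")


def reachable(policy, start):
    """Return every compartment that `start` can initiate to, transitively.

    This is the pivot set of an attacker who fully controls `start`.
    """
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in policy.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def check_isolation(policy, customers):
    """List (src_customer, dst_customer, src_node, dst_node) for every path
    by which one customer's compartment can reach another customer's."""
    violations = []
    for src_cust, src_nodes in customers.items():
        for dst_cust, dst_nodes in customers.items():
            if src_cust == dst_cust:
                continue
            for src in src_nodes:
                for dst in reachable(policy, src) & dst_nodes:
                    violations.append((src_cust, dst_cust, src, dst))
    return sorted(violations)


def blast_radius(policy):
    """Rank compartments by how many others their compromise exposes."""
    return sorted(
        ((node, len(reachable(policy, node))) for node in policy),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for name, policy in (("hub-and-spoke", POLICY), ("flat", FLAT_POLICY)):
        print(f"{name}: violations = {check_isolation(policy, CUSTOMERS)}")
        print(f"{name}: blast radius = {blast_radius(policy)}")
```

Run against the hub-and-spoke policy the isolation check is empty and the ranking puts `admin` (3 reachable compartments) and `backup` (2) at the top, which is exactly where hardening and monitoring effort belongs. The flat variant produces four violations, two in each direction, because each customer's clients can now reach the other customer's servers through the shared segment.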