Well, I guess you could call it ZBS and it would be fine if it authenticated people at the boundary rather than the host/resource. Then you can put cross-boundary (inter-departmental) people into groups on the firewall. Unfortunately, at the time I was working on this, there wasn't a product that would do that efficiently or transparently. Users get really pissed if they have to keep entering user IDs and passwords every time they want to access a resource in another zone.

Last time I looked the problem still existed; Single Sign-on still seems to be more dream than reality. Anything in the "ICE" arena (pun intended) that's addressing this problem?

-- Bill Stackpole, CISSP


--  


[EMAIL PROTECTED]

11/29/00 01:55 AM

        To:        [EMAIL PROTECTED], David Van Damme <[EMAIL PROTECTED]>
        cc:        "'Hubert Felber'" <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
        Subject:        RE: Firewall for LAN



Isn't that what you call Zone Boundary Security (ZBS)?

At 12:43 PM 11/29/00 -0500, [EMAIL PROTECTED] wrote:

>I've had the displeasure of trying to "protect" departments from each
>other so I'll throw my two cent at this one.
>
>The real solution is to implement access controls to the data instead of
>trying to segment the individual LANs.  It has been my experience that
>firewalling between departments that do business with each other soon
>becomes an administrative nightmare.  Every Tom, Dick and Harriet manager,
>auditor, accountant, attorney, admin assistant, and-on-and-on, etc., etc.,
>etc. . . has some reason why they needed "special" access through the
>firewall.  To give you an idea of how bad this got, at one point there
>were over 1,800 IP filtering rules on 21 different routers.
>
>For all practical purposes these rules were there so personnel in the
>departments didn't have to do anything to protect their resources.  This
>got changed.  First we educated the owners of the data on their
>responsibility to classify their data and determine who should have access
>to it.  Then we set up groups to implement those controls.   Then we gave
>the owners of the data the ability to add or remove people from those
>groups as they saw fit.  Finally, we removed the majority of the filter
>rules from the routers.
>
>-- Bill Stackpole, CISSP
>
>
>
>
>David Van Damme <[EMAIL PROTECTED]>
>Sent by: [EMAIL PROTECTED]
>
>11/29/00 06:59 AM
>
>         To:        "'Hubert Felber'" <[EMAIL PROTECTED]>
>         cc:        "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>         Subject:        RE: Firewall for LAN
>
>
>
>Why would a firewall between LANs be a lot different than a `regular`
>firewall?
>Any firewall where you can disable the NAT would do, right?
>
>David
>
>
>-----Original Message-----
>From: Hubert Felber [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, November 29, 2000 3:35 PM
>To: [EMAIL PROTECTED]
>Subject: Firewall for LAN
>
>
>Hi,
>
>I am looking for firewall solutions to work on the LAN. We want to protect
>the in-house departments from each other. Once there was a product called
>Eagle LAN from Raptor. I don't know if this still exists, but this is
>exactly the kind of firewall solution I am looking for.
>
>Does anybody know of, or can anybody recommend, a product?
>
>Thank you
>Hubert
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>


