Hi Margaret,

>> Michel Py wrote:
>> It appears though that postings by different
>> people seem to converge about the idea that the boundaries
>> of the site (as in site-local) match the administrative
>> boundaries of the organization. There is an issue with
>> semantics but not with the concept itself.

> Margaret Wasserman wrote:
> Don't some sites have a DMZ where they put outward-facing
> servers that is actually outside their main security
> boundary?

I don't think so, see below.

> I don't think, though, that security boundaries and
> administrative boundaries always coincide.

Most of the time there is no such thing as a single "security boundary"
but multiple ones (I have seen six successive DMZ designs). Security is
_layered_, and I can't remember any network where one of the security
layers would not match the administrative boundary. Most of the time,
this would be the outer layer.

> So, would you put that DMZ outside the site, routing
> area and "two-faced" DNS boundaries, as well?

Not typically. The routing area and the security area will likely
include the DMZ as well as the site does. It is well understood that DMZ
hosts are sitting ducks, but it does not mean they should not be
protected by a firewall in order to prevent some attacks such as SYN/ACK
and ping of death. Therefore, they are within the security perimeter, on
the outside of it obviously.

Back to the diagram below, there is a security boundary that matches the
site boundary, another one in the outside firewall, another one in the
inside firewall, and finally one in router B. 

-------------------- Global Addresses ------------------><- SL addr ->
+-----+
| ISP |    |
+--+--+    |         :                :                 :
   !       |         :                :                 :
+--+---------+  +----------+     +----------+     +----------+
| Router A | +--+ Firewall +--+--+ Firewall +--+--+ Router B +---+
+------------+  +----------+  |  +----------+  |  +----------+   |
           |         :        |       :        |        :        |
           |         :    +---+--+    :     +--+---+    :   +----+----+
           |         :    | DMZ  |    :     | Host |    :   | Control |
           |         :    | Host |    :     +------+    :   | Device  |
           |         :    +------+    :                 :   +---------+
---Site -->|<-------------------------- Site ------------------------->
           |         :                :                 :
           |

A good security policy splits the administration of the different layers
because then one single person sleeping with the enemy cannot
compromise the entire network. In the diagram above, if the
administrator responsible for router B wants to configure a tunnel in
router B in order to leak the site-locals, the tunneling protocol would
be blocked in the firewalls. Also, if the firewall administrator opens a
hole in the firewalls to get to the control devices, he can't because he
needs to reconfigure router B also.

Hope this helps,

Michel.


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
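
An added illustration of the split-administration argument in the message above; it is not part of the original post. It models the filtering devices from the diagram and computes, for each segment, the smallest group of administrators who would have to cooperate to expose it. The administrator names, the omission of Router A, and the treatment of both firewalls as run by one person are assumptions.

```python
from itertools import combinations

# Filtering devices crossed between the outside and each segment of the
# diagram, outermost first. Router A is left out: the message assigns it
# no filtering role (assumption).
SEGMENT_PATH = {
    "dmz_host": ["outside_firewall"],
    "host": ["outside_firewall", "inside_firewall"],
    "control_device": ["outside_firewall", "inside_firewall", "router_b"],
}

# Who administers what. Names are hypothetical; a single firewall
# administrator for both firewalls follows the wording of the message.
SPLIT_ADMIN = {
    "outside_firewall": "fw_admin",
    "inside_firewall": "fw_admin",
    "router_b": "router_b_admin",
}
SINGLE_ADMIN = {device: "net_admin" for device in SPLIT_ADMIN}


def path_open(segment, rogue_admins, owners):
    """True if every device in front of `segment` is owned by a rogue admin,
    i.e. the rogue admins can open (or tunnel through) the whole path."""
    return all(owners[dev] in rogue_admins for dev in SEGMENT_PATH[segment])


def min_collusion(segment, owners):
    """Smallest group of admins that must cooperate to expose `segment`."""
    admins = sorted(set(owners.values()))
    for size in range(1, len(admins) + 1):
        for group in combinations(admins, size):
            if path_open(segment, set(group), owners):
                return group
    return None


def exposure_report(owners):
    """Map each segment to the smallest colluding group that exposes it."""
    return {seg: min_collusion(seg, owners) for seg in SEGMENT_PATH}


if __name__ == "__main__":
    for label, owners in (("split", SPLIT_ADMIN), ("single", SINGLE_ADMIN)):
        for seg, group in exposure_report(owners).items():
            print(f"{label:6} {seg:15} needs {len(group)}: {', '.join(group)}")
```

Under these assumptions only the control devices behind router B need two cooperating administrators; the segments in front of router B depend on the firewall administrator alone.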
