
Internal trusted networks? (was Re: avahi-daemon)



On Fri, Mar 03, 2006 at 06:47:34PM +0100, Loïc Minier wrote:
>         Hi,
> 
> On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> > Inside the network?  Most managed networks have filtering at the borders, at
> > key router nodes, and if it has a more advanced distributed-firewall
> > mentality, on all of the important boxes themselves (but that usually
> > doesn't reach the workstations).
> 
>  I thought security people would recommend having a per-port ACL for
>  allowed traffic, and port visibility set to limit the view to only the
>  router when not otherwise required.

I don't think you have seen many corporate (i.e. hundreds of nodes) networks.
I've "seen" a few, and, from my "limited" experience:

a) people in charge of switches do not belong to the IT security department
   (there's a whole communications department for level 2 and even inter
   network routing)

b) it is not possible to set per-port ACLs for traffic since services are not
   completely defined ("are you sure that the people in management don't have
   to access the file servers at engineering?") and there's just too many
   end nodes (with new ones being introduced and old ones removed from the
   network continuously)

c) there are multiple routing entities in the network (not just the border
   router) due to having multiple interconnected LANs (some really nasty and
   *big* networks are a single LAN, but that's difficult to handle). So the
   needed visibility for a host is more than just a single router.

d) ACLs in core routers (think Cisco Catalyst) only buy you so much
   security-wise (it might prevent IP spoofing but they are not, after all,
   stateful filters) and have performance considerations (specially if you
   are running Gigabit)

So even if the "security people", as you so put it, would recommend per-port
ACL allowed traffic, they would (and do) get shunned by other IT departments.
At most, IT security can get a bridge firewall [1] setup between sensible
networks to isolate and try to control traffic between them.

>  I completely agree that it's quite common to have the network filtered
>  at its borders, and that's usually considered some internal trusted
>  network.

With people bringing laptops (and all kind of devices) from the outside of
the network, unprotected/uncontrolled WiFi access points, etc. there is no
such thing as an "internal trusted network".

Regards

Javier

[1] Some call it IPS, but then again, that's where the hype now is... or
was... you never know.
