From: Frankster on
> It does work in the real world, though many people
> seem to be reluctant to do it right, because the other
> way is so much easier.

It's not about "easy", it's about money. A realistic risk analysis versus
costs. Some's worth it, some's not.

-Frank


From: Ansgar -59cobalt- Wiechers on
Leythos wrote:
> In article <3v5rhjF13va87U2(a)individual.net>, usenet-2005(a)planetcobalt.net says...
>> Leythos wrote:
>>> Wrong - If the database server in DMZ2 is compromised by a 0-Day
>>> exploit, and you've set up replication between the DMZ1 DB server, so
>>> that you have real-time information available, then the same 0-Day
>>> exploit will reach through and compromise that server too.
>>
>> No. Simply because replication and web application use different
>> mechanisms to access the server. Besides, I didn't say anything about
>> real-time replication.
>
> No, you didn't, but let's take an online ordering system, or a project
> management system or anything else that doesn't use a Static DB, and
> then you either punch a hole or set up replication, so you're back to
> having a security issue that you have to deal with one way or another.

As I said: even if I use (live-)replication, I'm not likely to be
vulnerable to the same exploit. And even if I were: my exposure would be
*at most* as high as it were in your scenario.

cu
59cobalt
--
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668


From: Ansgar -59cobalt- Wiechers on
Frankster wrote:
>> It does work in the real world, though many people seem to be
>> reluctant to do it right, because the other way is so much easier.
>
> It's not about "easy", it's about money.

Anything not easy is going to cost money, so it's the same.

> A realistic risk analysis versus costs. Some's worth it, some's not.

Honestly, don't most of those "realistic" risk analyses amount to "it's
more likely to hit others first, so we don't need to spend money on that
now", until they actually get hit?

cu
59cobalt
--
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668


From: Frankster on
>> It's not about "easy", it's about money.
>
> Anything not easy is going to cost money, so it's the same.

Disagree. Often the easiest thing is to throw money on it.

>> A realistic risk analysis versus costs. Some's worth it, some's not.
>
> Honestly, don't most of those "realistic" risk analyses amount to "it's
> more likely to hit others first, so we don't need to spend money on that
> now", until they actually get hit?

Nope. Not if they are done right.

Another thing... it's kind of ridiculous to spend much time and money to
protect a system without real data storage that you can rebuild and have
back to original in an hour. Just depends. OTOH, it could be that an hour of
downtime would cost your company thousands or millions. Just depends.

-Frank


From: DigitalVinyl on
"Frankster" <Frank(a)SPAM2TRASH.com> wrote:

>> It does work in the real world, though many people
>> seem to be reluctant to do it right, because the other
>> way is so much easier.
>
>It's not about "easy", it's about money. A realistic risk analysis versus
>costs. Some's worth it, some's not.
>
>-Frank

Often, I find it isn't about money. It is about the politics. Most of
us get to inherit stuff. As a consultant you inherit almost
everything. If the existing system is foully organized and exposes
the company to problems, capacity, security, performance, or
capability problems, there is all too often a desire to ignore and
hide the problem and pretend it isn't really there. This leads to a
bastardization to work around things. Management doesn't want to admit
they've fucked up in the past. This leads to that ever popular cycle
of "we're the new management - let's change everything". Old management
would never admit to fuckups, new management wants to blame old
management and pretend that they have some great plan to make things
"better". Technical and real world requirements be damned.
