NFR Wizards Archive: Re: Shared DMZ liability

Re: Shared DMZ liability


Rick Smith (rick_smithsecurecomputing.com)
Fri, 21 Aug 1998 16:12:20 -0500


At 01:22 PM 8/18/98 -0400, Allen Todd wrote:

>I'm interested in whether anyone has any specific
>knowledge about corporate liability resulting from
>the use of a shared DMZ for external data providers.

First of all, keep in mind that there's no network security mechanism
that's going to keep a bunch of hosts like that from potentially attacking
one another. The separate DMZs do raise the bar, but it's not clear this
improves your legal liability situation.

If everyone is on the same DMZ, then risk of one outsider attacking another
is increased, since there's no independent security mechanism (i.e.
firewall) separating them, and a firewall would probably increase the
effort required for a successful attack. However, if someone performs a
direct and unsophisticated attack from their host machine to a competitor's
machine, and the attack is logged, then any logged IP addresses will point
to the real attacker. This makes them the favored target of a lawsuit. This
really happens: I've investigated that sort of thing.

If the attacker is more clever and mounts the attack from another machine
(yours, for example) or uses some other strategy to forge IP addresses,
then the owner of the forged address becomes a more likely target of a
lawsuit.

If you use separate DMZs you probably increase the work required by
outsiders to attack one another, and thus you probably decrease the
likelihood of attacks. On the other hand, successful attacks will *have* to
be mounted by penetrating one of your own machines, so logged attacks will
point to *you* as the perpetrator. This makes you the prime target of the
lawsuit if anything happens. So you decrease the likelihood of attacks (and
the likelihood may be small anyway, depending on the group of outsiders
involved) but you increase the likelihood that you'll be held responsible
if an attack *does* occur.

I expect this isn't the sort of answer you're looking for, but it's another
way of looking at the problem.

Rick.
smithsecurecomputing.com
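The two layouts Rick contrasts (everyone on one DMZ versus a firewall between each outsider's segment) can be made concrete with a packet-filter policy. The ruleset below is an added illustration for this archive page, not code from the original post or from Secure Computing; it is written for nftables on a Linux firewall, which did not exist in 1998, and the interface names (eth0, dmz_a, dmz_b, int0), the tenant subnets (10.1.0.0/24, 10.2.0.0/24) and the published ports are assumptions chosen for the example. It goes slightly beyond the post by adding per-tenant anti-spoofing rules, which address the forged-address scenario in the third paragraph: if a tenant segment may only emit its own addresses, the source address in a firewall log line is harder to fake.

```nftables
# Added example (not from the original post): per-tenant DMZ isolation with
# logging on a Linux nftables firewall. Names and subnets are assumed:
#   eth0   Internet uplink
#   dmz_a  tenant A's segment, 10.1.0.0/24
#   dmz_b  tenant B's segment, 10.2.0.0/24
#   int0   the firewall owner's internal network
define WAN     = "eth0"
define DMZ_A   = "dmz_a"
define DMZ_B   = "dmz_b"
define TENANTS = { "dmz_a", "dmz_b" }

table inet dmz {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing: a packet arriving on a tenant interface must carry a
        # source address from that tenant's own subnet. A tenant that forges
        # someone else's address is logged under its own interface name and
        # dropped, so the firewall log still points at the real origin.
        iifname $DMZ_A ip saddr != 10.1.0.0/24 log prefix "dmz-spoof-a " drop
        iifname $DMZ_B ip saddr != 10.2.0.0/24 log prefix "dmz-spoof-b " drop

        # Services each tenant publishes to the Internet (assumed: web only).
        iifname $WAN oifname $DMZ_A ip daddr 10.1.0.0/24 tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ_B ip daddr 10.2.0.0/24 tcp dport { 80, 443 } accept

        # Tenants may initiate connections outbound to the Internet.
        iifname $TENANTS oifname $WAN accept

        # Tenant-to-tenant traffic is the "outsiders attacking one another"
        # case: refused and logged with the ingress interface recorded.
        iifname $TENANTS oifname $TENANTS log prefix "dmz-crosstalk " drop

        # Tenants may not reach the firewall owner's internal network either.
        iifname $TENANTS oifname int0 log prefix "dmz-to-internal " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the `dmz-crosstalk` and `dmz-spoof-*` prefixes. Two caveats follow directly from the post: the firewall only mediates traffic that crosses it, so hosts that share one segment (the shared-DMZ layout) can still attack each other without producing any of these log lines; and if a tenant is instead reached by first compromising one of the firewall owner's own hosts, the logged source will be that host, which is exactly the attribution problem Rick describes.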



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:40 CDT