Educause Security Discussion mailing list archives

Re: Philosophy of DMZ


From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Tue, 19 Apr 2005 17:49:22 -0400

We are in the reverse situation.  Servers have been deployed wherever
"needed".  This was mostly because there was not a procedure and
technology plan in place to guide the installation of these servers into
a DMZ.  My question is why does this web server HAVE TO be inside?

We currently have only our mail gateways in a DMZ but we are planning on
moving all servers that need external and internal access to a DMZ.
Servers that require only internal access will be in a single vlan
predominantly located in a single area so that I can provide a single
high end switch with fast throughput straight into the core of our
network. By providing this high end switch and connectivity it should be
incentive for system owners to want to get onto that server switch.
Those that do not will still be moved onto the server vlan by extending
that vlan wherever they want their server.

As for DMZ, we are also going to provide a single high end switch with
fast connectivity to the firewall for incentive for system owners to
want to move.  All IT Group-owned systems will be moved; it is more of a
faculty/departmental issue where some may not want to physically move
their servers.  For any group that does not want to physically move
their server to be located near the DMZ switch we are extending a
non-routed DMZ vlan wherever they need it, but the servers will move to
some DMZ type area.  We will then connect a port for the non-routed
internal DMZ vlan to the DMZ switch so that the only connectivity
to/from the DMZ vlan is through the firewall.

The short answer to your question is that you are not an idealist for
wanting to protect the internal network.  I expect that if you trend the
number of infections, hacks, and other network issues religiously there
will be a measurable increase within a few years that correlates
directly with the number of publicly accessible internal servers.  If
you have a good DMZ now, fight to keep and improve it, not scrap it.

_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070
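As an added illustration of the layout described above (this is not from Greg's post or any Keene State configuration), the following is a three-zone firewall policy in nftables syntax that makes the firewall the only path to and from the DMZ VLAN. Interface names, address ranges, the DMZ web hosts and the internal backend host:port pairs are all assumptions chosen for the example. The DMZ VLAN itself carries no router interface other than the firewall's, so a departmental server on an extended, non-routed DMZ VLAN is subject to exactly the same rules as one racked next to the DMZ switch.

```nft
#!/usr/sbin/nft -f
# Added example policy (assumed names and addresses, not from the original post):
#   eth0 = outside (Internet)
#   eth1 = DMZ VLAN, 192.0.2.0/24, non-routed except through this firewall
#   eth2 = internal server VLAN, 10.10.0.0/16
flush ruleset

table inet dmz_policy {
    # DMZ hosts that are published to the Internet (assumed addresses)
    set dmz_web {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    # The only internal host:port pairs the DMZ web tier may open (assumed:
    # a database listener and LDAPS). Anything else inside is unreachable from DMZ.
    set inside_backends {
        type ipv4_addr . inet_service
        elements = { 10.10.5.20 . 1433, 10.10.5.30 . 636 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to permitted sessions; drop packets that match no known flow
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published web services, only to the web hosts
        iifname "eth0" oifname "eth1" ip daddr @dmz_web tcp dport { 80, 443 } accept

        # DMZ -> inside: only from the web tier, only to the listed backends.
        # A compromised DMZ host cannot scan or reach the rest of the internal VLAN.
        iifname "eth1" oifname "eth2" ip saddr @dmz_web ip daddr . tcp dport @inside_backends accept

        # Inside -> DMZ: administration and deployment from the IT management subnet (assumed 10.10.1.0/24)
        iifname "eth2" oifname "eth1" ip saddr 10.10.1.0/24 tcp dport { 22, 443 } accept

        # DMZ -> Internet is deliberately not opened: a compromised DMZ server
        # should not be able to call out. Add a narrow rule here if a host needs updates.

        # Everything else (including DMZ -> inside on any other port) is logged, then
        # dropped by the chain policy.
        limit rate 5/second log prefix "dmz-fw-drop "
    }
}
```

Load with `nft -f` and review with `nft list ruleset`; the useful check after deployment is to scan an internal host from a DMZ server and confirm that only the backend ports in `inside_backends` answer, which is the measurable difference between a DMZ and a publicly reachable server on the inside VLAN.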

-----Original Message-----
From: Barros, Jacob [mailto:jkbarros () GRACE EDU] 
Sent: Tuesday, April 19, 2005 5:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Philosophy of DMZ

I've run into a situation where a solution we are implementing requires
a web server to be on our inside network but needs to be accessed
externally.  This is happening much more frequently than I would like.
We're doing some long-term planning and my office would like some
feedback from other institutions.  

If I'm going to have to keep adding servers that can be accessed
directly, is there still reason to have a DMZ? My understanding of
having a DMZ is to not allow public external access to internal servers;
all requests to internal servers should be answered by a
proxy/reverse proxy server.  Am I just an idealist?  

Can anyone share experiences with proxying?  Anyone ever scrap their
DMZ?  Any policies that you can share on external access to internal web
servers? 

Jake Barros
Grace College

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

