Educause Security Discussion mailing list archives
Re: Philosophy of DMZ
From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Tue, 19 Apr 2005 17:49:22 -0400
We are in the reverse situation. Servers have been deployed wherever "needed". This was mostly because there was not a procedure and technology plan in place to guide the installation of these servers into a DMZ. My question is why does this web server HAVE TO be inside?

We currently have only our mail gateways in a DMZ, but we are planning on moving all servers that need external and internal access to a DMZ. Servers that require only internal access will be in a single VLAN, predominantly located in a single area, so that I can provide a single high-end switch with fast throughput straight into the core of our network. By providing this high-end switch and connectivity it should be an incentive for system owners to want to get onto that server switch. Those that do not will still be moved onto the server VLAN by extending that VLAN wherever they want their server.

As for the DMZ, we are also going to provide a single high-end switch with fast connectivity to the firewall as an incentive for system owners to want to move. All IT Group owned systems will be moved; it is more of a faculty/departmental issue where some may not want to physically move their servers. For any group that does not want to physically move their server to be located near the DMZ switch, we are extending a non-routed DMZ VLAN wherever they need it, but the servers will move to some DMZ-type area. We will then connect a port for the non-routed internal DMZ VLAN to the DMZ switch so that the only connectivity to/from the DMZ VLAN is through the firewall.

The short answer to your question is that you are not an idealist for wanting to protect the internal network. I expect that if you trend the number of infections, hacks, and other network issues religiously, there will be a measurable increase within a few years that correlates directly with the number of publicly accessible internal servers. If you have a good DMZ now, fight to keep and improve it, not scrap it.
_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070

-----Original Message-----
From: Barros, Jacob [mailto:jkbarros () GRACE EDU]
Sent: Tuesday, April 19, 2005 5:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Philosophy of DMZ

I've run into a situation where a solution we are implementing requires a web server to be on our inside network but needs to be accessed externally. This is happening much more frequently than I would like. We're doing some long-term planning and my office would like some feedback from other institutions.

If I'm going to have to keep adding servers that can be accessed directly, is there still reason to have a DMZ? My understanding of having a DMZ is to not allow public external access to internal servers, and all requests to internal servers should be answered by a proxy/reverse proxy server. Am I just an idealist? Can anyone share experiences with proxying? Anyone ever scrap their DMZ? Any policies that you can share on external access to internal web servers?

Jake Barros
Grace College

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
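The zone model the reply describes (public traffic terminates on the DMZ VLAN, and the only path to or from it is through the firewall) can be audited mechanically. The following is an added example, not code from the thread or from either institution: a toy zone-based policy checker with two constructed rulesets, the "server sprawl" case Jake describes beside the DMZ design Greg outlines; the zone names, rule tuple format and port list are assumptions of the example.

```python
# Simplified zone policy model (constructed for this example): each rule is
# (src_zone, dst_zone, dst_port, action); first match wins; default deny.
# Port 0 means "any port".

def allowed(rules, src, dst, port):
    """True if src -> dst:port is permitted by the first matching rule."""
    for r_src, r_dst, r_port, action in rules:
        if r_src == src and r_dst == dst and r_port in (0, port):
            return action == "allow"
    return False            # nothing matched: implicit default deny


def audit(rules, watch_ports=(22, 80, 443, 445, 3389)):
    """Check a ruleset against the DMZ principle from the thread:
    public access terminates in the DMZ, and the DMZ must not be a
    wide-open pivot into the internal network."""
    findings = []
    for port in watch_ports:
        if allowed(rules, "external", "internal", port):
            findings.append(f"external reaches internal:{port} directly")
    # A DMZ host allowed to reach *any* internal port is a pivot path;
    # a compromised public server would then have flat access inward.
    if any(r == ("dmz", "internal", 0, "allow") for r in rules):
        findings.append("dmz -> internal allowed on any port")
    return findings


# Constructed 'before' ruleset: a departmental web server left on the
# internal network and exposed with a direct allow from outside.
SPRAWL_RULES = [
    ("external", "internal", 443, "allow"),   # public hits an internal host
    ("internal", "external", 0, "allow"),
    ("dmz", "internal", 0, "allow"),          # flat trust from the DMZ
]

# Constructed 'after' ruleset matching the DMZ design described above:
# the web server lives on the DMZ VLAN, reachable only through the firewall.
DMZ_RULES = [
    ("external", "dmz", 443, "allow"),        # public access stops in the DMZ
    ("internal", "dmz", 443, "allow"),        # staff reach the same service
    ("dmz", "internal", 0, "deny"),           # DMZ cannot initiate inward
    ("internal", "external", 0, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("sprawl", SPRAWL_RULES), ("dmz", DMZ_RULES)):
        print(name, audit(rules) or ["ok"])
```

Trending the number of findings from a check like this over time is one way to produce the correlation Greg suggests tracking, rather than waiting for the infection counts to show it.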