Educause Security Discussion mailing list archives
Re: Philosophy of DMZ
From: Ron Parker <rparker () BRAZOSPORT EDU>
Date: Tue, 19 Apr 2005 17:48:31 -0500
Yep, isn't this the idea of a "DMZ"? It is the place where we put things that need access from both directions. I'll admit that things can get a little fuzzy from time to time but in the classical sense, as I understand it, the DMZ ties the internal and external network services together. Some people may actually put servers "outside" the firewall in danger land but I think most of us these days probably work with a DMZ where our external facing servers live. In our case, our DMZ is just one arm of our firewall so it is "inside" the firewall. To use the DMZ to mount an attack, an attacker would traverse the firewall to the DMZ and then have to go from the DMZ server back through the firewall to get to the internal servers. It's not perfect but it's what we can afford. So, I don't know that you really give up anything by having a server in your DMZ, as I've described it. You can still build firewall policies around it to protect it and your internal services. Perhaps I've misunderstood your situation. -- Ron Parker, Director of Information Technology, Brazosport College Voice: (979) 230-3480 FAX: (979) 230-3111 http://www.brazosport.edu On Tue, 19 Apr 2005, Michael J. Benedetto wrote:
Jake: Why not move the "internal" server to a DMZ and write the firewall rules so that both internal and external users can reach that system? -Mike -----Original Message----- From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob Sent: Tuesday, April 19, 2005 5:31 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Philosophy of DMZ I've run into a situation where a solution we are implementing requires a web server to be on our inside network but needs to be accessed externally. This is happening much more frequently than I would like. We're doing some long-term planning and my office would like some feedback from other institutions. If I'm going to have to keep adding servers that can be accessed directly, is there still reason to have a DMZ? My understanding of having a DMZ, is to not allow public external access to internal servers and all requests to internal servers should be answered by a proxy/reverse proxy server. Am I just an idealist? Can anyone share experiences with proxying? Anyone ever scrap their DMZ? Any policies that you can share on external access to internal web servers? Jake Barros Grace College ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Philosophy of DMZ Barros, Jacob (Apr 19)
- <Possible follow-ups>
- Re: Philosophy of DMZ Steven Osit (Apr 19)
- Re: Philosophy of DMZ Michael J. Benedetto (Apr 19)
- Re: Philosophy of DMZ Scholz, Greg (Apr 19)
- Re: Philosophy of DMZ Barros, Jacob (Apr 19)
- Re: Philosophy of DMZ Ron Parker (Apr 19)
- Re: Philosophy of DMZ Mills, Michael (Apr 20)
- Re: Philosophy of DMZ Davis, Thomas R. (Apr 20)
- Re: Philosophy of DMZ Daniel Adinolfi (Apr 20)
- Re: Philosophy of DMZ Scholz, Greg (Apr 20)
- Re: Philosophy of DMZ Kowal, Michael (Apr 20)
- Re: Philosophy of DMZ Herrera Reyna Omar (Apr 20)
- Re: Philosophy of DMZ Cal Frye (Apr 20)