Educause Security Discussion mailing list archives

Re: Philosophy of DMZ


From: Ron Parker <rparker () BRAZOSPORT EDU>
Date: Tue, 19 Apr 2005 17:48:31 -0500

Yep, isn't this the idea of a "DMZ"? It is the place where we put things
that need access from both directions. I'll admit that things can get a
little fuzzy from time to time, but in the classical sense, as I understand
it, the DMZ ties the internal and external network services together. Some
people may actually put servers "outside" the firewall in danger land, but
I think most of us these days probably work with a DMZ where our external
facing servers live. In our case, our DMZ is just one arm of our firewall,
so it is "inside" the firewall. To use the DMZ to mount an attack, an
attacker would traverse the firewall to the DMZ and then have to go from
the DMZ server back through the firewall to get to the internal servers.
It's not perfect, but it's what we can afford.

So, I don't know that you really give up anything by having a server in
your DMZ, as I've described it. You can still build firewall policies
around it to protect it and your internal services. Perhaps I've
misunderstood your situation.

--
Ron Parker, Director of Information Technology, Brazosport College
Voice: (979) 230-3480             FAX: (979) 230-3111
http://www.brazosport.edu
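Added illustration, not code from any of the posts in this thread: a small Python model of the three-arm policy Ron describes (DMZ as one firewall arm) with the rules Mike suggests (the web server moved to the DMZ, reachable from both sides). The address ranges, hosts, ports and rule set are constructed for the example, and the evaluator lists what a DMZ host could still reach on the internal arm so the remaining exposure Jake asks about is explicit and reviewable.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed address plan for a three-arm firewall: the DMZ is one arm that
# sits "inside" the firewall, so DMZ <-> internal traffic is policed exactly
# like external <-> DMZ traffic.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"  # anything not on a known arm is the outside world

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int] = None   # None = any port
    dst_host: Optional[str] = None   # None = any host on that arm

# First match wins; anything between arms that matches nothing is dropped.
POLICY = [
    # Mike's suggestion: the web server lives in the DMZ and both internal
    # and external users reach it, but on HTTPS only.
    Rule("external", "dmz", 443, "192.0.2.10"),
    Rule("internal", "dmz", 443, "192.0.2.10"),
    Rule("internal", "dmz", 22),  # internal admins may SSH to any DMZ host
    # The only hole from the DMZ back to the internal arm: the web app's
    # database. A compromised DMZ box still has to come back through here.
    Rule("dmz", "internal", 5432, "10.1.1.20"),
]

def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "accept"  # same arm: the firewall never sees this traffic
    for r in POLICY:
        if ((r.src_zone, r.dst_zone) == (src, dst)
                and r.dst_port in (None, dst_port)
                and r.dst_host in (None, dst_ip)):
            return "accept"
    return "drop"

def reachable_from_dmz(dmz_ip: str, targets: list) -> list:
    """Internal (ip, port) pairs a DMZ host can still reach under POLICY."""
    return [t for t in targets if evaluate(dmz_ip, t[0], t[1]) == "accept"]
```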


On Tue, 19 Apr 2005, Michael J. Benedetto wrote:

Jake:

Why not move the "internal" server to a DMZ and write the firewall rules so
that both internal and external users can reach that system?

-Mike

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Tuesday, April 19, 2005 5:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Philosophy of DMZ

I've run into a situation where a solution we are implementing requires
a web server to be on our inside network but needs to be accessed
externally.  This is happening much more frequently than I would like.
We're doing some long-term planning and my office would like some
feedback from other institutions.

If I'm going to have to keep adding servers that can be accessed
directly, is there still reason to have a DMZ? My understanding of
having a DMZ is that it does not allow public external access to internal
servers, and that all requests to internal servers should be answered by a
proxy/reverse proxy server. Am I just an idealist?

Can anyone share experiences with proxying?  Anyone ever scrap their
DMZ?  Any policies that you can share on external access to internal web
servers?

Jake Barros
Grace College

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
