Educause Security Discussion mailing list archives
Re: Philosophy of DMZ
From: Cal Frye <cjf () CALFRYE COM>
Date: Wed, 20 Apr 2005 10:53:37 -0400
A good reason I dislike the term "DMZ." It's come to mean sufficient different things to impair communications. We're beginning to draw our servers into a separate routed subnet from the users, but for now plan to rely mainly on ACLs to restrict access to them from the different user communities. Most of the servers do not need to be reconfigured for this to work, fortunately. We will be able to install a subnet firewall in the future, but most currently bear host-based firewalls in addition to the one at the border. It's not a DMZ in the traditional sense, but we are adding another onion layer... --Cal Frye, Network Administrator, Oberlin College www.ouuf.org, www.calfrye.com GnuPG ID 43061C16, Public key http://www.calfrye.com/cfrye.asc "This 'telephone' has too many shortcomings to be a serious means of communication." Western Union, 1876. Barros, Jacob wrote:
I've run into a situation where a solution we are implementing requires a web server to be on our inside network but needs to be accessed externally. This is happening much more frequently than I would like. We're doing some long-term planning and my office would like some feedback from other institutions. If I'm going to have to keep adding servers that can be accessed directly, is there still reason to have a DMZ? My understanding of having a DMZ, is to not allow public external access to internal servers and all requests to internal servers should be answered by a proxy/reverse proxy server. Am I just an idealist? Can anyone share experiences with proxying? Anyone ever scrap their DMZ? Any policies that you can share on external access to internal web servers? Jake Barros Grace College ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Re: Philosophy of DMZ, (continued)
- Re: Philosophy of DMZ Michael J. Benedetto (Apr 19)
- Re: Philosophy of DMZ Scholz, Greg (Apr 19)
- Re: Philosophy of DMZ Barros, Jacob (Apr 19)
- Re: Philosophy of DMZ Ron Parker (Apr 19)
- Re: Philosophy of DMZ Mills, Michael (Apr 20)
- Re: Philosophy of DMZ Davis, Thomas R. (Apr 20)
- Re: Philosophy of DMZ Daniel Adinolfi (Apr 20)
- Re: Philosophy of DMZ Scholz, Greg (Apr 20)
- Re: Philosophy of DMZ Kowal, Michael (Apr 20)
- Re: Philosophy of DMZ Herrera Reyna Omar (Apr 20)
- Re: Philosophy of DMZ Cal Frye (Apr 20)