Educause Security Discussion mailing list archives

Re: Philosophy of DMZ


From: Cal Frye <cjf () CALFRYE COM>
Date: Wed, 20 Apr 2005 10:53:37 -0400

A good reason I dislike the term "DMZ." It's come to mean sufficiently different
things to impair communication.

We're beginning to draw our servers into a separate routed subnet from the
users, but for now plan to rely mainly on ACLs to restrict access to them from
the different user communities. Most of the servers do not need to be
reconfigured for this to work, fortunately. We will be able to install a subnet
firewall in the future, but most currently bear host-based firewalls in addition
to the one at the border. It's not a DMZ in the traditional sense, but we are
adding another onion layer...

--Cal Frye, Network Administrator, Oberlin College
 www.ouuf.org, www.calfrye.com
GnuPG ID 43061C16, Public key http://www.calfrye.com/cfrye.asc

  "This 'telephone' has too many shortcomings to be a serious means of
communication." Western Union, 1876.


Barros, Jacob wrote:
I've run into a situation where a solution we are implementing requires
a web server to be on our inside network but needs to be accessed
externally.  This is happening much more frequently than I would like.
We're doing some long-term planning and my office would like some
feedback from other institutions.

If I'm going to have to keep adding servers that can be accessed
directly, is there still reason to have a DMZ? My understanding of
having a DMZ is to not allow public external access to internal servers;
all requests to internal servers should be answered by a
proxy/reverse proxy server.  Am I just an idealist?

Can anyone share experiences with proxying?  Anyone ever scrap their
DMZ?  Any policies that you can share on external access to internal web
servers?

Jake Barros
Grace College

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
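The layering Cal describes (border firewall, ACLs on the routed server subnet, host-based firewalls) and the reverse-proxy arrangement Jake asks about can be modelled in a few dozen lines. The following is an added example, not code from either poster or from Oberlin's or Grace's networks; the subnets, addresses, port lists and rules are constructed (RFC 1918 and RFC 5737 ranges) purely for illustration. It evaluates a flow against every layer it traverses and reports all the layers that would block it, which is what makes the "onion" worth having: a mistake in one ACL is still caught by the next.

```python
"""Model of layered access control: border firewall -> server-subnet ACL ->
host-based firewall.  Topology and rules are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination TCP port


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    src: str                             # source CIDR
    dst: str                             # destination CIDR
    dports: Optional[frozenset] = None   # None means any port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and (self.dports is None or flow.dport in self.dports))


def evaluate(acl, flow: Flow) -> bool:
    """Router-style ACL semantics: first matching rule wins, implicit deny at the end."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action == "permit"
    return False


# Constructed topology (hypothetical addresses, not any real campus).
CAMPUS        = "10.0.0.0/8"
STAFF_NET     = "10.10.0.0/16"
STUDENT_NET   = "10.11.0.0/16"
SERVER_SUBNET = "10.20.0.0/24"     # the separate routed server subnet
WEB_SERVER    = "10.20.0.5/32"     # internal web server
PROXY         = "10.30.0.10/32"    # reverse proxy that answers for it externally
ANY           = "0.0.0.0/0"
WEB = frozenset({80, 443})

# Layer 1: border firewall, consulted only for flows arriving from outside campus.
BORDER_ACL = [
    Rule("permit", ANY, PROXY, WEB),   # the public reaches the reverse proxy only
]

# Layer 2: ACL on the router interface facing the server subnet.
SERVER_SUBNET_ACL = [
    Rule("permit", PROXY, SERVER_SUBNET, frozenset({443})),
    Rule("permit", STAFF_NET, SERVER_SUBNET, frozenset({22, 443})),
    Rule("permit", STUDENT_NET, SERVER_SUBNET, frozenset({443})),
]

# Layer 3: host-based firewalls, keyed by host address.
HOST_ACLS = {
    "10.20.0.5": [
        Rule("permit", STAFF_NET, WEB_SERVER, frozenset({22})),
        Rule("permit", CAMPUS, WEB_SERVER, frozenset({443})),
    ],
    "10.30.0.10": [
        Rule("permit", ANY, PROXY, WEB),
    ],
}


def layers_for(flow: Flow):
    """Return the onion layers a flow has to pass, in the order it meets them."""
    layers = []
    if ip_address(flow.src) not in ip_network(CAMPUS):
        layers.append(("border", BORDER_ACL))
    if ip_address(flow.dst) in ip_network(SERVER_SUBNET):
        layers.append(("server-subnet-acl", SERVER_SUBNET_ACL))
    if flow.dst in HOST_ACLS:
        layers.append(("host-firewall", HOST_ACLS[flow.dst]))
    return layers


def decide(flow: Flow):
    """Return (permitted, names of every layer that would block the flow).
    Every blocking layer is listed, not just the first, to show the overlap
    between layers that defence in depth relies on."""
    blocked_by = [name for name, acl in layers_for(flow) if not evaluate(acl, flow)]
    return (not blocked_by, blocked_by)


if __name__ == "__main__":
    samples = [                                   # constructed sample flows
        Flow("10.11.4.7", "10.20.0.5", 443),      # student to web server over HTTPS
        Flow("10.11.4.7", "10.20.0.5", 22),       # student trying SSH
        Flow("10.10.1.2", "10.20.0.5", 22),       # staff SSH
        Flow("203.0.113.9", "10.20.0.5", 443),    # Internet host straight at the server
        Flow("203.0.113.9", "10.30.0.10", 443),   # Internet host via the reverse proxy
        Flow("10.30.0.10", "10.20.0.5", 443),     # proxy forwarding to the server
    ]
    for f in samples:
        ok, blockers = decide(f)
        print(f"{f.src:>13} -> {f.dst}:{f.dport:<4} {'PERMIT' if ok else 'DENY':6} {blockers}")
```

Running it shows the Internet host aimed directly at the internal server denied by all three layers, while the same host reaching the reverse proxy is permitted, and the proxy's own onward connection to the server is permitted by the subnet ACL and the host firewall. Whether one calls the proxy's subnet a "DMZ" matters less than the fact that no single rule is the only thing standing between the outside and the server.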

