Educause Security Discussion mailing list archives
Re: Rethinking the DMZ
From: John Hoffoss <John.Hoffoss () SO MNSCU EDU>
Date: Fri, 31 Aug 2012 20:13:43 +0000
On 30 Aug 2012, at 20:09, Harry Hoffman <hhoffman () IP-SOLUTIONS NET> wrote:
Heya Jason, Our mantra has always been: "Each host on our network must be able to protect itself" and so we don't have a DMZ. Every host is meant to be running a host based firewall that allows for specific services to be accessible from predetermined locations.
Harry, that sounds nice, but you have no extra control there. While I would love to see a host-based layer everywhere, going from managing two firewall rulesets to several hundred firewalls is far beyond our capability.
On 08/30/2012 05:09 PM, Youngquist, Jason R. wrote:
We are thinking about changing our network architecture. As our network has grown and the complexity of our public facing systems and connectivity needs of those systems has increased, we are wondering what value our DMZ delivers.
A DMZ very much still provides value IMO. I sleep better knowing I'm not relying on one host-based config controlled by N server admins to prevent constituents (or the innernets) from connecting to our Oracle databases, our identity solutions, etc. While this doesn't provide me much intra-network control, by separating networks appropriately and putting hard borders between, I can make sure most interesting server interactions end up inter-network and thereby cross one or more well-controlled borders.
As an example, public facing systems in the DMZ that require access to LDAP/AD for AAA, SQL for database lookups, Exchange for mail delivery and relay, etc.
A DMZ doesn't need to be a black-hole to provide value and protection. I'd rather maintain a perimeter around that network, very tightly control egress, and other perimeters around the other networks where I tightly control ingress, rather than put those servers inside my one and only server perimeter, have little control over both ingress and egress, and rely on individual host-based firewall configs all around. Unless we get 3X more server admins, then perhaps I'd switch. But that's not cheaper or more efficient from where I sit.
For those of you with non-trivial public facing systems, where do you draw the balance line between security and access? If our most visible public facing systems (most likely to be attacked) require internal AAA & SQL access, what are we protecting?
Uh, all of those internal systems that the internet should not talk to? With a "non-trivial" exposure, it becomes that much more important to define and maintain those lines, lest you wind up trying to unwind and map out the world's largest twine ball.
Given current system requirements and the evolution of security, are the reasons for setting up a DMZ 15 years ago still valid, and is the value of maintaining a DMZ worth the associated costs and if not, what are the alternatives?
Yes, I think so. Cloud/hosted services affect the calculation, but it's certainly not out the window. Would you give up using antivirus software? Passwords?
-jth
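The two-perimeter design John describes (a DMZ whose egress is tightly controlled, and an internal server network whose ingress is tightly controlled), modelled as an added illustration that is not part of the thread: a flow is permitted only when every border it crosses has an explicit allow rule, so a change to one ruleset alone cannot expose an internal service. All zones, hosts and ports are constructed placeholders, not anyone's real network.

```python
from ipaddress import ip_address, ip_network

# Constructed zones and hosts (documentation / RFC 1918 ranges), not a real network.
ZONES = {"dmz": ip_network("192.0.2.0/24"), "internal": ip_network("10.0.0.0/8")}
WEB = ip_address("192.0.2.10")      # public-facing host in the DMZ
AD = ip_address("10.1.0.10")        # LDAP/AD for AAA
SQL = ip_address("10.1.0.20")       # SQL for database lookups
EXCHANGE = ip_address("10.1.0.30")  # Exchange relay
ORACLE = ip_address("10.1.0.40")    # no DMZ host needs it, so it is never allowlisted

# Allow rules per border: (src_zone, src_host or None for any, dst_host, dport).
# Every border is default-deny. A DMZ host needs a matching rule on BOTH the
# DMZ egress border and the internal ingress border to reach an internal service.
BORDERS = {
    "dmz_ingress": [("internet", None, WEB, 443)],
    "dmz_egress": [("dmz", WEB, AD, 636), ("dmz", WEB, SQL, 1433), ("dmz", WEB, EXCHANGE, 25)],
    "internal_ingress": [("dmz", WEB, AD, 636), ("dmz", WEB, SQL, 1433), ("dmz", WEB, EXCHANGE, 25)],
}

def zone_of(ip):
    """Map an address to its zone; anything outside the known zones is 'internet'."""
    return next((z for z, net in ZONES.items() if ip in net), "internet")

def borders_crossed(src_zone, dst_zone):
    """Borders a flow must pass; traffic inside one zone crosses none."""
    if src_zone == dst_zone:
        return []
    crossed = []
    if dst_zone == "dmz":
        crossed.append("dmz_ingress")
    if src_zone == "dmz":
        crossed.append("dmz_egress")
    if dst_zone == "internal":
        crossed.append("internal_ingress")
    return crossed

def border_allows(border, src, dst, dport):
    src_zone = zone_of(src)
    return any(sz == src_zone and sh in (None, src) and dh == dst and p == dport
               for sz, sh, dh, p in BORDERS[border])

def evaluate(src, dst, dport):
    """Return (allowed, {border: decision}). Intra-zone flows return (None, {}):
    no network border is crossed, so only a host-based firewall could decide."""
    src, dst = ip_address(src), ip_address(dst)
    decisions = {b: border_allows(b, src, dst, dport)
                 for b in borders_crossed(zone_of(src), zone_of(dst))}
    return (all(decisions.values()) if decisions else None), decisions

def egress_without_ingress(borders=BORDERS):
    """Rules the DMZ egress border allows that the internal ingress border lacks (ruleset drift)."""
    return [r for r in borders["dmz_egress"] if r not in borders["internal_ingress"]]
```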