Educause Security Discussion mailing list archives

Re: Rethinking the DMZ


From: Deke Kassabian <deke () ISC UPENN EDU>
Date: Tue, 4 Sep 2012 11:48:09 -0400

I'm a fan of border firewalls when the border can be drawn around the application servers and the stored data that warrant a serious level of protection that can be defined in terms of allowed protocol set. If you twist my arm, maybe I can also include expected community of users by network address as a poor stand-in for expected community of people, but I'd rather handle that part by strong authentication and additional Identity and Access Management infrastructure.

I'm less a fan of borders in some other situations, particularly when the idea is to draw it around a large enterprise such as a big university. The conceptual problem I have is that we are seeing huge growth in personally owned high function mobile devices that connect over both enterprise wireless networks and carrier 3G/4G networks. The same user on the same device would be "inside" one moment and "outside" the next, and may spend substantial time on other networks such as home networks or coffee shop networks where they can quickly go from clean to compromised.

All my instincts tell me that enterprise borders are less helpful, and that I want our focus to be on placing well-designed protection very close to the resources (data, app servers) we want to protect and to treat all else as public and untrusted, even if a device happens to have an IP address at the moment that "belongs" to the University.

I'm a fan of open networks, closed servers, protected sessions.


On 9/4/12 10:50 AM, Julian Y Koh wrote:
On Aug 30, 2012, at 16:09, Youngquist, Jason R. wrote:

Given current system requirements and the evolution of security, are the reasons for setting up a DMZ 15 years ago still valid, and is the value of maintaining a DMZ worth the associated costs and if not, what are the alternatives?

We never did a full-blown DMZ.  Firewalls are deployed where needed and/or required, but everything else is just out on public IP space and not firewalled.

A border firewall of some sorts will likely be in our future, but we will not be doing a complete re-architecture of our network to accommodate it.



--

Deke Kassabian,  Senior Technology Director
Information Systems and Computing, University of Pennsylvania
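Editor's added example (not part of Deke Kassabian's message or any Penn configuration): one concrete shape of "closed server" protection placed at the resource rather than at an enterprise border. It is a host-local nftables ruleset for a single application server: default deny inbound, only the application's protocol set reachable from anywhere (the network is treated as public), and management access additionally limited to an assumed admin subnet, with address used only as the weak secondary signal the message describes, not as authentication. The application port (443), the admin subnet (10.20.0.0/24) and the table name are placeholders chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Host-local policy for an application server ("open network, closed server").
# Assumptions for this example: the service listens on TCP 443 and the
# management subnet is 10.20.0.0/24. Both are placeholders, not from the page.

flush ruleset

define app_ports = { 443 }           # the protocol set this host exists to serve
define admin_net = { 10.20.0.0/24 }  # assumed management subnet (placeholder)

table inet host_policy {
    chain input {
        # Default deny: nothing is trusted because of the address it arrives from.
        type filter hook input priority 0; policy drop;

        # Loopback and packets belonging to sessions already accepted below.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery and IPv6 neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # The application is reachable from anywhere; the session itself
        # (TLS plus strong authentication) is what protects it.
        tcp dport $app_ports ct state new accept

        # Management: source subnet is a weak filter only; SSH keys and MFA
        # on the daemon still do the real authentication.
        ip saddr $admin_net tcp dport 22 ct state new accept

        # Everything else is logged at a bounded rate and dropped by policy.
        limit rate 5/minute log prefix "host_policy drop: "
    }

    chain forward {
        # An application server does not route for anyone.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -c -f host_policy.nft` first to syntax-check without applying, then `nft -f host_policy.nft` on the server. Because the rules live on the host, they follow the resource regardless of which network the client happens to be on, which is the property the message argues an enterprise border can no longer provide.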

