Firewall Wizards mailing list archives
Re: Per application port DMZ segments?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 18 Jan 2005 14:02:56 -0500 (EST)
On Tue, 18 Jan 2005, Wes Noonan wrote:

> All, I have a customer that is considering implementing VLANs in their DMZ module such that every application sits on a dedicated VLAN/DMZ segment. So for example FTP, DNS, HTTP, Citrix, etc. would each have their own VLAN/DMZ segment. Now, every fiber in my being says this is a bad idea for a number of reasons:
>
> 1) I think it will be near impossible to manage long term

Agreed.

> 2) The well known issue of VLANs and VLAN hopping

Implementation dependent.

> 3) The introduction of complex routing in the DMZ

Supposing things don't need to intercommunicate, that shouldn't be an issue, just supernet at the router (who gets to break the separation anyway.) If they do need to, then someone should have another look at why things are a tangled mess.

> 4) The requirement for entirely too many IP subnets in the DMZ

Supernetting is your friend.

> 5) KISS - I think this is just going to be an entirely complex design and implementation, and in general I have found complexity and security to be at odds over things like misconfigurations...

Undoubtedly, let alone auditing the mess on a regular basis.

> As I understand it, the impetus for this is that their IDS generates too many false positives and they think that by restricting a specific application to a VLAN they can reduce the false positives (essentially if the DMZ should only have port 25 traffic, everything else is a false positive). Now, I see that as a case of the tail wagging the dog, IOW a crappy IDS implementation dictating the design.

Yep, plus everything else might *not* be a false positive, especially if they live in Trojan land, DoS land, or "the admin just loaded $foo" land.

> Another justification that has been put forth is to segment resources, however I think that using private VLANs (they are a Cisco shop) is a better solution - after all, even with per application VLANs the servers in that VLAN will still be able to communicate with each other unless you do something else. So, does anyone know of any references, etc. that I can put in front of said client to show them how this is a bad idea, or conversely have any references that can show me that it's not as bad as I think it is?
>
> Hardening Network Infrastructure - A concise how to guide

Shoulda put it in the book ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
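Paul's answer to points 3 and 4 is "supernet at the router": carve each per-application VLAN out of one contiguous block and advertise a single summary instead of one route per segment. The script below is an added example, not code from the thread or from either poster, showing what that looks like and the failure mode it has. The VLAN names and the 192.0.2.0/28 allocations are constructed sample data; the `covering_supernet`, `summary_waste` and `check_plan` helpers are hypothetical names chosen for this example.

```python
import ipaddress

# Constructed example allocation (not from the thread): one /28 per
# application VLAN, all carved from a single block set aside for the DMZ.
DMZ_VLANS = {
    "ftp":    "192.0.2.0/28",
    "dns":    "192.0.2.16/28",
    "http":   "192.0.2.32/28",
    "citrix": "192.0.2.48/28",
    "smtp":   "192.0.2.64/28",
}


def covering_supernet(cidrs):
    """Smallest single prefix that contains every network in cidrs.

    This is the one route the DMZ router advertises (and the one object
    the firewall policy references) instead of a route per VLAN. Starts
    from the first prefix and widens it one bit at a time until every
    other network falls inside it.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mixed address families in one plan")
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        if summary.prefixlen == 0:
            break  # already the default route, cannot widen further
        summary = summary.supernet()
    return summary


def summary_waste(cidrs):
    """Addresses inside the summary that belong to no VLAN at all.

    A small number means the summary is tight. A huge number means a
    stray subnet dragged the summary far wider than the DMZ, so the
    "one route" now also covers space that was never meant to be DMZ.
    """
    cidrs = list(cidrs)
    summary = covering_supernet(cidrs)
    used = sum(ipaddress.ip_network(c).num_addresses for c in cidrs)
    return summary.num_addresses - used


def check_plan(vlans):
    """Validate a per-application plan and return its summary as a string.

    Rejects overlapping segments (two apps sharing addresses defeats the
    point of splitting them) before computing the supernet.
    """
    nets = [ipaddress.ip_network(c) for c in vlans.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping segments: {a} and {b}")
    return str(covering_supernet(vlans.values()))


if __name__ == "__main__":
    print("summary route:", check_plan(DMZ_VLANS))
    print("unused addresses under summary:", summary_waste(DMZ_VLANS.values()))
    # The failure mode: one VLAN allocated outside the DMZ block.
    stray = dict(DMZ_VLANS, legacy="10.10.10.0/28")
    print("with a stray subnet the summary becomes:", check_plan(stray))
```

With the five /28s above the summary is 192.0.2.0/25 with 48 addresses left over for future segments; add one VLAN from an unrelated block and the only single prefix covering the plan is 0.0.0.0/0, which is exactly the "tangled mess" Paul says should send someone back to look at the design rather than at the router.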