Firewall Wizards mailing list archives

Re: Per application port DMZ segments?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 18 Jan 2005 14:02:56 -0500 (EST)

On Tue, 18 Jan 2005, Wes Noonan wrote:

> All,
>
> I have a customer that is considering implementing VLANs in their DMZ module
> such that every application sits on a dedicated VLAN/DMZ segment. So for
> example FTP, DNS, HTTP, Citrix, etc would each have their own VLAN/DMZ
> segment. Now, every fiber in my being says this is a bad idea for a number
> of reasons:
>
> 1) I think it will be near impossible to manage long term

Agreed.

> 2) The well known issue of VLANs and VLAN hopping

Implementation dependent.

> 3) The introduction of complex routing in the DMZ

Supposing things don't need to intercommunicate, that shouldn't be an
issue, just supernet at the router (who gets to break the separation
anyway.)  If they do need to, then someone should have another look at why
things are a tangled mess.

> 4) The requirement for entirely too many IP subnets in the DMZ

Supernetting is your friend.

> 5) KISS - I think this is just going to be an entirely complex design and
> implementation, and in general I have found complexity and security at
> odds over things like misconfigurations...

Undoubtedly, let alone auditing the mess on a regular basis.

> As I understand it, the impetus for this is that their IDS generates too
> many false positives and they think that by restricting a specific
> application to a VLAN they can reduce the false positives (essentially if
> the DMZ should only have port 25 traffic, everything else is a false
> positive). Now, I see that as a case of the tail wagging the dog, IOW a
> crappy IDS implementation dictating the design.

Yep- plus everything else might *not* be a false positive- especially if
they live in Trojan land, DoS land, or "the admin just loaded $foo" land.

> Another justification that has been put forth is to segment resources,
> however I think that using private VLANs (they are a Cisco shop) is a better
> solution - after all, even with per application VLANs the servers in that
> VLAN will still be able to communicate with each other unless you do
> something else.
>
> So, does anyone know of any references, etc. that I can put in front of said
> client to show them how this is a bad idea, or conversely have any
> references that can show me that it's not as bad as I think it is?
>
> Hardening Network Infrastructure - A concise how to guide

Shoulda put it in the book ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
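The two technical points in the exchange above, "supernet at the router" and "everything else might *not* be a false positive", as an added Python example that is not code from the thread or from either poster. It carves one subnet per application VLAN out of a single DMZ block, collapses them into the summary route the router would carry, and then labels constructed flow records against each VLAN's expected service ports, keeping intra-VLAN traffic and off-port traffic as distinct findings rather than discarding them. The 192.0.2.0/24 block, the VLAN ids, the port sets and the flow records are all hypothetical.

```python
"""Added example (not from the thread): one subnet per application VLAN,
a summary route for the DMZ router, and per-VLAN flow classification.

Assumptions: the 192.0.2.0/24 DMZ block, the VLAN ids, the port sets and
the flow records below are hypothetical / constructed.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "vlan src dst dport")

DMZ_BLOCK = ipaddress.ip_network("192.0.2.0/24")  # assumed DMZ allocation
APP_VLANS = {  # vlan id -> (application, ports the VLAN is meant to serve)
    101: ("smtp", {25}),
    102: ("dns", {53}),
    103: ("http", {80, 443}),
    104: ("ftp", {21}),
}


def allocate_subnets(block, vlans, prefixlen=28):
    """Give each VLAN its own subnet of the given size, in VLAN-id order."""
    subnets = list(block.subnets(new_prefix=prefixlen))
    if len(vlans) > len(subnets):
        raise ValueError("DMZ block is too small for one subnet per VLAN")
    return {vlan: subnets[i] for i, vlan in enumerate(sorted(vlans))}


def supernet(subnets):
    """Collapse adjacent per-VLAN subnets into the fewest summary routes.

    This is the 'supernet at the router' point: the outside only needs
    the summary, however many VLANs sit behind it.
    """
    return list(ipaddress.collapse_addresses(subnets))


def classify(flow, vlan_subnets, app_vlans):
    """Label one flow observed on a DMZ VLAN.

    'expected'        dport is a port the VLAN's application should serve
    'wrong-vlan'      dst is not in this VLAN's subnet (misplaced host, or
                      a frame that hopped in from another VLAN)
    'intra-vlan'      src is also on this VLAN: server-to-server traffic
                      that per-application VLANs alone do not prevent
    'unexpected-port' a port the VLAN should not serve; per the reply this
                      is not automatically an IDS false positive (trojan,
                      DoS, or a service an admin just installed)
    """
    subnet = vlan_subnets[flow.vlan]
    _app, ports = app_vlans[flow.vlan]
    if ipaddress.ip_address(flow.dst) not in subnet:
        return "wrong-vlan"
    if ipaddress.ip_address(flow.src) in subnet:
        return "intra-vlan"
    if flow.dport in ports:
        return "expected"
    return "unexpected-port"


def classify_all(flows, vlan_subnets, app_vlans):
    """Return {label: [flows]} for a batch of flow records."""
    out = {}
    for f in flows:
        out.setdefault(classify(f, vlan_subnets, app_vlans), []).append(f)
    return out


# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    Flow(101, "198.51.100.7", "192.0.2.2", 25),    # mail to the SMTP VLAN
    Flow(101, "198.51.100.7", "192.0.2.2", 4444),  # not SMTP: investigate
    Flow(102, "198.51.100.9", "192.0.2.2", 53),    # seen on DNS VLAN, dst in VLAN 101 space
    Flow(103, "192.0.2.34", "192.0.2.33", 22),     # web server to its neighbour
    Flow(103, "198.51.100.9", "192.0.2.33", 443),  # HTTPS to the web VLAN
]

if __name__ == "__main__":
    subnets = allocate_subnets(DMZ_BLOCK, APP_VLANS)
    for vlan, net in subnets.items():
        print(f"VLAN {vlan} ({APP_VLANS[vlan][0]}): {net}")
    print("router summary:", [str(n) for n in supernet(subnets.values())])
    for label, flows in classify_all(SAMPLE_FLOWS, subnets, APP_VLANS).items():
        print(label, [(f.vlan, f.src, f.dst, f.dport) for f in flows])
```

With four /28s the summary is a single 192.0.2.0/26, so the router outside the DMZ carries one route regardless of how many application VLANs sit behind it; the "intra-vlan" label is what a private-VLAN or ACL design would need to address separately, since the per-application split by itself does nothing about it.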

