Firewall Wizards mailing list archives

RE: Per application port DMZ segments?


From: Carson Gaspar <carson () taltos org>
Date: Tue, 18 Jan 2005 14:45:31 -0500

I'll step up to argue _for_ the DMZ VLANs, just to get the positives aired [ NOTE: I think it's a dubious idea, but there are some "glass half full" upsides if you end up doing it ]

- Assuming you put a real firewall in place as the DMZ VLAN aggregator (that _is_ in the design, right?), you have a wonderful choke point for controlling inter-app communications. They can't randomly add crap and have it just work by virtue of being on the same, unfiltered, subnet. Several commercial firewalls support 802.1q trunks. I like Netscreen, but they aren't the only option.

- If the VLAN maintains integrity (which it _probably_ will), you have additional compartmentalization. So your FTP server(s) being compromised is less likely to allow them to leap to other servers.

- The firewall rules can actually be less complex, as services can be provisioned by subnet instead of by server IP. This also makes adding additional capacity to a given server farm easier, as it doesn't involve a firewall rule change. This could be viewed as a negative, of course.

- The discipline of keeping different services on different VLANs will probably help prevent new services being installed on existing servers without appropriate review.

--
Carson
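
The design argued for above, as an added example that is not part of the original post: a small model of a firewall acting as the 802.1q aggregator for per-application DMZ VLANs, with the policy written per tier subnet rather than per server IP. Tier names, VLAN IDs, subnets, service ports, the `eth0.<vid>` subinterface naming and the nftables table layout are all assumptions made for illustration.

```python
"""
Added example, not code from the original post: a model of the "firewall as
DMZ VLAN aggregator" design. Each application tier gets its own 802.1q VLAN
and subnet, the inter-tier policy is written per subnet rather than per
server IP, and anything crossing VLANs that no rule permits is dropped.
VLAN IDs, subnets, service ports and the nftables rendering are constructed.
"""
import ipaddress
from dataclasses import dataclass

# One VLAN (and one subnet) per application tier; constructed values.
VLANS = {
    "web": (10, ipaddress.ip_network("10.10.10.0/24")),
    "app": (20, ipaddress.ip_network("10.10.20.0/24")),
    "ftp": (30, ipaddress.ip_network("10.10.30.0/24")),
    "db":  (40, ipaddress.ip_network("10.10.40.0/24")),
}


@dataclass(frozen=True)
class Rule:
    """Permit src tier -> dst tier on one TCP port. Tiers, not hosts."""
    src: str
    dst: str
    dport: int


# The whole inter-tier policy: three rules and no server addresses anywhere,
# so adding a server to a tier needs no firewall change.
POLICY = [
    Rule("web", "app", 8080),   # web front ends call the app tier
    Rule("app", "db", 5432),    # app tier talks to the database
    Rule("app", "ftp", 21),     # app tier drops files on the FTP servers
]


def tier_of(ip):
    """Map an address to its tier by subnet membership, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (_, net) in VLANS.items():
        if addr in net:
            return name
    return None


def decide(src_ip, dst_ip, dport):
    """What the aggregating firewall does with a new TCP connection.

    'switched': same VLAN, never reaches the firewall (the unfiltered case
                the post mentions), 'accept': a tier rule matches,
                'drop': the default for everything else.
    """
    s, d = tier_of(src_ip), tier_of(dst_ip)
    if s is None or d is None:
        return "drop"
    if s == d:
        return "switched"
    for r in POLICY:
        if r.src == s and r.dst == d and r.dport == dport:
            return "accept"
    return "drop"


def render_nft(trunk="eth0"):
    """Render POLICY as an nftables forward chain on 802.1q subinterfaces.

    The trunk.vid interface naming and table layout are assumptions; the
    rule syntax is standard nft. Default policy is drop, so a compromised
    FTP server gets no path to the other tiers.
    """
    lines = ["table inet dmz {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in POLICY:
        svid, snet = VLANS[r.src]
        dvid, dnet = VLANS[r.dst]
        lines.append(
            f"    iifname \"{trunk}.{svid}\" oifname \"{trunk}.{dvid}\" "
            f"ip saddr {snet} ip daddr {dnet} tcp dport {r.dport} accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
    # A brand-new web server is covered by the existing web->app rule.
    print(decide("10.10.10.200", "10.10.20.7", 8080))
    # A compromised FTP server cannot reach the database tier.
    print(decide("10.10.30.9", "10.10.40.3", 5432))
```

Running the block prints the generated nftables chain followed by the two decisions. Note that `decide` returns `"switched"` for same-VLAN traffic: that is the unfiltered case, and is exactly why a noisy service still gets its own VLAN rather than sharing one with its neighbours.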

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
