Firewall Wizards mailing list archives
RE: Per application port DMZ segments?
From: Carson Gaspar <carson () taltos org>
Date: Tue, 18 Jan 2005 14:45:31 -0500
I'll step up to argue _for_ the DMZ VLANs, just to get the positives aired [ NOTE: I think it's a dubious idea, but there are some "glass half full" upsides if you end up doing it ]
- Assuming you put a real firewall in place as the DMZ VLAN aggregator (that _is_ in the design, right?), you have a wonderful choke point for controlling inter-app communications. They can't randomly add crap and have it just work by virtue of being on the same, unfiltered, subnet. Several commercial firewalls support 802.1q trunks. I like Netscreen, but they aren't the only option.
- If the VLAN maintains integrity (which it _probably_ will), you have additional compartmentalization. So your FTP server(s) being compromised is less likely to allow them to leap to other servers.
- The firewall rules can actually be less complex, as services can be provisioned by subnet instead of by server IP. This also makes adding additional capacity to a given server farm easier, as it doesn't involve a firewall rule change. This could be viewed as a negative, of course.
- The discipline of keeping different services on different VLANs will probably help prevent new services being installed on existing servers without appropriate review.
-- Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
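The design Carson argues for above, as an added example that is not part of his post or of any product he mentions: a firewall hanging off an 802.1q trunk, one tagged subinterface per DMZ VLAN, with the forwarding policy keyed by subnet rather than by server IP. The VLAN IDs, subnets, trunk interface name and services are assumed for illustration, and the rendered nftables ruleset is illustrative output of the model, not a production config. The two properties the post claims fall out directly: a new FTP server added inside the FTP subnet is reachable without touching a rule, and a compromised FTP host cannot reach the database VLAN because inter-VLAN traffic is dropped by default.

```python
"""Model of a firewall that aggregates DMZ VLANs over an 802.1q trunk.

Added example, not from the mailing list post. VLAN IDs, subnets,
interface names and the service list are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# One tagged subinterface per DMZ VLAN on the firewall's trunk (assumed layout).
TRUNK = "eth1"
VLANS = {
    "web": {"vid": 10, "subnet": ipaddress.ip_network("10.1.10.0/24")},
    "ftp": {"vid": 20, "subnet": ipaddress.ip_network("10.1.20.0/24")},
    "db":  {"vid": 30, "subnet": ipaddress.ip_network("10.1.30.0/24")},
}


@dataclass(frozen=True)
class Rule:
    src: str    # VLAN name, or "internet" for anything outside the DMZ subnets
    dst: str
    proto: str
    port: int


# Policy is provisioned per subnet, not per server. Anything not listed is dropped.
POLICY = [
    Rule("internet", "web", "tcp", 443),
    Rule("internet", "ftp", "tcp", 21),
    Rule("web", "db", "tcp", 3306),
]


def vlan_of(ip):
    """Map an address to the DMZ VLAN whose subnet contains it, else 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, v in VLANS.items():
        if addr in v["subnet"]:
            return name
    return "internet"


def evaluate(src_ip, dst_ip, proto, port):
    """Decide a flow: 'accept', 'drop', or 'intra-vlan' if it never crosses the firewall."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst:
        # Hosts on the same VLAN talk through the switch; the choke point never sees it.
        return "intra-vlan"
    for r in POLICY:
        if (r.src, r.dst, r.proto, r.port) == (src, dst, proto, port):
            return "accept"
    return "drop"


def render_nft():
    """Render the same subnet-keyed policy as an illustrative nftables forward chain."""
    lines = [
        "table inet dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in POLICY:
        parts = []
        if r.src != "internet":
            v = VLANS[r.src]
            parts.append(f'iifname "{TRUNK}.{v["vid"]}" ip saddr {v["subnet"]}')
        if r.dst != "internet":
            v = VLANS[r.dst]
            parts.append(f'oifname "{TRUNK}.{v["vid"]}" ip daddr {v["subnet"]}')
        parts.append(f"{r.proto} dport {r.port} accept")
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed flows: a client reaching a newly added FTP server, and a
    # compromised FTP host trying to pivot to the database VLAN.
    print("internet -> new ftp host :21  ", evaluate("203.0.113.5", "10.1.20.9", "tcp", 21))
    print("ftp host -> db host :3306     ", evaluate("10.1.20.9", "10.1.30.4", "tcp", 3306))
    print("web host -> db host :3306     ", evaluate("10.1.10.7", "10.1.30.4", "tcp", 3306))
    print(render_nft())
```

The third return value, `intra-vlan`, is the caveat Carson's "if the VLAN maintains integrity" hedge points at: two hosts on the same VLAN are never filtered by this firewall, so the compartment is only as good as the switch's separation of VLANs.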