Educause Security Discussion mailing list archives

Re: Philosophy of DMZ - Summary and direction change: Reverse proxy?


From: "Barros, Jacob" <jkbarros () GRACE EDU>
Date: Wed, 20 Apr 2005 09:42:10 -0500

Thanks for all the responses.  If I could summarize the comments so far,
it sounds like everyone is saying to find a way to keep the DMZ and
secure the inside.  I apologize for not describing our network's config
in detail. Just trying to keep the posts succinct.

Our DMZ is the latter of the two models mentioned by Tom. It is behind
our firewall.  However as Michael mentioned, there is the task of
opening ports for internal users or services to access DMZ resources.  A
long-term concern we have with this model is that the more servers we
put in the DMZ, the greater the load we put on our PIX.  For example,
the solution that prompted this thread will be primarily used on campus.
If I could guess a figure, probably 80% of its usage will be from
internal users.  That figure is common for all of our servers (primary
website and email gateway excluded) as we are currently geared more
toward on-campus students.  

No one alluded to the concept of proxying info to external users. Is
anyone doing it?  My assumption was that the fewer the 'holes' in the
firewall, the better performance and less risk.  In my mind it makes the
most sense to have a few proxy servers in the DMZ answering all external
requests for internal resources, but no one seems to be doing it.  Is my
assumption wrong?  Am I barking up the wrong tree?

Jake Barros
Grace College 
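The arrangement asked about above (a small number of proxy hosts in the DMZ answering every external request and relaying only known virtual hosts to origin servers on the inside) can be sketched in code. What follows is an added example written for this archive page, not code from Grace College or from any list member; the hostnames, the 10.0.5.x backend addresses and the port numbers are constructed, and the firewall consequence it illustrates is that the inside only has to admit the proxy toward the listed (host, port) pairs rather than exposing each server individually.

```python
"""Minimal reverse proxy for a DMZ host (constructed example).

One listener answers all external HTTP requests; only explicitly mapped
virtual hosts are forwarded to internal origin servers, everything else
gets a 404 with no default backend.
"""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Optional
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed mapping of external hostnames -> internal origin servers.
# The inside firewall only needs to permit the proxy to reach these
# (host, port) pairs; no other internal address is reachable via the proxy.
ROUTES = {
    "portal.example.edu": "http://10.0.5.20:8080",
    "library.example.edu": "http://10.0.5.21:80",
}

# Hop-by-hop headers belong to one TCP connection and are never relayed.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}


def resolve_backend(host_header: Optional[str], path: str) -> Optional[str]:
    """Map an external Host header plus request path to an internal URL.

    Returns None (caller answers 404) when the host is not in ROUTES or the
    path is malformed; the proxy never guesses a backend from an IP or a
    bare hostname it was not configured for.
    """
    if not host_header:
        return None
    host = host_header.split(":", 1)[0].lower()   # drop :port, normalise case
    origin = ROUTES.get(host)
    if origin is None:
        return None
    if not path.startswith("/") or path.startswith("//"):
        return None
    if any(seg == ".." for seg in path.split("?", 1)[0].split("/")):
        return None                                # no traversal toward the origin
    return origin + path


def forward_headers(headers) -> dict:
    """Copy end-to-end request headers, dropping hop-by-hop ones."""
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}


class ProxyHandler(BaseHTTPRequestHandler):
    def _proxy(self):
        target = resolve_backend(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(404, "Unknown virtual host")
            return
        hdrs = forward_headers(self.headers)
        hdrs["X-Forwarded-For"] = self.client_address[0]  # origin logs keep the real client
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = Request(target, data=body, headers=hdrs, method=self.command)
        try:
            resp = urlopen(req, timeout=10)
        except HTTPError as err:      # 4xx/5xx from the origin is relayed as-is
            resp = err
        except URLError:              # origin down or unreachable through the firewall
            self.send_error(502, "Backend unreachable")
            return
        try:
            self.send_response(resp.code)
            for k, v in resp.headers.items():
                if k.lower() not in HOP_BY_HOP:
                    self.send_header(k, v)
            self.end_headers()
            self.wfile.write(resp.read())
        finally:
            resp.close()

    do_GET = do_POST = do_HEAD = _proxy


def serve(bind: str = "0.0.0.0", port: int = 8080) -> None:
    """Run the proxy on the DMZ-facing interface (port 8080 is constructed)."""
    ThreadingHTTPServer((bind, port), ProxyHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The routing table, not the network, decides what is reachable: a request with an unlisted Host header, an IP literal, or a traversal segment is refused at the proxy, so the inside firewall rule set reduces to "proxy host to each listed origin" regardless of how many services are published.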


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel Adinolfi
Sent: Wednesday, April 20, 2005 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Philosophy of DMZ

So, the traditional idea of "DMZ vs. not DMZ" is a bit obsolete.
Instead, partition your network and systems based on their security
requirements and implement the technology to satisfy those requirements
for each partition.
