Educause Security Discussion mailing list archives

Re: DMZ


From: "Flagg, Martin D." <FlaggMD () HIRAM EDU>
Date: Wed, 19 Apr 2006 15:01:03 -0400

One private reply to question 5 was 

 
5) How do you implement your DMZ?  Do you use a switch and partition it
off so that servers in the DMZ can not talk to each other?
"       Our DMZ is a single switch plugged directly into the dmz port on
the firewall.  However, we also took a second port on that switch and
plugged it into the main network into a vlan that does not have any
routing enabled so if someone insists on the physical location not being
the room where the switch is, we can give it to them but we prefer not
to do this due to management overhead.  Also, CS has kept their "server
farm" as a small part of their subnet because they have been very
helpful and reasonable at getting it down to a very small rule set of
what can get in."


I found this solution interesting; what does everyone think about this?
I have always gone on the assumption that VLANs are not secure.  However,
your solution does have some appeal.  I am curious about the opinions of
others.

thanks

Martin D. Flagg 
Network Engineer/Administrator 
Hiram College 
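
As an added illustration (not from the post or from the quoted site), this is what the quoted design looks like on a Cisco IOS access switch: a layer-2-only DMZ VLAN with no routing, an access port to the firewall's DMZ interface, protected ports so the DMZ servers cannot talk to each other, and a tagged extension toward the main network. The vendor, VLAN number and port numbers are assumptions.

```cisco
! Hypothetical configuration for the DMZ switch described in the reply.
! Assumptions (not from the post): VLAN 50 is the DMZ, Gi0/1 faces the
! firewall's DMZ port, Gi0/2-0/12 are DMZ servers, Gi0/24 is the link
! into the main network's non-routed VLAN.
!
! DMZ VLAN is layer 2 only: no "interface Vlan50", no IP address,
! and no IP routing on the switch, so the switch itself can never
! become a path between the DMZ and the inside network.
! (Weak setting to avoid: "interface Vlan50" with an "ip address",
! which turns the switch into a router around the firewall.)
no ip routing
vlan 50
 name DMZ
!
! Access port to the firewall: the only way in or out of the DMZ.
interface GigabitEthernet0/1
 description Firewall DMZ port
 switchport mode access
 switchport access vlan 50
!
! DMZ servers: same VLAN, but "protected" ports cannot exchange
! frames with other protected ports, only with unprotected ones
! (the firewall port). This is the partitioning the question asks about.
interface range GigabitEthernet0/2 - 12
 switchport mode access
 switchport access vlan 50
 switchport protected
 spanning-tree portfast
!
! Extension into the main network: a trunk carrying VLAN 50 only,
! with DTP disabled so the far end cannot negotiate other VLANs onto it.
interface GigabitEthernet0/24
 description Link to campus switch, DMZ VLAN only
 switchport mode trunk
 switchport trunk allowed vlan 50
 switchport nonegotiate
```

One caveat worth checking in any such design: "switchport protected" is local to a single switch, so a DMZ server hung off the remote switch via the extension is not isolated from the others unless that switch enforces the same (or a private VLAN) on its ports, and the DMZ VLAN must not have an SVI or routing enabled on the remote switch either.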
  
