Educause Security Discussion mailing list archives
Re: DMZ
From: "Flagg, Martin D." <FlaggMD () HIRAM EDU>
Date: Wed, 19 Apr 2006 15:01:03 -0400
One private reply to question 5 was:

5) How do you implement your DMZ? Do you use a switch and partition it off so that servers in the DMZ cannot talk to each other?

"Our DMZ is a single switch plugged directly into the DMZ port on the firewall. However, we also took a second port on that switch and plugged it into the main network into a VLAN that does not have any routing enabled, so if someone insists on the physical location not being the room where the switch is, we can give it to them, but we prefer not to do this due to management overhead. Also, CS has kept their "server farm" as a small part of their subnet because they have been very helpful and reasonable at getting it down to a very small rule set of what can get in."

I found this solution interesting. What does everyone think about this? I have always gone on the assumption that VLANs are not secure. However, your solution does have some appeal. I am curious about the opinions of others.

Thanks,

Martin D. Flagg
Network Engineer/Administrator
Hiram College
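As an added illustration (not code from the post or from the list), the design described above, a DMZ VLAN carried onto a core switch with no routing enabled, can be checked mechanically. The script below models a switch as a set of ports and routed VLAN interfaces (all names and VLAN numbers are constructed assumptions) and reports anything that would break the isolation the reply relies on: a routed interface on the DMZ VLAN, the VLAN appearing on a port other than the intended extension, or the VLAN being a trunk's untagged native VLAN.

```python
# Added example, not from the original post: audit a simplified switch model
# for the "DMZ VLAN extended onto the core switch, no routing" design.
# The topology, port names and VLAN numbers below are constructed assumptions.

from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Port:
    name: str
    mode: str                                  # "access" or "trunk"
    vlans: Set[int] = field(default_factory=set)  # access VLAN or allowed VLANs
    native: Optional[int] = None               # untagged (native) VLAN on a trunk


@dataclass
class Switch:
    name: str
    ports: List[Port]
    svis: Set[int] = field(default_factory=set)   # VLANs that have an IP interface


def audit_dmz_vlan(switch: Switch, dmz_vlan: int, allowed_ports: Set[str]) -> List[str]:
    """Return findings; an empty list means the DMZ VLAN is isolated as intended."""
    findings = []
    if dmz_vlan in switch.svis:
        findings.append(f"{switch.name}: VLAN {dmz_vlan} has a routed interface (SVI)")
    for p in switch.ports:
        if dmz_vlan in p.vlans and p.name not in allowed_ports:
            findings.append(f"{switch.name}/{p.name}: VLAN {dmz_vlan} on unexpected port")
        if p.mode == "trunk" and p.native == dmz_vlan:
            findings.append(f"{switch.name}/{p.name}: VLAN {dmz_vlan} is the untagged native VLAN")
    return findings


# Constructed sample: core switch that should carry DMZ VLAN 900 only on Gi1/1
core = Switch("core", ports=[
    Port("Gi1/1", "trunk", {10, 20, 900}),               # intended link to the DMZ switch
    Port("Gi1/2", "trunk", {10, 20, 900}, native=900),   # misconfigured second trunk
    Port("Gi1/3", "access", {20}),
], svis={10, 20})                                        # VLAN 900 deliberately not routed

if __name__ == "__main__":
    for finding in audit_dmz_vlan(core, 900, {"Gi1/1"}):
        print(finding)
```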