Educause Security Discussion mailing list archives

Re: DMZ


From: Graham Toal <gtoal () UTPA EDU>
Date: Wed, 19 Apr 2006 15:06:17 -0500

5) How do you implement your DMZ?  Do you use a switch and 
partition it off so that servers in the DMZ can not talk to 
each other?

The design we came up with at UTPA last year (which justified
buying a Cisco PIX blade server to implement it) was a multi-DMZ
system of independent zones.

Some of those zones not only were firewalled, but none of the 
machines within the single zone itself could see any of its
neighbours, which we did by issuing the machine with a /30
subnet, forcing it to see its neighbours only if it routed
traffic via the Cisco router+fw.  I.e. even though two machines
had a direct connection via a switch, they couldn't see each
other because they were on different subnets.

I don't know any way of doing this design other than using a
PIX, I have to confess, because the PIX is so closely integrated
with the router.  Most other designs have problems because the
firewall is on the wrong side of the router and the switches.

The /30 subnet trick is real cute and worth considering, especially
for desktops which have no requirement to see each other. The
cost of doing it is that your DHCP server needs to know the
MAC addresses of all its clients in order to give them a suitable
IP range.


Graham
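As an added example that is not from Graham's post: assuming a hypothetical 10.10.0.0/24 pool and hypothetical MAC addresses, this Python script carves the one-/30-per-host subnets the post describes, uses the ipaddress module to show that two hosts on the same switch are not on-link to each other, and renders the per-MAC ISC dhcpd reservations the post says the DHCP server needs.

```python
import ipaddress

# Constructed sample: MACs the DHCP server must know in advance
# (hypothetical values, not taken from the original post).
CLIENT_MACS = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]


def allocate_p2p_subnets(block, macs):
    """Carve one /30 per client out of `block`.

    First usable address: the firewall/router interface, the only thing
    the client can reach on-link.  Second usable address: the client.
    """
    pool = ipaddress.ip_network(block).subnets(new_prefix=30)
    plan = {}
    for mac in macs:
        net = next(pool)
        gateway, client = list(net.hosts())
        plan[mac] = {"subnet": net, "gateway": gateway, "client": client}
    return plan


def on_link(plan, mac_a, mac_b):
    """True if host A's /30 mask makes host B look directly reachable."""
    return plan[mac_b]["client"] in plan[mac_a]["subnet"]


def render_dhcpd(plan):
    """Emit one ISC dhcpd host reservation per MAC (illustrative snippet)."""
    out = []
    for mac, e in plan.items():
        out.append(
            f"host c-{mac.replace(':', '')} {{\n"
            f"  hardware ethernet {mac};\n"
            f"  fixed-address {e['client']};\n"
            f"  option subnet-mask {e['subnet'].netmask};\n"
            f"  option routers {e['gateway']};\n"
            "}"
        )
    return "\n".join(out)


if __name__ == "__main__":
    plan = allocate_p2p_subnets("10.10.0.0/24", CLIENT_MACS)
    print(render_dhcpd(plan))
    # Two hosts on the same switch, but not on-link to each other -> False
    print(on_link(plan, CLIENT_MACS[0], CLIENT_MACS[1]))
```

A real dhcpd also needs subnet declarations covering the ranges it serves, and the isolation only holds for clients that honour the mask they are given: a host that hand-configures a wider mask can still ARP for its neighbours unless the switch or firewall enforces the separation as well.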
