Educause Security Discussion mailing list archives
Re: DMZ
From: Graham Toal <gtoal () UTPA EDU>
Date: Wed, 19 Apr 2006 15:06:17 -0500
5) How do you implement your DMZ? Do you use a switch and partition it off so that servers in the DMZ cannot talk to each other?
The design we came up with at UTPA last year (which justified buying a Cisco PIX blade server to implement it) was a multi-DMZ system of independent zones. Some of those zones were not only firewalled, but none of the machines within a single zone could see any of its neighbours, which we did by issuing each machine a /30 subnet, forcing it to see its neighbours only if it routed traffic via the Cisco router+fw. I.e. even though two machines had a direct connection via a switch, they couldn't see each other because they were on different subnets.

I don't know any way of doing this design other than using a PIX, I have to confess, because the PIX is so closely integrated with the router. Most other designs have problems because the firewall is on the wrong side of the router and the switches.

The /30 subnet trick is real cute and worth considering, especially for desktops which have no requirement to see each other. The cost of doing it is that your DHCP server needs to know the MAC addresses of all its clients in order to give them a suitable IP range.

Graham
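As an added illustration of the /30 scheme described in the message above (example code written for this archive page, not from the original post or from UTPA's deployment): the script carves an address block into /30s, gives the first usable address of each to the firewall/router and the second to the host, shows why a host on a /30 cannot ARP for its neighbour and must send every packet through the gateway (where firewall policy and logging apply), counts what the isolation costs in addresses, and emits the MAC-keyed static reservations the DHCP server needs. The hostnames, MACs (00:00:5e:00:53:xx documentation range) and the 192.0.2.0/24 prefix are constructed placeholders, and the ISC dhcpd "host" stanza syntax is an assumption for illustration; the post does not say which DHCP server was used.

```python
import ipaddress

# Constructed sample inventory: (hostname, MAC). Documentation-range MACs and
# the 192.0.2.0/24 documentation prefix are placeholders, not values from the post.
SAMPLE_HOSTS = [
    ("web1", "00:00:5e:00:53:01"),
    ("web2", "00:00:5e:00:53:02"),
    ("db1", "00:00:5e:00:53:03"),
]


def allocate_slash30s(block, hosts):
    """Carve `block` into /30 subnets and hand one to each (hostname, mac).

    A /30 has exactly two usable addresses: the first goes to the
    firewall/router (the host's only default gateway), the second to the host.
    With nothing else on-link, every packet to a neighbour must leave via the
    gateway, where the firewall policy is applied.
    """
    net = ipaddress.ip_network(block)
    if net.prefixlen > 30:
        raise ValueError("block is smaller than a /30")
    leases = {}
    for (name, mac), subnet in zip(hosts, net.subnets(new_prefix=30)):
        gateway, host_ip = list(subnet.hosts())  # exactly two usable addresses
        leases[mac] = {
            "name": name,
            "ip": str(host_ip),
            "gateway": str(gateway),
            "netmask": str(subnet.netmask),  # 255.255.255.252
        }
    if len(leases) < len(hosts):
        raise ValueError("not enough /30s in %s for %d hosts" % (block, len(hosts)))
    return leases


def slash30_capacity(block):
    """Hosts a block supports under this scheme (one host per /30).
    The price of the isolation: a /24 that normally serves ~254 hosts serves 64."""
    return sum(1 for _ in ipaddress.ip_network(block).subnets(new_prefix=30))


def on_link(src_ip, prefixlen, dst_ip):
    """Would a host at src_ip/prefixlen ARP for dst_ip directly (True), or hand
    the packet to its default gateway (False)?"""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(
        "%s/%d" % (src_ip, prefixlen), strict=False)


def dhcpd_reservations(leases):
    """Render the MAC-keyed leases as ISC dhcpd 'host' stanzas (assumed syntax,
    for illustration; the post does not name the DHCP server used)."""
    stanzas = []
    for mac, lease in leases.items():
        stanzas.append(
            "host %s {\n"
            "  hardware ethernet %s;\n"
            "  fixed-address %s;\n"
            "  option routers %s;\n"
            "  option subnet-mask %s;\n"
            "}" % (lease["name"], mac, lease["ip"], lease["gateway"], lease["netmask"]))
    return "\n".join(stanzas)


if __name__ == "__main__":
    leases = allocate_slash30s("192.0.2.0/24", SAMPLE_HOSTS)
    print(dhcpd_reservations(leases))
    web1, web2 = leases["00:00:5e:00:53:01"], leases["00:00:5e:00:53:02"]
    # On a flat /24 web1 would ARP for web2 directly; on its own /30 it cannot.
    print(on_link(web1["ip"], 24, web2["ip"]), on_link(web1["ip"], 30, web2["ip"]))
    print(slash30_capacity("192.0.2.0/24"))
```

The capacity function makes the trade-off concrete: the same /24 that carries roughly 254 hosts on a flat segment carries 64 under this scheme, since each host consumes a network, a gateway, a host and a broadcast address.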