Educause Security Discussion mailing list archives
Re: DMZ versus TRUSTED ZONES (VLANs)
From: Robert Winding <bob () ALUMNI ND EDU>
Date: Mon, 13 Aug 2007 08:33:17 -0400
Hi Dee,

We use several DMZs, a private zone for Database servers, etc., a monitoring zone, and a system administration VPN with two-factor auth. Our datacenter and servers are behind a firewall separate from our border. In the datacenter firewall we have a traditional DMZ for public services and an Administrative DMZ which houses services with a restricted constituency, like faculty/staff. The admin DMZ includes ERP servers and test systems for public services, etc. Depending on the restriction we may require users to log on to a group-based VPN to gain access to these services.

Generally, we don't allow access to the private zone; however, there are some instances where a restricted set of users needs query access or fat client access to a database. In this case, the group-based VPN is a required control point.

We are also creating a zoned architecture on campus, e.g. staff/admin zone, student zone, etc. This will better support the access restrictions to datacenter services. Currently, without the group-based VPN we have campus proper, resnet, and wireless as separately identifiable address spaces. We use NAT behind the firewall and have a NoNAT DMZ to support systems that cannot function in a NAT'd environment.

If you want more info on our environment contact me directly at rwinding () nd edu.

Bob Winding
Information Security
University of Notre Dame

On 8/12/07, Deepak J. Mathew <deepakm () rice edu> wrote:
How do you define what servers go behind your DMZ VLANs and what servers go behind the Trusted Zone VLANs? I've seen practices where servers that need to be accessed by users are in the Trusted Zone and servers that need limited or no access to the end user/public are put in the DMZ VLANs.

How do you define your zones?

Thanks!
Dee

Deepak J. Mathew
Systems Manager - Administrative Systems
Rice University
(t) 713-348-4328