Re: Rethinking the DMZ

[Harry Hoffman <hhoffman () IP-SOLUTIONS NET>]

Heya Jason,

Our mantra has always been: "Each host on our network must be able to
protect itself" and so we don't have a DMZ. Every host is meant to be
running a host based firewall that allows for specific services to be
accessible from predetermined locations.

That doesn't mean that having backup access controls in place is a bad
thing.


Cheers,
Harry

On 08/30/2012 05:09 PM, Youngquist, Jason R. wrote:
> We are thinking about changing our network architecture.
>
>  
>
> As our network has grown and the complexity of our public facing systems
> and connectivity needs of those systems has increased, we are wondering
> what value our DMZ delivers. 
>
>  
>
> As an example, public facing systems in the DMZ that require access to
> LDAP/AD for AAA, SQL for database lookups, Exchange for mail delivery
> and relay, etc.
>
>  
>
> For those of you with non-trivial public facing systems, where do you
> draw the balance line between security and access?  If our most visible
> public facing systems (most likely to be attacked) require internal AAA
> & SQL access, what are we protecting? 
>
>  
>
> Given current system requirements and the evolution of security, are the
> reasons for setting up a DMZ 15 years ago still valid, and is the value
> of maintaining a DMZ worth the associated costs and if not, what are the
> alternatives? 
>
>  
>
>  
>
> Thanks.
>
> Jason Youngquist, CISSP
>
> Information Technology Security Engineer
>
> Technology Services
>
> Columbia College
>
> 1001 Rogers Street, Columbia, MO  65216
>
> (573) 875-7334
>
> jryoungquist () ccis edu <mailto:jryoungquist () ccis edu>
>
> http://www.ccis.edu