Firewall Wizards mailing list archives

segmentation of DMZs


From: "Shimon Silberschlag" <shimons () bll co il>
Date: Thu, 14 Nov 2002 12:35:21 +0200

As a spin-off of the thread "Flat vs. Segmented DMZ's", I would like
to ask the group if they support/oppose segmenting even segments
conducting the same work into sub-segments.

Let's say we have a hypothetical internet infrastructure composed of 3
different segments: presentation, business logic and databases. The
inter-segment traffic is controlled using switch-level protection -
either "protected ports" if layer 2 or ACLs if layer 3. Now, some
folks here offer to further segment the infrastructure by having
separate physical segments for presentation servers (WWW) that provide
authenticated services (and hence have as audience a small subset of
the internet crowd, but do provide much more sensitive information) and
those that are not authenticated (and thus can serve the entire internet
population). They also would like to break the database segment into 2
sub-segments for "sensitive" databases and those that are "not so
sensitive".

I would like to enquire whether anyone in the group has either implemented
such a design or supports it, and what the reasons are for doing so. If
you think this is overkill, please do specify why.

Shimon Silberschlag

+972-3-9352785
+972-51-207130

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
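The question above is really one about blast radius: which segments a compromised presentation host can pivot to by chaining the flows the switch ACLs permit. The following reachability model is an added example, not part of the original post or of the list's discussion. The segment names, service labels and the "fully split" variant (where the business-logic tier is divided as well, which the post does not propose) are assumptions made for the example; hosts inside a segment are not modelled individually, since the ACLs described apply per segment.

```python
"""
Reachability model for a tiered DMZ.

Constructed example (not from the original post): each design is an
allow-list of permitted inter-segment flows, the way a switch ACL between
segments would express it; everything not listed is denied. The model
answers one question: if an attacker fully compromises a host in one
segment, which other segments can it reach by chaining permitted flows?
That transitive set is the blast radius a sub-segmentation decision
changes, or fails to change.

Segment and service names are hypothetical. Hosts inside one segment are
not modelled separately, since the ACLs apply per segment.
"""
from collections import deque

# Baseline: one segment each for presentation, business logic, database.
FLAT = {
    ("internet", "web", "https"),
    ("web", "app", "rpc"),
    ("app", "db", "sql"),
}

# The split described in the post: presentation and database tiers each
# divided in two, business logic left as one shared segment.
PROPOSED = {
    ("internet", "web-public", "https"),
    ("internet", "web-auth", "https"),
    ("web-public", "app", "rpc"),
    ("web-auth", "app", "rpc"),
    ("app", "db-public", "sql"),
    ("app", "db-sensitive", "sql"),
}

# Assumed variant, not in the post: the business-logic tier is split too,
# so the public and authenticated paths share nothing behind the edge.
FULLY_SPLIT = {
    ("internet", "web-public", "https"),
    ("internet", "web-auth", "https"),
    ("web-public", "app-public", "rpc"),
    ("web-auth", "app-auth", "rpc"),
    ("app-public", "db-public", "sql"),
    ("app-auth", "db-sensitive", "sql"),
    ("app-auth", "db-public", "sql"),  # authenticated path may read public data
}

DESIGNS = {"flat": FLAT, "proposed": PROPOSED, "fully split": FULLY_SPLIT}


def reachable(acl, start):
    """Segments reachable from `start`, including `start` itself.

    Worst-case assumption: a compromised host in a segment can originate
    any flow the allow-list permits from that segment (the attacker has a
    shell on it and chooses source port and protocol freely).
    """
    seen = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for s, d, _svc in acl:
            if s == src and d not in seen:
                seen.add(d)
                queue.append(d)
    return seen


def blast_radius(acl, start):
    """Reachable segments other than the compromised one."""
    return reachable(acl, start) - {start}


def exposed(acl, start, target):
    """True if a compromise of `start` can pivot to `target`."""
    return target in reachable(acl, start)


def direct_violations(acl, forbidden):
    """Allow-list entries that directly match a forbidden (src, dst) pair.

    `forbidden` holds (source_prefix, destination_prefix) pairs, e.g.
    ("internet", "db") to catch any rule letting the internet at a database.
    """
    return sorted(
        (s, d, svc)
        for s, d, svc in acl
        for fs, fd in forbidden
        if s.startswith(fs) and d.startswith(fd)
    )


if __name__ == "__main__":
    # Which segments does a compromised public-facing web server reach?
    for name, acl in DESIGNS.items():
        entry = "web" if name == "flat" else "web-public"
        print(f"{name:12s} from {entry:11s} -> {sorted(blast_radius(acl, entry))}")
    for name, acl in DESIGNS.items():
        print(f"{name:12s} internet->db rules: {direct_violations(acl, [('internet', 'db')])}")
```

Running it shows what the model is for: in the "proposed" allow-list the shared business-logic segment is still reachable from the public presentation tier, and from there the sensitive database segment is, so splitting the database tier on its own constrains which tier may query it, not which compromised web server can eventually reach it. The reachable set from the public tier only shrinks when the pivot segment is split as well (or its outbound rules discriminate by application host). The layer-2 "protected ports" mechanism mentioned in the post limits host-to-host traffic inside one segment and is outside this segment-level model.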

