Firewall Wizards mailing list archives
Per application port DMZ segments?
From: "Wes Noonan" <mailinglists () wjnconsulting com>
Date: Tue, 18 Jan 2005 11:27:10 -0600
All,

I have a customer that is considering implementing VLANs in their DMZ module such that every application sits on a dedicated VLAN/DMZ segment. So for example FTP, DNS, HTTP, Citrix, etc. would each have their own VLAN/DMZ segment. Now, every fiber in my being says this is a bad idea for a number of reasons:

1) I think it will be near impossible to manage long term
2) The well known issue of VLANs and VLAN hopping
3) The introduction of complex routing in the DMZ
4) The requirement for entirely too many IP subnets in the DMZ
5) KISS - I think this is just going to be an entirely complex design and implementation, and in general I have found complexity and security at odds over things like misconfigurations...

As I understand it, the impetus for this is that their IDS generates too many false positives, and they think that by restricting a specific application to a VLAN they can reduce the false positives (essentially, if the DMZ should only have port 25 traffic, everything else is a false positive). Now, I see that as a case of the tail wagging the dog, IOW a crappy IDS implementation dictating the design.

Another justification that has been put forth is to segment resources; however, I think that using private VLANs (they are a Cisco shop) is a better solution - after all, even with per application VLANs the servers in that VLAN will still be able to communicate with each other unless you do something else.

So, does anyone know of any references, etc. that I can put in front of said client to show them how this is a bad idea, or conversely have any references that can show me that it's not as bad as I think it is?

TIA

Wes Noonan
mailinglists () wjnconsulting com
http://www.wjnconsulting.com
Hardening Network Infrastructure - A concise how to guide
Available Now!!
Order at http://tinyurl.com/5852c
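As an added illustration, not part of Wes's post or any reply in the thread, of the private VLAN alternative he mentions: a Cisco IOS fragment that puts DMZ servers on isolated ports so they cannot talk to each other at layer 2 while still reaching the firewall through a promiscuous port, with a community VLAN for the one pair of servers that legitimately needs to talk. The VLAN numbers, interface names and descriptions are assumptions for the example.

```text
! Primary private VLAN that the whole DMZ shares (one IP subnet)
vlan 200
 name DMZ-PRIMARY
 private-vlan primary
 private-vlan association 201,202
!
! Isolated secondary: hosts here reach only promiscuous ports (the firewall)
vlan 201
 name DMZ-ISOLATED
 private-vlan isolated
!
! Community secondary: hosts here reach each other and the firewall, nothing else
vlan 202
 name DMZ-CITRIX-COMMUNITY
 private-vlan community
!
! Stand-alone servers (FTP, DNS, HTTP, SMTP): isolated host ports.
! Same subnet, same DMZ, but no server-to-server traffic at layer 2.
interface GigabitEthernet0/1
 description DMZ FTP server (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
interface GigabitEthernet0/2
 description DMZ SMTP relay (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Two Citrix servers that must talk to each other: community host ports.
interface GigabitEthernet0/3
 description DMZ Citrix node 1 (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
interface GigabitEthernet0/4
 description DMZ Citrix node 2 (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! Uplink to the firewall DMZ interface: promiscuous, sees every secondary.
! All server-to-server traffic therefore has to cross the firewall policy.
interface GigabitEthernet0/24
 description Firewall DMZ interface (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
```

Verify the result with "show vlan private-vlan" and "show interfaces switchport"; the point is that the firewall rulebase, not VLAN sprawl, decides which DMZ hosts may talk to which.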