Educause Security Discussion mailing list archives
Re: Philosophy of DMZ - Summary and direction change: Reverse proxy?
From: "Barros, Jacob" <jkbarros () GRACE EDU>
Date: Wed, 20 Apr 2005 09:42:10 -0500
Thanks for all the responses. If I could summarize the comments so far, it sounds like everyone is saying to find a way to keep the DMZ and secure the inside. I apologize for not describing our network's config in detail. Just trying to keep the posts succinct.

Our DMZ is the latter of the two models mentioned by Tom. It is behind our firewall. However, as Michael mentioned, there is the task of opening ports for internal users or services to access DMZ resources. A long-term concern we have with this model is that the more servers we put in the DMZ, the greater the load we put on our PIX. For example, the solution that prompted this thread will be primarily used on campus. If I could guess a figure, probably 80% of its usage will be from internal users. That figure is common for all of our servers (primary website and email gateway excluded) as we are currently geared more toward on-campus students.

No one alluded to the concept of proxying info to external users. Is anyone doing it? My assumption was that the fewer the 'holes' in the firewall, the better performance and less risk. In my mind it makes the most sense to have a few proxy servers in the DMZ answering all external requests for internal resources, but no one seems to be doing it. Is my assumption wrong? Am I barking up the wrong tree?

Jake Barros
Grace College

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel Adinolfi
Sent: Wednesday, April 20, 2005 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Philosophy of DMZ

So, the traditional idea of "DMZ vs. not DMZ" is a bit obsolete. Instead, partition your network and systems based on their security requirements and implement the technology to satisfy those requirements for each partition.