Educause Security Discussion mailing list archives

Re: DMZ


From: Cal Frye <cjf () CALFRYE COM>
Date: Wed, 19 Apr 2006 14:32:44 -0400

Hi, Martin,
We "sort of" have a DMZ. We only use public addresses, but our central server
farm lives within a separate subnet/network segment within our machine room.
This subnet isn't so much protected as a whole as there is a careful set of ACLs
that govern who can talk to what within the subnet. Also, each system within is
itself hardened and protected from the others it doesn't need to see. Not quite
ideal, but it serves.

That means, in answer to your second question, that we also have other servers
around campus using less-well-protected addresses. So be it. Our main backup
application works fairly well across subnets, but Retrospect does not, so we
have multiple backup servers to cover Macs and desktops.

< opinion=strong > DMZs and Firewalls easily contribute to the
crispy-shell-chewy-center problem, so I don't look for anything magic to come
from their implementation. For our networks, the proper place for a firewall is
between our users and our servers, not at the edge. I've also heard some wag
among us refer to using the firewall to "protect the Internet from our users."
</opinion>

Within our server segment, many boxes have to talk to each other (lots of LDAP,
eDir synchronization, that sort of thing) so we see the benefit of not having
mere users within that segment ALSO. Trying to protect servers from each other
is a noble goal, but must be done carefully. If you've got it set up as in
question (5) I might come down in favor of (4) myself ;-)

But those aren't the only two options, of course. What is the reason given for
dismantling the DMZ?

--Cal Frye, Network Administrator, Oberlin College
   www.calfrye.com, www.pitalabs.com, www.ouuf.org

  "Make it idiot-proof and someone will make a better idiot."


Flagg, Martin D. wrote:

1) How many of you do not use DMZs?

2) How many of you have had problems because of the physical location of
your DMZ?
For example other departments wanting to run an Internet IP camera,
Computer Science departments running servers etc...

3) How do you deal with backups on your DMZ while not running these through
your firewall?

4) These questions have been brought up here on Campus because some
wish to get rid of the DMZs.

5) How do you implement your DMZ?  Do you use a switch and partition it
off so that servers in the DMZ cannot talk to each other?

thanks


Martin D. Flagg
Network Engineer/Administrator
Hiram College
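The layout Cal describes above (a firewall between users and servers rather than only at the edge, plus ACLs inside the server segment so that boxes only see the peers they need, while the backup server can still reach everything) can be modelled as a first-match ACL and compared against an edge-only firewall. The following is an added example written for this archive page; it is not code from either poster or from Oberlin or Hiram. All addresses (RFC 5737 documentation ranges), host roles and ports are constructed assumptions, not anything either campus runs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example addressing (RFC 5737 documentation ranges); assumed, not real.
USERS   = ipaddress.ip_network("192.0.2.0/24")     # campus user workstations
SERVERS = ipaddress.ip_network("198.51.100.0/24")  # machine-room server segment
ANY     = ipaddress.ip_network("0.0.0.0/0")


def host(addr):
    """A single address as a /32 network so it can be used as a rule endpoint."""
    return ipaddress.ip_network(f"{addr}/32")


LDAP   = host("198.51.100.10")  # directory server queried by users (assumed role)
EDIR   = host("198.51.100.11")  # eDirectory replica that syncs with LDAP (assumed)
BACKUP = host("198.51.100.20")  # backup server that pulls from every server (assumed)
WEB    = host("198.51.100.30")  # public web server (assumed)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port


def evaluate(rules, src, dst, dport):
    """Router-style ACL: the first matching rule wins; no match means deny."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "deny"  # implicit deny at the end of every ACL


# Policy A: firewall at the campus edge only. Once on campus, anything can
# reach any server on any port (the "crispy shell, chewy center").
EDGE_ONLY = [
    Rule("permit", USERS, ANY),
    Rule("permit", SERVERS, ANY),
    Rule("permit", ANY, WEB, 443),  # the one inbound hole at the edge
]

# Policy B: firewall between users and servers, plus ACLs inside the
# server segment so each box only sees the peers it needs.
SEGMENTED = [
    Rule("permit", USERS, LDAP, 389),
    Rule("permit", USERS, LDAP, 636),
    Rule("permit", USERS, WEB, 443),
    Rule("deny",   USERS, SERVERS),      # everything else user -> server is blocked
    Rule("permit", USERS, ANY),          # users may still reach the Internet
    Rule("permit", LDAP, EDIR, 636),     # directory synchronisation, both ways
    Rule("permit", EDIR, LDAP, 636),
    Rule("permit", BACKUP, SERVERS),     # backup server reaches every server
    Rule("permit", ANY, WEB, 443),       # public service stays reachable
]

# Constructed sample flows: (label, src, dst, dport). Port 22 for the backup
# pull is an assumption (e.g. rsync over ssh), not any product's real port.
FLOWS = [
    ("user LDAP lookup",             "192.0.2.50",     "198.51.100.10", 636),
    ("user ssh to backup server",    "192.0.2.50",     "198.51.100.20", 22),
    ("eDir sync",                    "198.51.100.10",  "198.51.100.11", 636),
    ("backup pull from web server",  "198.51.100.20",  "198.51.100.30", 22),
    ("web server ssh to LDAP",       "198.51.100.30",  "198.51.100.10", 22),
    ("Internet to web",              "203.0.113.7",    "198.51.100.30", 443),
    ("Internet to LDAP",             "203.0.113.7",    "198.51.100.10", 389),
    ("user browsing the Internet",   "192.0.2.50",     "203.0.113.7",   443),
]


def compare(flows=FLOWS):
    """Map each flow label to (edge-only verdict, segmented verdict)."""
    return {label: (evaluate(EDGE_ONLY, s, d, p), evaluate(SEGMENTED, s, d, p))
            for label, s, d, p in flows}


if __name__ == "__main__":
    for label, (edge, seg) in compare().items():
        print(f"{label:30s} edge-only={edge:6s} segmented={seg}")
```

The two policies agree on everything that crosses the campus edge; they differ on the flows that stay inside it. A compromised user workstation reaching the backup server's admin port, or a compromised web server moving laterally to the directory server, is permitted by the edge-only policy and denied by the segmented one, while the LDAP/eDir sync and the backup server's pulls that Cal mentions still pass.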

