Educause Security Discussion mailing list archives
Re: DMZ
From: Cal Frye <cjf () CALFRYE COM>
Date: Wed, 19 Apr 2006 14:32:44 -0400
Hi, Martin,

We "sort of" have a DMZ. We only use public addresses, but our central server farm lives within a separate subnet/network segment within our machine room. This subnet isn't so much protected as a whole as there is a careful set of ACLs that govern who can talk to what within the subnet. Also, each system within is itself hardened and protected from the others it doesn't need to see. Not quite ideal, but it serves.

That means, in answer to your second question, that we also have other servers around campus using less-well-protected addresses. So be it.

Our main backup application works fairly well across subnets, but Retrospect does not, so we have multiple backup servers to cover Macs and desktops.

<opinion=strong> DMZs and firewalls easily contribute to the crispy-shell-chewy-center problem, so I don't look for anything magic to come from their implementation. For our networks, the proper place for a firewall is between our users and our servers, not at the edge. I've also heard some wag among us refer to using the firewall to "protect the Internet from our users." </opinion>

Within our server segment, many boxes have to talk to each other (lots of LDAP, eDir synchronization, that sort of thing), so we see the benefit of not having mere users within that segment ALSO. Trying to protect servers from each other is a noble goal, but must be done carefully. If you've got it set up as in question (5) I might come down in favor of (4) myself ;-) But those aren't the only two options, of course.

What is the reason given for dismantling the DMZ?

--Cal Frye, Network Administrator, Oberlin College
www.calfrye.com, www.pitalabs.com, www.ouuf.org
"Make it idiot-proof and someone will make a better idiot."

Flagg, Martin D. wrote:
1) How many of you do not use DMZs?
2) How many of you have had problems because of the physical location of your DMZ? For example, other departments wanting to run an Internet IP camera, Computer Science departments running servers, etc.
3) How do you deal with backups on your DMZ while not running these through your firewall?
4) These questions have been brought up here on campus because some wish to get rid of the DMZs.
5) How do you implement your DMZ? Do you use a switch and partition it off so that servers in the DMZ cannot talk to each other?

Thanks,
Martin D. Flagg
Network Engineer/Administrator
Hiram College
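The two firewall placements Cal contrasts (edge-only versus a boundary between users and servers, with per-zone ACLs inside the server segment) can be checked with a small zone/rule model. This is an added example, not code from the post or from either college; the zones, addresses, ports and rule sets are constructed for illustration.

```python
"""Toy model of firewall placement: edge-only vs. user/server boundary.

Added example, not part of the original mailing-list post. All zones,
addresses and port numbers below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed zones using public (non-NAT) ranges, as the post describes.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),        # catch-all
    "users":    ip_network("198.51.100.0/24"),  # campus desktops
    "servers":  ip_network("203.0.113.0/24"),   # central server farm
}

def zone_of(addr):
    """Return the most specific zone containing addr."""
    a = ip_address(addr)
    best = "internet"
    for name, net in ZONES.items():
        if a in net and net.prefixlen >= ZONES[best].prefixlen:
            best = name
    return best

# Rules are (src_zone, dst_zone, allowed_ports); None means any port.
# Edge-only placement: nothing sits between users and servers, so a
# compromised desktop reaches every server port (the "chewy center").
EDGE_ONLY = [
    ("internet", "servers", {80, 443}),
    ("users",    "servers", None),
    ("servers",  "servers", None),
]
# Boundary placement: users see only published services; servers see
# each other only on the ports they need (LDAP / eDir sync).
USER_SERVER_BOUNDARY = [
    ("internet", "servers", {80, 443}),
    ("users",    "servers", {80, 443}),
    ("servers",  "servers", {389, 636}),
]

def allowed(rules, src, dst, port):
    """True if a packet src -> dst:port passes the rule set (default deny)."""
    s, d = zone_of(src), zone_of(dst)
    for rule_src, rule_dst, ports in rules:
        if rule_src == s and rule_dst == d and (ports is None or port in ports):
            return True
    return False
```

Comparing `allowed(EDGE_ONLY, ...)` with `allowed(USER_SERVER_BOUNDARY, ...)` for a desktop address against a server's SSH or LDAP port shows the exposure the edge-only design leaves open.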