Educause Security Discussion mailing list archives

Re: Rethinking the DMZ


From: John Hoffoss <John.Hoffoss () SO MNSCU EDU>
Date: Fri, 31 Aug 2012 20:13:43 +0000

On 30 Aug 2012, at 20:09 , Harry Hoffman <hhoffman () IP-SOLUTIONS NET> wrote:

> Heya Jason,
>
> Our mantra has always been: "Each host on our network must be able to
> protect itself" and so we don't have a DMZ. Every host is meant to be
> running a host-based firewall that allows for specific services to be
> accessible from predetermined locations.

Harry, that sounds nice, but you have no extra control there. While I would love to see a host-based layer everywhere, 
going from managing two firewall rulesets to several hundred firewalls is far beyond our capability. 

> On 08/30/2012 05:09 PM, Youngquist, Jason R. wrote:
>> We are thinking about changing our network architecture.
>>
>> As our network has grown and the complexity of our public facing systems
>> and connectivity needs of those systems has increased, we are wondering
>> what value our DMZ delivers.

A DMZ very much still provides value IMO. I sleep better knowing I'm not relying on one host-based config controlled by 
N server admins to prevent constituents (or the innernets) from connecting to our Oracle databases, our identity 
solutions, etc. While this doesn't provide me much intra-network control, by separating networks appropriately and 
putting hard borders between, I can make sure most interesting server interactions end up inter-network and thereby 
cross one or more well-controlled borders. 

>> As an example, public facing systems in the DMZ that require access to
>> LDAP/AD for AAA, SQL for database lookups, Exchange for mail delivery
>> and relay, etc.

A DMZ doesn't need to be a black-hole to provide value and protection. I'd rather maintain a perimeter around that 
network, very tightly control egress, and other perimeters around the other networks where I tightly control ingress, 
rather than put those servers inside my one and only server perimeter, have little control over both ingress and 
egress, and rely on individual host-based firewall configs all around. Unless we get 3X more server admins, then 
perhaps I'd switch. But that's not cheaper or more efficient from where I sit.

>> For those of you with non-trivial public facing systems, where do you
>> draw the balance line between security and access?  If our most visible
>> public facing systems (most likely to be attacked) require internal AAA
>> & SQL access, what are we protecting?

Uh, all of those internal systems that the internet should not talk to? With a "non-trivial" exposure, it becomes that 
much more important to define and maintain those lines, lest you wind up trying to unwind and map out the world's largest 
twine ball.

>> Given current system requirements and the evolution of security, are the
>> reasons for setting up a DMZ 15 years ago still valid, and is the value
>> of maintaining a DMZ worth the associated costs and if not, what are the
>> alternatives?

Yes, I think so. Cloud/hosted services affect the calculation, but it's certainly not out the window. Would you give 
up using antivirus software? Passwords?

-jth
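The two-perimeter layout John describes above (tight egress out of the DMZ, tight ingress into the internal networks, with only the LDAP/AD, SQL and Exchange relay dependencies Jason lists allowed across the border), written out as an added nftables forward policy; it is an illustration, not a ruleset from the thread or from either institution, and the interface names, address ranges and the Oracle listener port are assumptions.

```nftables
# Added example: one forward policy on a router between the internet (wan0),
# the DMZ (dmz0) and the internal server network. Addresses, interface names
# and port choices are assumptions for illustration.
table inet perimeter {
    set dmz_net      { type ipv4_addr; flags interval; elements = { 192.0.2.0/24 } }
    set ldap_servers { type ipv4_addr; elements = { 10.10.1.10, 10.10.1.11 } }  # AD/LDAP for AAA
    set db_servers   { type ipv4_addr; elements = { 10.10.2.20 } }              # Oracle listener
    set mail_relays  { type ipv4_addr; elements = { 10.10.3.30 } }              # Exchange relay

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to already-permitted sessions flow in either direction.
        ct state established,related accept
        ct state invalid drop

        # Perimeter 1: internet -> DMZ ingress is limited to the published web services.
        iifname "wan0" oifname "dmz0" ip daddr @dmz_net tcp dport { 80, 443 } accept

        # Perimeter 2: DMZ -> internal ingress is limited to the three named dependencies,
        # each pinned to the specific servers that provide the service.
        iifname "dmz0" ip saddr @dmz_net ip daddr @ldap_servers tcp dport { 389, 636 } accept
        iifname "dmz0" ip saddr @dmz_net ip daddr @db_servers   tcp dport 1521 accept
        iifname "dmz0" ip saddr @dmz_net ip daddr @mail_relays  tcp dport 25 accept

        # DMZ egress: nothing new is initiated from the DMZ toward the internet; a
        # compromised DMZ host that tries to call out shows up in the log instead.
        iifname "dmz0" oifname "wan0" log prefix "dmz-egress-denied: " drop

        # Every other border crossing is logged and dropped so rule drift is visible.
        log prefix "perimeter-denied: " drop
    }
}
```

Any further DMZ dependency (internal DNS or NTP, for instance) is added as one more explicit server-and-port rule rather than by loosening the default, which is what keeps the border "well-controlled" in the sense used above.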
