Educause Security Discussion mailing list archives

Re: Rethinking the DMZ


From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Mon, 10 Sep 2012 17:59:22 +0000

Our model is for all inter-subnet traffic to traverse the firewalls, even if the firewall is just passing the traffic 
w/o anything other than an “ALLOW/PERMIT” rule.  The FW also acts as an IDS/IPS and has Data Loss Prevention/Protection 
capabilities.  This model, while throwing A LOT of traffic through the FW, allows a good deal of visibility for us on 
the network when things do go wrong.

As far as rule bases, most of our rules deal with inbound traffic and/or data center traffic.  By using a NGFW, we only 
allow certain applications to hit our servers.  This keeps rogue processes from being spawned, in the event that 
something is compromised.  In essence, the whole network is in a DMZ.

Security, by its very nature, is supposed to be a paranoid topic.  Even if we’re being liberal about the statistics, 
we’d be 50/50 on internal/external attacks, etc.  I think the idea of a border-only FW is not so much a security 
measure as it is a minimal security effort.  The whole Zero Trust Networking principle that (I think) Forrester 
Research is pushing is something we subscribe to.  We have had discussions about moving to a perimeter firewall and 
controlling internal traffic via ACLs.  This would remove IDS/IPS functionality and create a huge overhead.  Central 
(or minimal) management is key for quick response, whether that response is to a FW change request, or tracking down 
malicious activity.

-Brian Helman
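The design Brian describes (every inter-subnet flow crosses the firewall, a default-deny rule base that permits only named applications toward the data center, and a log of every decision so there is visibility when something goes wrong) can be sketched as a small zone-based policy evaluator. This is an added illustration for the archive page, not code from Brian, Salem State, or any vendor's NGFW; the zone names, address ranges, rule names and application labels ("ldap", "mssql", "unknown-tcp") are all constructed for the example.

```python
"""Toy model of a zone-based, default-deny firewall that sees all
inter-subnet traffic and logs every decision.

Example added to the mailing-list archive; not the original poster's
configuration. Zones, addresses, rules and application labels are
constructed (addresses use documentation ranges)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port
    app: str    # application as identified by the NGFW (assumed label)


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset   # application identifiers permitted by this rule
    ports: frozenset  # destination ports permitted by this rule


# Each zone spans several subnets; traffic between subnets of the same
# zone still crosses the firewall and is logged, per the model above.
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),   # public-facing hosts
    "datacenter": ipaddress.ip_network("10.10.0.0/16"),
    "users": ipaddress.ip_network("10.20.0.0/16"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside known zones is untrusted."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"


# Constructed rule base: only named applications on named ports may reach
# the data center. Everything not matched falls through to default-deny.
RULES = [
    Rule("dmz-web-to-ldap", "dmz", "datacenter", frozenset({"ldap"}), frozenset({636})),
    Rule("dmz-web-to-sql", "dmz", "datacenter", frozenset({"mssql"}), frozenset({1433})),
    Rule("users-to-dc-https", "users", "datacenter", frozenset({"https"}), frozenset({443})),
]


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []  # every decision, permit or deny, is recorded

    def evaluate(self, flow: Flow):
        """Return (decision, rule_name) for a flow and append it to the log."""
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        decision = ("deny", "default-deny")
        if src_zone == dst_zone and src_zone != "untrusted":
            # Inter-subnet but intra-zone: passed by a plain permit rule,
            # yet still inspected and logged.
            decision = ("permit", "intra-zone")
        else:
            for rule in self.rules:
                if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                        and flow.app in rule.apps and flow.dport in rule.ports):
                    decision = ("permit", rule.name)
                    break
        self.log.append((flow, src_zone, dst_zone, decision))
        return decision

    def denied_by_source(self) -> Counter:
        """Count denies per source address: a quick 'what is misbehaving' view."""
        return Counter(entry[0].src for entry in self.log if entry[3][0] == "deny")


if __name__ == "__main__":
    fw = Firewall(RULES)
    # Constructed sample flows: a normal LDAP lookup from a DMZ web server,
    # then the same host trying non-LDAP traffic on 636 and RDP to the DC.
    for f in (Flow("203.0.113.10", "10.10.5.5", 636, "ldap"),
              Flow("203.0.113.10", "10.10.5.5", 636, "unknown-tcp"),
              Flow("203.0.113.10", "10.10.5.5", 3389, "rdp"),
              Flow("10.10.1.4", "10.10.9.9", 445, "smb")):
        print(f, fw.evaluate(f))
    print("denies per source:", dict(fw.denied_by_source()))
```

The second sample flow is the point of application-aware rules: the port is one the rule base allows, but the application the firewall identifies is not, so the flow is denied and logged rather than slipping through a port-only ACL. The per-source deny count is the kind of signal the "visibility when things go wrong" argument relies on.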

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Youngquist, Jason R.
Sent: Thursday, August 30, 2012 5:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Rethinking the DMZ

We are thinking about changing our network architecture.

As our network has grown and the complexity of our public facing systems and connectivity needs of those systems has 
increased, we are wondering what value our DMZ delivers.

As an example: public-facing systems in the DMZ that require access to LDAP/AD for AAA, SQL for database lookups, 
Exchange for mail delivery and relay, etc.

For those of you with non-trivial public facing systems, where do you draw the balance line between security and 
access?  If our most visible public facing systems (most likely to be attacked) require internal AAA & SQL access, what 
are we protecting?

Given current system requirements and the evolution of security, are the reasons for setting up a DMZ 15 years ago 
still valid, and is the value of maintaining a DMZ worth the associated costs and if not, what are the alternatives?

Thanks.

Jason Youngquist, CISSP
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu
