Educause Security Discussion mailing list archives
Re: Rethinking the DMZ
From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Mon, 10 Sep 2012 17:59:22 +0000
Our model is for all inter-subnet traffic to traverse the firewalls, even if the firewall is just passing the traffic w/o anything other than an “ALLOW/PERMIT” rule. The FW also acts as an IDS/IPS and has Data Loss Prevention/Protection capabilities. This model, while throwing A LOT of traffic through the FW, allows a good deal of visibility for us on the network when things go wrong.

As far as rule bases, most of our rules deal with inbound traffic and/or data center traffic. By using a NGFW, we only allow certain applications to hit our servers. This keeps rogue processes from being spawned, in the event that something is compromised. In essence, the whole network is a DMZ.

Security, by its very nature, is supposed to be a paranoid topic. Even if we’re being liberal about the statistics, we’d be 50/50 on internal/external attacks, etc. I think the idea of a border-only FW is not so much a security measure as it is a minimal security effort. The whole Zero Trust Networking principle that (I think) Forrester Research is pushing is something we subscribe to.

We have had discussions about moving to a perimeter firewall and controlling internal traffic via ACLs. This would remove IDS/IPS functionality and create a huge overhead. Central (or minimal) management is key for quick response .. whether that response is to a FW change request, or tracking down malicious activity.

-Brian Helman

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Youngquist, Jason R.
Sent: Thursday, August 30, 2012 5:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Rethinking the DMZ

We are thinking about changing our network architecture. As our network has grown and the complexity of our public facing systems and the connectivity needs of those systems have increased, we are wondering what value our DMZ delivers.

As an example, public facing systems in the DMZ that require access to LDAP/AD for AAA, SQL for database lookups, Exchange for mail delivery and relay, etc. For those of you with non-trivial public facing systems, where do you draw the balance line between security and access? If our most visible public facing systems (most likely to be attacked) require internal AAA & SQL access, what are we protecting? Given current system requirements and the evolution of security, are the reasons for setting up a DMZ 15 years ago still valid, and is the value of maintaining a DMZ worth the associated costs, and if not, what are the alternatives?

Thanks.

Jason Youngquist, CISSP
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jryoungquist () ccis edu<mailto:jryoungquist () ccis edu>
http://www.ccis.edu
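The design Brian describes (every inter-subnet flow crosses a firewall that matches on application, not just port, with everything else denied) and the dependency problem Jason raises (DMZ hosts that must reach LDAP/AD, SQL and Exchange inside) can be modelled as a small zone-based policy. The following is an added example written for this archive page, not code from either poster or from any firewall vendor. The zone address ranges, the rule base, the application names, the port numbers and the sample flow records are all assumptions made for the illustration; the point it shows is that a compromised DMZ host keeps only the handful of flows it was given, that a wrong application on an allowed port is still denied, and that traffic which never leaves its subnet is the one thing this model does not see.

```python
"""Added example (not from the thread): a zone-based, default-deny policy
model for the 'whole network is a DMZ' design, with the DMZ-to-internal
dependencies (LDAP/AD, SQL, Exchange relay) that the original question lists.

Zone ranges, rules, application names, ports and flow records are all
constructed for illustration; none of them come from the mailing list."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Assumed subnets, one per zone (documentation / RFC 1918 space).
ZONES = {
    "dmz": ip_network("198.51.100.0/24"),
    "internal": ip_network("10.10.0.0/16"),
    "datacenter": ip_network("10.20.0.0/16"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known subnets is 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    app: str  # application the NGFW must identify; the port alone is not enough


# Assumed rule base. Anything not listed is denied (default deny).
# Ports are the usual defaults for each protocol and are assumptions too.
RULES = [
    Rule("internet", "dmz", 443, "https"),      # public web front end
    Rule("dmz", "datacenter", 636, "ldaps"),    # AAA against AD
    Rule("dmz", "datacenter", 1433, "mssql"),   # database lookups
    Rule("dmz", "datacenter", 25, "smtp"),      # relay through Exchange
    Rule("internal", "datacenter", 636, "ldaps"),
    Rule("internal", "internet", 443, "https"),
]


class Decision(NamedTuple):
    verdict: str  # "PERMIT", "DENY" or "NOT_INSPECTED"
    reason: str


def evaluate(src: str, dst: str, dst_port: int, app: str) -> Decision:
    """Decide one flow the way the inter-subnet firewall in the design would."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    # Traffic that never leaves its subnet is switched locally, so the
    # firewall (and its IDS/IPS) never sees it: the blind spot of this model.
    if src_zone == dst_zone and src_zone != "internet":
        return Decision("NOT_INSPECTED", f"intra-{src_zone} traffic bypasses the firewall")
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.dst_port) == (src_zone, dst_zone, dst_port):
            if rule.app == app:
                return Decision("PERMIT", f"{src_zone}->{dst_zone} {app}/{dst_port} allowed")
            # Right port, wrong application: a tunnel or a rogue process on an
            # allowed port. A port-only firewall would have passed this.
            return Decision("DENY", f"app '{app}' on {dst_port} is not the allowed '{rule.app}'")
    return Decision("DENY", f"no rule for {src_zone}->{dst_zone} port {dst_port}")


def evaluate_log(lines):
    """Run a batch of 'src dst port app' records through the policy."""
    results = []
    for line in lines:
        src, dst, port, app = line.split()
        results.append((line, evaluate(src, dst, int(port), app)))
    return results


# Constructed flow records, not a real capture.
SAMPLE_FLOWS = [
    "203.0.113.5 198.51.100.10 443 https",    # visitor hits the web server
    "198.51.100.10 10.20.0.5 636 ldaps",      # web server authenticates against AD
    "198.51.100.10 10.20.0.5 445 smb",        # compromised web server tries SMB into the DC
    "198.51.100.10 10.10.3.7 22 ssh",         # ... and SSH into a workstation
    "10.10.3.7 203.0.113.9 443 ssh",          # SSH tunnelled over 443 from inside
    "198.51.100.10 198.51.100.11 8080 http",  # DMZ host to DMZ host, never reaches the FW
]

if __name__ == "__main__":
    for line, decision in evaluate_log(SAMPLE_FLOWS):
        print(f"{decision.verdict:14} {line:40} {decision.reason}")
```

Running it prints PERMIT for the two legitimate flows, DENY for the three lateral-movement or tunnelling attempts, and NOT_INSPECTED for the DMZ-to-DMZ flow; that last verdict is the trade-off behind "the whole network is a DMZ": the firewall only sees what crosses a subnet boundary, so hosts that share a subnet still need host-level controls.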