HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 77 guests and 5 members online
EH-Net News Feeds
Latest Additions
 
Advertisement

You are here: Home arrow Forum arrow Columnsarrow Editor-In-Chiefarrow To DMZ or not to DMZ?
EH-Net
February 08, 2012, 10:53:05 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Advertise on EH-Net!! - Reasonable Rates, Highly Targeted Audience.
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: To DMZ or not to DMZ?  (Read 11115 times)
0 Members and 1 Guest are viewing this topic.
don
Editor-In-Chief
Administrator
Hero Member
*****
Offline Offline

Posts: 3842


Editor-In-Chief


View Profile WWW
« on: February 02, 2007, 03:25:54 PM »
digg this story

That is the question.

It has been a long standing idea that a DMZ is a best practice when it comes to designing and implementing a corporate network. It's even required by some regulations (see article listings below). The argument not to use a DMZ has been gaining ground in discussions around the security community. The argument basically goes that once you break a system in the DMZ, they now have the keys to the kingdom. So network admins should secure every system as though it was internal and require proper authentication to gain access. That doesn't mean that you have to get rid of the DMZ, but maybe the DMZ is a crutch not to secure all systems properly. Take away the crutch, and you'r forced to do it correctly.

So here are a few questions:

1. Has anyone eliminated their DMZ and why? Without giving away too much info, describe your setup.

2. Are you considering removing it and why?

3. Will never get rid of it and why? Also without giving away too much info about your network, describe your setup, what's in and not in the DMZ and why?

Here are a few articles to get you thinking:

Dump Your DMZ!

DMZs for Dummies

SANS Resources

Explain the DMZ
DMZ - In information security, DMZ has multiple meanings. Classically it refers to the part of the perimeter between your service provider's point of demarcation and where you assume control. It can also mean any protected network, usually one at least partially accessible via the Internet. SANS has a number of papers shown below to help you learn about DMZ design and testing and also offers information security training in firewalls, DMZs and VPNs.

"Designing a DMZ" by Scott Young on DMZ design.

"Three Tired DMZs" by Chris Mahn on three tiered or complex DMZs, if this sounds like overkill to you, it is worth noting the Visa Security Commandments for credit card merchants specify a separate DMZ for credit card activity.

"Securing Extranet Connections" by Jeff Pipping on extranets, a special type of DMZ.

Hopefully this will spark some good debate,
Don
« Last Edit: February 02, 2007, 03:32:20 PM by don » Logged
CISSP, MCSE, CSTA, Security+ SME
Kev
Guest
« Reply #1 on: February 03, 2007, 08:46:53 AM »
I would not be too eager to eliminate the DMZ.  There is a reason its well respected and has a good history.  A well set up DMZ that’s carefully monitored is very secure. Properly installed and maintained is the key. Also, why do so many think you have to have only one DMZ? You can have a DMZ behind another DMZ, etc…   In my experience, I am not seeing a proper set up and maintained DMZ being breached from the outside. It’s usually something not patched or poorly configured.  If it’s a very tight system and it’s breached, it’s usually from the inside.  Security today is actually very good if you can just get people to implement it properly.
Logged
Andrew Hay
Newbie
*
Offline Offline

Posts: 12



View Profile WWW
« Reply #2 on: February 03, 2007, 05:51:30 PM »
I'm not sure I would ever feel comfortable eliminating the DMZ altogether, especially if the network is already built this way.

If possible, I think I'd be more open to getting rid of the DMZ as a leg hanging off my firewall and place it between 2 individual firewalls (see below):

(internet)
     |
(external_fw)
     |-----------------(dmz_server_farm)
(internal_fw)
     |
(internal_net)
Logged
Andrew Hay
NSA, CCSE Plus, CCNA, Security+, RHCE, GCIA, GCIH, SSP-MPA, SSP-CNSA
blog: http://www.andrewhay.ca
email: andrewsmhay || at || gmail.com
Oyle
Sr. Member
****
Offline Offline

Posts: 264


"Man. Nature. Technology".


View Profile WWW
« Reply #3 on: February 05, 2007, 11:48:25 AM »
I also would not remove the DMZ. In my experience, I've seen a lot of networks that didn't have a DMZ to begin with, and if they had, they wouldn't have some of the problems they have.

Of course, if oyu're going to install a DMZ, you HAVE to make sure it's installed and configured correctly. If you don't you may as well not install one at all. It's not enough to just install a DMZ, you have to configure it correctly. That's half the job.
Logged
MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH
--------------------
"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

From 1337 h4x0r h4ndb00k: "the ten laws of geek", law x
                  -Tapeworm
pcsneaker
Jr. Member
**
Offline Offline

Posts: 73


View Profile
« Reply #4 on: February 05, 2007, 12:20:15 PM »
A DMZ is another layer of security and you never can have too much layers when you are about to secure your network.

If you need to make a system accessible from the Internet I can't think of any reason to put such a system directly in a internal network - that would be the worst possible solution.
Logged
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
oleDB
Recruiters
Full Member
*
Offline Offline

Posts: 236



View Profile WWW
« Reply #5 on: February 05, 2007, 01:09:58 PM »
From a monitoring perspective, I really like having segregated security zones. Seeing a log that labels traffic from Ext to WebDMZ or something to that effect, just seems to make things easier when analyzing traffic. Especially if you break out your management traffic into its own zone. I'm definitely not a big fan of the people preaching deperimeterization or removing DMZ's. I think this is one case where more zones is actually better and worth the extra work to maintain or design.
Logged
Bane
Jr. Member
**
Offline Offline

Posts: 80


View Profile
« Reply #6 on: February 07, 2007, 04:11:21 PM »
I would not get rid of my DMZ ever. If properly configured, a DMZ adds security. By restricting access by the DMZ to the inside network, you reduce the risk and threat.

A properly configured DMZ server that has its access limited to say only accessing a backend application server can provide a very high level of security as extraneous access from the DMZ to the inside has been eliminated. It becomes much harder to take over a box when the attack profile has been drastically reduced.
Logged
MSIA, CISSP, GPEN, GCIH, GCFW, GSEC, RHCT... And more alphabet soup..
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.117 seconds with 24 queries.
 

gk_static-ad_feb2012.jpg
Global Knowledge Training: Build Security Skills to Protect and Defend

offsec_130x200-2_jan-feb2012.png
Offensive Security
AWE Live in the Caribbean!
March 5 - 9, 2012

SANS Deals 4 EH-Netters
$150 OFF Any SANS Course in Any Format!
Coupon Code: Refer_EHN
Including SANS Phoenix 2012, SANS 2012
Recent Forum Topics

cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!

Vote For EH-Net

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2012 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.