digg this story

That is the question.

It has been a long standing idea that a DMZ is a best practice when it comes to designing and implementing a corporate network. It's even required by some regulations (see article listings below). The argument not to use a DMZ has been gaining ground in discussions around the security community. The argument basically goes that once you break a system in the DMZ, they now have the keys to the kingdom. So network admins should secure every system as though it was internal and require proper authentication to gain access. That doesn't mean that you have to get rid of the DMZ, but maybe the DMZ is a crutch not to secure all systems properly. Take away the crutch, and you'r forced to do it correctly.

So here are a few questions:

1. Has anyone eliminated their DMZ and why? Without giving away too much info, describe your setup.

2. Are you considering removing it and why?

3. Will never get rid of it and why? Also without giving away too much info about your network, describe your setup, what's in and not in the DMZ and why?

Here are a few articles to get you thinking:

Dump Your DMZ!

DMZs for Dummies

SANS Resources

Explain the DMZ
DMZ - In information security, DMZ has multiple meanings. Classically it refers to the part of the perimeter between your service provider's point of demarcation and where you assume control. It can also mean any protected network, usually one at least partially accessible via the Internet. SANS has a number of papers shown below to help you learn about DMZ design and testing and also offers information security training in firewalls, DMZs and VPNs.

"Designing a DMZ" by Scott Young on DMZ design.

"Three Tired DMZs" by Chris Mahn on three tiered or complex DMZs, if this sounds like overkill to you, it is worth noting the Visa Security Commandments for credit card merchants specify a separate DMZ for credit card activity.

"Securing Extranet Connections" by Jeff Pipping on extranets, a special type of DMZ.

Hopefully this will spark some good debate,
Don

I'm not sure I would ever feel comfortable eliminating the DMZ altogether, especially if the network is already built this way.

If possible, I think I'd be more open to getting rid of the DMZ as a leg hanging off my firewall and place it between 2 individual firewalls (see below):

(internet)
     |
(external_fw)
     |-----------------(dmz_server_farm)
(internal_fw)
     |
(internal_net)

A DMZ is another layer of security and you never can have too much layers when you are about to secure your network.

If you need to make a system accessible from the Internet I can't think of any reason to put such a system directly in a internal network - that would be the worst possible solution.

I would not get rid of my DMZ ever. If properly configured, a DMZ adds security. By restricting access by the DMZ to the inside network, you reduce the risk and threat.

A properly configured DMZ server that has its access limited to say only accessing a backend application server can provide a very high level of security as extraneous access from the DMZ to the inside has been eliminated. It becomes much harder to take over a box when the attack profile has been drastically reduced.