.

To DMZ or not to DMZ?

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Fri Feb 02, 2007 4:25 pm

To DMZ or not to DMZ?

digg this story

That is the question.

It has been a long standing idea that a DMZ is a best practice when it comes to designing and implementing a corporate network. It's even required by some regulations (see article listings below). The argument not to use a DMZ has been gaining ground in discussions around the security community. The argument basically goes that once you break a system in the DMZ, they now have the keys to the kingdom. So network admins should secure every system as though it was internal and require proper authentication to gain access. That doesn't mean that you have to get rid of the DMZ, but maybe the DMZ is a crutch not to secure all systems properly. Take away the crutch, and you'r forced to do it correctly.

So here are a few questions:

1. Has anyone eliminated their DMZ and why? Without giving away too much info, describe your setup.

2. Are you considering removing it and why?

3. Will never get rid of it and why? Also without giving away too much info about your network, describe your setup, what's in and not in the DMZ and why?

Here are a few articles to get you thinking:

Dump Your DMZ!

DMZs for Dummies

SANS Resources

Explain the DMZ
DMZ - In information security, DMZ has multiple meanings. Classically it refers to the part of the perimeter between your service provider's point of demarcation and where you assume control. It can also mean any protected network, usually one at least partially accessible via the Internet. SANS has a number of papers shown below to help you learn about DMZ design and testing and also offers information security training in firewalls, DMZs and VPNs.

"Designing a DMZ" by Scott Young on DMZ design.

"Three Tired DMZs" by Chris Mahn on three tiered or complex DMZs, if this sounds like overkill to you, it is worth noting the Visa Security Commandments for credit card merchants specify a separate DMZ for credit card activity.

"Securing Extranet Connections" by Jeff Pipping on extranets, a special type of DMZ.

Hopefully this will spark some good debate,
Don
Last edited by don on Fri Feb 02, 2007 4:32 pm, edited 1 time in total.
CISSP, MCSE, CSTA, Security+ SME
<<

Kev

Post Sat Feb 03, 2007 9:46 am

Re: To DMZ or not to DMZ?

I would not be too eager to eliminate the DMZ.  There is a reason its well respected and has a good history.  A well set up DMZ that’s carefully monitored is very secure. Properly installed and maintained is the key. Also, why do so many think you have to have only one DMZ? You can have a DMZ behind another DMZ, etc…  In my experience, I am not seeing a proper set up and maintained DMZ being breached from the outside. It’s usually something not patched or poorly configured.  If it’s a very tight system and it’s breached, it’s usually from the inside.  Security today is actually very good if you can just get people to implement it properly.
<<

supafly613

User avatar

Newbie
Newbie

Posts: 12

Joined: Fri Feb 02, 2007 8:12 am

Location: Fredericton, New Brunswick, Canada

Post Sat Feb 03, 2007 6:51 pm

Re: To DMZ or not to DMZ?

I'm not sure I would ever feel comfortable eliminating the DMZ altogether, especially if the network is already built this way.

If possible, I think I'd be more open to getting rid of the DMZ as a leg hanging off my firewall and place it between 2 individual firewalls (see below):

(internet)
    |
(external_fw)
    |-----------------(dmz_server_farm)
(internal_fw)
    |
(internal_net)
Andrew Hay
NSA, CCSE Plus, CCNA, Security+, RHCE, GCIA, GCIH, SSP-MPA, SSP-CNSA
blog: http://www.andrewhay.ca
email: andrewsmhay || at || gmail.com
<<

oyle

User avatar

Sr. Member
Sr. Member

Posts: 264

Joined: Mon Jan 02, 2006 11:19 am

Location: Cleveland Ohio

Post Mon Feb 05, 2007 12:48 pm

Re: To DMZ or not to DMZ?

I also would not remove the DMZ. In my experience, I've seen a lot of networks that didn't have a DMZ to begin with, and if they had, they wouldn't have some of the problems they have.

Of course, if oyu're going to install a DMZ, you HAVE to make sure it's installed and configured correctly. If you don't you may as well not install one at all. It's not enough to just install a DMZ, you have to configure it correctly. That's half the job.
MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH
--------------------
"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

From 1337 h4x0r h4ndb00k: "the ten laws of geek", law x
                  -Tapeworm
<<

pcsneaker

Jr. Member
Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Mon Feb 05, 2007 1:20 pm

Re: To DMZ or not to DMZ?

A DMZ is another layer of security and you never can have too much layers when you are about to secure your network.

If you need to make a system accessible from the Internet I can't think of any reason to put such a system directly in a internal network - that would be the worst possible solution.
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Mon Feb 05, 2007 2:09 pm

Re: To DMZ or not to DMZ?

From a monitoring perspective, I really like having segregated security zones. Seeing a log that labels traffic from Ext to WebDMZ or something to that effect, just seems to make things easier when analyzing traffic. Especially if you break out your management traffic into its own zone. I'm definitely not a big fan of the people preaching deperimeterization or removing DMZ's. I think this is one case where more zones is actually better and worth the extra work to maintain or design.
<<

Bane

Post Wed Feb 07, 2007 5:11 pm

Re: To DMZ or not to DMZ?

I would not get rid of my DMZ ever. If properly configured, a DMZ adds security. By restricting access by the DMZ to the inside network, you reduce the risk and threat.

A properly configured DMZ server that has its access limited to say only accessing a backend application server can provide a very high level of security as extraneous access from the DMZ to the inside has been eliminated. It becomes much harder to take over a box when the attack profile has been drastically reduced.

Return to Editor-In-Chief

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software