Re: [fw-wiz] segmentation of DMZs

From: Paul D. Robertson
Date: 11/14/02

From: "Paul D. Robertson"
To: Shimon Silberschlag
Date: Thu Nov 14 07:03:02 2002

On Thu, 14 Nov 2002, Shimon Silberschlag wrote:

> either "protected ports" if layer 2 or ACLs if layer 3. Now, some
> folks here offer to further segment the infrastructure by having
> separate physical segments for presentation servers (WWW) that provide
> authenticated services (and hence have as audience a small subset of
> the internet crowd but do provide much more sensitive information) and
> those that are not authenticated (thus can serve the entire internet
> population). They also would like to break the database segment into 2
> sub-segments for "sensitive" databases and those that are "not so
> sensitive".
> I would like to enquire if anyone in the group either implemented such
> a design or supports it, and what are the reasons for doing so. If you
> think this is overkill, please do specify why.

I've always tried to segment traffic for the world at large from traffic
destined for smaller populations. Wherever I can, I've included physical
separation in that plan.

I've done it for Web servers, most of the rationale being (a) physical
separation wins, (b) if the infrastructure is similar, I'd prefer that the
more private machines not be found too easily (SBO, but helps when
someone's googling for victims), (c) I could have a separate
administrative staff for sensitive things if it became necessary, (d) my
disaster plan for equipment failure could include limping along with
everything on the same switch if completely necessary, and (e) I could
enforce much more stringent security policies on private or semi-private
systems if necessary.

I like to also use different address ranges: if you're using post-CIDR
addresses, snarf address space from both providers, make them accept
traffic for each other's ranges, and put the public stuff up on one set,
and the private stuff up on the other. If you use separate ASes and do
some cross-pollination with multiple addresses for critical stuff for
emergency use, you can pretty much withstand any single-provider issue
(assuming you have a robust multiple-provider infrastructure). There's
some "fun with DNS" stuff you can play with in there, but I'll spare
everyone DNS gymnastics stories, since this is way outside the original

Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
Director of Risk Assessment
TruSecure Corporation
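A way to check that a proposed ACL set actually enforces the segmentation debated above (public vs. authenticated web tiers, sensitive vs. non-sensitive databases). This is an added example, not code from either poster; the zone names, ports and the sample rule set are constructed assumptions.

```python
from dataclasses import dataclass

# Segments proposed in the thread; the zone names are this example's assumptions.
ZONES = {"internet", "www_public", "www_auth", "db_public", "db_sensitive", "mgmt"}

# Intended flows (src zone, dst zone) -> permitted TCP ports; everything else is denied.
# Only the authenticated web tier is meant to reach the sensitive database segment.
INTENDED = {
    ("internet", "www_public"): {80, 443},
    ("internet", "www_auth"): {443},
    ("www_public", "db_public"): {5432},
    ("www_auth", "db_sensitive"): {5432},
    ("mgmt", "www_public"): {22},
    ("mgmt", "www_auth"): {22},
    ("mgmt", "db_public"): {22},
    ("mgmt", "db_sensitive"): {22},
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int  # 0 means "any port"

def unintended_rules(rules):
    """Return the rules that permit a flow the intended matrix does not."""
    return [r for r in rules
            if r.port == 0 or r.port not in INTENDED.get((r.src, r.dst), set())]

def paths(rules, src, dst, _seen=()):
    """All simple zone-hop paths from src to dst that the rules permit."""
    if src == dst:
        return [(src,)]
    out = []
    for r in rules:
        if r.src == src and r.dst not in _seen + (src,):
            for tail in paths(rules, r.dst, dst, _seen + (src,)):
                out.append((src,) + tail)
    return out

# Constructed rule set standing in for the ACLs a reviewer would be handed.
PROPOSED = [
    Rule("internet", "www_public", 443),
    Rule("internet", "www_auth", 443),
    Rule("www_public", "db_public", 5432),
    Rule("www_auth", "db_sensitive", 5432),
    Rule("www_public", "db_sensitive", 5432),  # lets the public tier bypass authentication
    Rule("mgmt", "db_sensitive", 0),           # any-port management rule, wider than intended
]

if __name__ == "__main__":
    for r in unintended_rules(PROPOSED):
        print("unintended:", r)
    for p in paths(PROPOSED, "internet", "db_sensitive"):
        print("internet -> db_sensitive via", " -> ".join(p))
```

Running it lists the two rules outside the matrix and shows that the sensitive database segment is reachable from the Internet through both web tiers, which is exactly the separation the extra segment was supposed to buy.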