[fw-wiz] Per application port DMZ segments?

From: Wes Noonan (mailinglists_at_wjnconsulting.com)
Date: 01/18/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 18 Jan 2005 11:27:10 -0600


    I have a customer that is considering implementing VLANs in their DMZ module
    such that every application sits on a dedicated VLAN/DMZ segment. So, for
    example, FTP, DNS, HTTP, Citrix, etc. would each have their own VLAN/DMZ
    segment. Now, every fiber in my being says this is a bad idea for a number
    of reasons:

    1) I think it will be near impossible to manage long term
    2) The well known issue of VLANs and VLAN hopping
    3) The introduction of complex routing in the DMZ
    4) The requirement for entirely too many IP subnets in the DMZ
    5) KISS - I think this is just going to be an entirely complex design and
    implementation, and in general I have found complexity and security to be at
    odds over things like misconfigurations...

    As I understand it, the impetus for this is that their IDS generates too
    many false positives and they think that by restricting a specific
    application to a VLAN they can reduce the false positives (essentially if
    the DMZ should only have port 25 traffic, everything else is a false
    positive). Now, I see that as a case of the tail wagging the dog, IOW a
    crappy IDS implementation dictating the design.

    Another justification that has been put forth is to segment resources,
    however I think that using private VLANs (they are a Cisco shop) is a better
    solution - after all, even with per application VLANs the servers in that
    VLAN will still be able to communicate with each other unless you do
    something else.

    So, does anyone know of any references, etc. that I can put in front of said
    client to show them how this is a bad idea, or conversely have any
    references that can show me that it's not as bad as I think it is?


    Wes Noonan
    Hardening Network Infrastructure - A concise how to guide
    Available Now!!
    Order at http://tinyurl.com/5852c

    firewall-wizards mailing list
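As an added illustration that is not part of the original post: a Catalyst IOS private VLAN fragment of the kind the poster alludes to, which keeps DMZ servers in one subnet but stops them from talking to each other at layer 2 while each can still reach the firewall. VLAN numbers and interface names are assumptions.

```cisco
! Added example (not from the original post). VLAN numbers and
! interface names are assumed; adjust to the platform in use.
! Older Catalyst platforms require VTP transparent mode for PVLANs.
vtp mode transparent
!
! Secondary (isolated) VLAN: hosts in it can reach only promiscuous
! ports, never each other.
vlan 101
 name DMZ-ISOLATED
 private-vlan isolated
!
! Primary VLAN carrying the DMZ subnet, bound to the isolated VLAN.
vlan 100
 name DMZ-PRIMARY
 private-vlan primary
 private-vlan association 101
!
! Firewall-facing port: promiscuous, so it can talk to every DMZ host.
interface GigabitEthernet1/0/1
 description Firewall DMZ interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Server ports: isolated hosts in the same subnet, no east-west traffic.
interface range GigabitEthernet1/0/2 - 12
 description DMZ servers
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
```

`show vlan private-vlan` lists the primary/secondary pairing and member ports for verification. Since isolation is enforced only at layer 2, any server-to-server traffic that is legitimately required has to be hairpinned through the firewall, where it can be filtered and logged.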
