[fw-wiz] Per application port DMZ segments?
From: Wes Noonan (mailinglists_at_wjnconsulting.com)
To: <email@example.com> Date: Tue, 18 Jan 2005 11:27:10 -0600
I have a customer that is considering implementing VLANs in their DMZ module
such that every application sits on a dedicated VLAN/DMZ segment. So for
example FTP, DNS, HTTP, Citrix, etc would each have their own VLAN/DMZ
segment. Now, every fiber in my being says this is a bad idea for a number
1) I think it will be near impossible to manage long term
2) The well known issue of VLANs and VLAN hopping
3) The introduction of complex routing in the DMZ
4) The requirement for entirely too many IP subnets in the DMZ
5) KISS - I think this is just going to be an entirely complex design and
implementation, which in general I have found complexity and security at
odds over things like misconfigurations...
As I understand it, the impetus for this is that their IDS generates too
many false positives and they think that by restricting a specific
application to a VLAN they can reduce the false positives (essentially if
the DMZ should only have port 25 traffic, everything else is a false
positive). Now, I see that as a case of the tail wagging the dog, IOW a
crappy IDS implementation dictating the design.
Another justification that has been put forth is to segment resources,
however I think that using private VLANs (they are a Cisco shop) is a better
solution - after all, even with per application VLANs the servers in that
VLAN will still be able to communicate with each other unless you do
So, does anyone know of any references, etc. that I can put in front of said
client to show them how this is a bad idea, or conversely have any
references that can show me that it's not as bad as I think it is?
firewall-wizards mailing list