Educause Security Discussion
mailing list archives
Re: DMZ versus TRUSTED ZONES (VLANs)
From: Robert Winding <bob () ALUMNI ND EDU>
Date: Mon, 13 Aug 2007 08:33:17 -0400
We use several DMZs, a private zone for database servers, etc., a monitoring
zone, and a system administration VPN with two-factor auth.
Our datacenter and servers are behind a firewall separate from our border.
In the datacenter firewall we have a traditional DMZ for public services and
an Administrative DMZ which houses services with a restricted constituency,
like faculty/staff. The admin DMZ includes ERP servers and test systems for
public services, etc. Depending on the restriction we may require users to
log on to a group-based VPN to gain access to these services. Generally, we
don't allow access to the private zone; however, there are some instances
where a restricted set of users needs query access or fat client access to a
database. In this case, the group-based VPN is a required control point.
We are also creating a zoned architecture on campus, e.g. staff/admin zone,
student zone, etc. This will better support the access restrictions to
datacenter services. Currently, without the group-based VPN we have campus
proper, resnet, and wireless as separately identifiable address spaces.
We use NAT behind the firewall and have a NoNAT DMZ to support systems that
cannot function in a NAT'd environment.
If you want more info on our environment contact me directly at
rwinding () nd edu
University of Notre Dame
On 8/12/07, Deepak J. Mathew <deepakm () rice edu> wrote:
How do you define what servers go behind your DMZ VLANs and what servers
go behind the Trusted Zone VLANs? I've seen practices where servers that
need to be accessed by users are in the Trusted Zone and servers that need
limited or no access to the end user/public are put in the DMZ VLANs. How
do you define your zones? Thanks!
Deepak J. Mathew
Systems Manager - Administrative Systems
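As an added illustration of the zone model Robert describes (not his configuration or any Notre Dame code), the following Python models the datacenter firewall as a default-deny zone matrix: the public DMZ is open to everyone, the admin DMZ only to campus and VPN users, and the private database zone only to VPN sessions carrying a specific group. The address ranges, zone and service names, and the `dba-query` group are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: the post names campus, resnet, wireless and a
# group-based VPN as distinct address spaces but gives no prefixes.
SOURCE_ZONES = {
    "campus":   ip_network("10.10.0.0/16"),
    "resnet":   ip_network("10.20.0.0/16"),
    "wireless": ip_network("10.30.0.0/16"),
    "vpn":      ip_network("10.99.0.0/24"),   # assumed group-VPN pool
}
INTERNET = "internet"   # anything not in a known internal space


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_zone: str                 # public_dmz | admin_dmz | private | monitoring
    service: str                  # web | erp | db_query (constructed names)
    vpn_groups: frozenset = frozenset()   # groups asserted by VPN auth, if any


def classify_source(ip: str) -> str:
    """Map a source address to its identifiable address space."""
    addr = ip_address(ip)
    for name, net in SOURCE_ZONES.items():
        if addr in net:
            return name
    return INTERNET


# (allowed source zones, destination zone, service, required VPN group or None)
# First match wins; anything unmatched is denied.
RULES = [
    ({INTERNET, "campus", "resnet", "wireless", "vpn"}, "public_dmz", "web", None),
    ({"campus", "vpn"}, "admin_dmz", "erp", None),
    ({"vpn"}, "private", "db_query", "dba-query"),   # VPN is the control point
]


def evaluate(flow: Flow) -> str:
    """Return 'permit' or 'deny' for a flow against the zone matrix."""
    src = classify_source(flow.src_ip)
    for sources, dst, svc, group in RULES:
        if src in sources and flow.dst_zone == dst and flow.service == svc:
            if group is None or group in flow.vpn_groups:
                return "permit"
            return "deny"        # right path, but VPN session lacks the group
    return "deny"                # default deny, including any private-zone access
```

Note that a campus user reaching for the database directly is denied even though the same user is permitted into the admin DMZ; only a VPN session with the right group satisfies the private-zone rule.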