Firewall Wizards
mailing list archives
RE: Per application port DMZ segments?
From: Carson Gaspar <carson () taltos org>
Date: Tue, 18 Jan 2005 14:45:31 -0500
I'll step up to argue _for_ the DMZ VLANs, just to get the positives aired
[ NOTE: I think it's a dubious idea, but there are some "glass half full"
upsides if you end up doing it ]
- Assuming you put a real firewall in place as the DMZ VLAN aggregator
(that _is_ in the design, right?), you have a wonderful choke point for
controlling inter-app communications. They can't randomly add crap and have
it just work by virtue of being on the same, unfiltered, subnet. Several
commercial firewalls support 802.1q trunks. I like Netscreen, but they
aren't the only option.
- If the VLAN maintains integrity (which it _probably_ will), you have
additional compartmentalization. So your FTP server(s) being compromised is
less likely to allow them to leap to other servers.
- The firewall rules can actually be less complex, as services can be
provisioned by subnet instead of by server IP. This also makes adding
additional capacity to a given server farm easier, as it doesn't involve a
firewall rule change. This could be viewed as a negative, of course.
- The discipline of keeping different services on different VLANs will
probably help prevent new services from being installed on existing servers
without appropriate review.
--
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
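One way to realise the "real firewall as DMZ VLAN aggregator" design the post argues for, as an added example that is not Carson's or the list's own code: an nftables ruleset for a Linux firewall sitting on the 802.1q trunk, with one rule per service and per segment rather than per server IP. The interface names, VLAN IDs and subnets are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): nftables ruleset for a Linux box
# acting as the 802.1q DMZ VLAN aggregator firewall.
# Assumed/constructed: eth0 is the uplink, eth1 carries the trunk, and
# VLAN 10 = web, VLAN 20 = ftp, VLAN 30 = db, one /24 per application segment.

WEB_NET=10.10.10.0/24   # VLAN 10, subinterface eth1.10
FTP_NET=10.10.20.0/24   # VLAN 20, subinterface eth1.20
DB_NET=10.10.30.0/24    # VLAN 30, subinterface eth1.30

# Print the ruleset to stdout; load it with:  gen_dmz_ruleset | nft -f -
gen_dmz_ruleset() {
    cat <<EOF
flush ruleset
table inet dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> web segment: any host on the VLAN, HTTP/HTTPS only.
        # Adding a web server means putting it on VLAN 10, not editing this.
        iifname "eth0" oifname "eth1.10" ip daddr $WEB_NET tcp dport { 80, 443 } accept

        # Internet -> FTP segment: control channel only; the FTP conntrack
        # helper (if loaded) admits the data channel as "related".
        iifname "eth0" oifname "eth1.20" ip daddr $FTP_NET tcp dport 21 accept

        # The one sanctioned inter-application flow: web tier -> database tier.
        iifname "eth1.10" oifname "eth1.30" ip saddr $WEB_NET ip daddr $DB_NET tcp dport 5432 accept

        # Anything else crossing segments (e.g. a compromised FTP host probing
        # the web or db VLAN) is logged, rate-limited, then hits the drop policy.
        limit rate 10/second log prefix "dmz-inter-vlan-drop: "
    }
}
EOF
}
```

The lack of any /32 host rules is the point of the subnet-based provisioning bullet above; the drop policy plus the log line gives you the choke point and a detection signal for unexpected inter-VLAN traffic.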