Re: Functional based DMZs - Your thoughts?

Try thinking of a DMZ as a security zone, not a functionality zone. Devices that are similar in security risk should be on the same DMZ. For example, your SMTP gateways could reside on the same DMZ. However, database servers or servers that can access backend databases could be on a different DMZ.

The comment about a compromised DMZ device is dead on. If someone gets root or admin access, they can do anything to anything else on the DMZ. Even if you subnet everything as 255.255.255.255 so they have to be routed between each other via the firewall, if I have root on a box I can change its subnet mask or IP address or anything.

Ray
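The point Ray makes about a rooted box rewriting its own address is easy to demonstrate. The following script is an added example, not code from the thread or from anyone posting in it. It models two ways a firewall can map a packet to a security zone: inferring the zone from the source address (which a rooted host controls) versus taking the zone from the ingress interface and dropping any source address that does not belong behind that interface. The interface names, subnets, ports and the three allow rules are hypothetical and exist only to make the comparison concrete.

```python
"""Zone-based firewall policy evaluator (added example, hypothetical layout)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Assumed layout (not from the post): one firewall interface per security
# zone, with the subnet that legitimately sits behind that interface.
ZONES = {
    "eth0": ("internet", ip_network("0.0.0.0/0")),
    "eth1": ("dmz_mail", ip_network("192.0.2.0/24")),
    "eth2": ("dmz_db", ip_network("198.51.100.0/24")),
    "eth3": ("internal", ip_network("10.0.0.0/8")),
}

# Assumed policy: (source zone, destination zone, destination port).
# Everything not listed is dropped.
ALLOW = {
    ("internet", "dmz_mail", 25),   # inbound mail to the SMTP gateways
    ("dmz_mail", "internal", 25),   # gateways relay to the internal mail store
    ("internal", "dmz_db", 5432),   # only internal app hosts reach the databases
}


@dataclass(frozen=True)
class Packet:
    ingress: str          # firewall interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address
    dport: int


def zone_of_address(addr: IPv4Address) -> str:
    """Longest-prefix match of an address against the zone subnets."""
    zone, _ = max(
        (z for z in ZONES.values() if addr in z[1]),
        key=lambda z: z[1].prefixlen,
    )
    return zone


def address_based(pkt: Packet) -> bool:
    """Weak policy: trust whatever zone the source address claims to be in."""
    rule = (zone_of_address(pkt.src), zone_of_address(pkt.dst), pkt.dport)
    return rule in ALLOW


def interface_based(pkt: Packet) -> bool:
    """Zone comes from the ingress interface. A source address that does not
    belong behind that interface is spoofed and dropped (anti-spoofing)."""
    zone, _subnet = ZONES[pkt.ingress]
    if zone_of_address(pkt.src) != zone:
        return False  # address claims a zone the packet did not arrive from
    rule = (zone, zone_of_address(pkt.dst), pkt.dport)
    return rule in ALLOW


def decide(ingress: str, src: str, dst: str, dport: int) -> tuple:
    """Return (address_based verdict, interface_based verdict) for one packet."""
    pkt = Packet(ingress, ip_address(src), ip_address(dst), dport)
    return address_based(pkt), interface_based(pkt)


def rooted_mail_host_scenario() -> dict:
    """Assumed attack: root on an SMTP gateway (192.0.2.10 on eth1) changes
    its own address to look like an internal host and goes for the database."""
    db = "198.51.100.20"
    return {
        # a genuine internal app host on eth3: both policies allow it
        "legit": decide("eth3", "10.1.1.5", db, 5432),
        # same source address, but the packet arrives on the mail DMZ interface
        "spoofed_from_mail_dmz": decide("eth1", "10.1.1.5", db, 5432),
        # the gateway using its real address: neither policy allows it
        "honest_from_mail_dmz": decide("eth1", "192.0.2.10", db, 5432),
    }


if __name__ == "__main__":
    for name, (addr_verdict, iface_verdict) in rooted_mail_host_scenario().items():
        print(f"{name:24s} address-based={'ALLOW' if addr_verdict else 'DROP'} "
              f"interface-based={'ALLOW' if iface_verdict else 'DROP'}")
```

Running it shows the spoofed packet passing the address-based policy and being dropped by the interface-based one. The takeaway matches Ray's argument: once an attacker has root, anything the host asserts about itself (address, mask, routes) is untrustworthy, so separation has to be enforced by something the host does not control, such as which firewall interface or VLAN it is physically attached to, and hosts of different risk belong on different segments rather than sharing one with address-level tricks.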