CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
In our environment we have an external DMZ with a variety of servers performing a variety of functions, and some of these talk directly to our internal private network for resources like databases. I've inherited the environment, but I'd like to limit the servers talking directly to the internal database servers, and I'd like to create a new functional-based DMZ specifically to house the database servers. What are people's thoughts on this? What are people's thoughts on functional DMZs, in other words segregating your servers into separate DMZs like web, Citrix, for example? Any comments appreciated. Thanks in advance.

A very good idea. Why put everything that is publicly accessible on one "dmz"? If someone manages to break in on one of these servers, this means he can then attack all the other servers on the same DMZ from the first compromised server, bypassing your firewall and probably also your IDS. Separate your servers into as many different VLANs as possible, connected by your firewall. The idea of one big DMZ is "bad design" and is asking for trouble.

Hi diago, Personally, I do that. I will have a 'web' DMZ for web servers, an 'app' DMZ for the middle-tier app servers and maybe a 'db' DMZ for database servers, a mail DMZ for mail, and so on. Where I put stuff generally depends on what the thing does and how the developers are coding (they never do it the same twice!). If possible, the DBs in the db DMZ will be copies of the DBs on the internal LAN, which get updated from the internal LAN, although as we move to more real-time apps I am having to rethink this a bit. It's a bit more painful and costly to set up in the first place, but it can make life a little easier later down the line; creating network diagrams is a bit more of a pain in the a**, though. Damn Visio! No, I don't have SmartMap! I would be interested to hear what others think. Cheers, George

Port protect, or private VLANs on your switches, can help mitigate damage if one public-facing system is compromised and there are other systems on that VLAN.

So with functional DMZs you would need more physical ports on your firewall, yeah? Or if you used a Cisco switch and set up VLANs on it and didn't have them routing to each other? I like the idea, haven't heard of it before.
__________________
tdvit CCSA CCSE

For some customer types it's very common to have at least 2 DMZs, one private and one public. Some customers I've been to have taken DMZs to the extreme, having easily over 40 DMZ VLANs.

Try thinking of a DMZ as a security zone, not a functionality zone. Devices that are similar in security risk should be on the same DMZ. For example, your SMTP gateways could reside on the same DMZ. However, database servers or servers that can access backend databases could be on a different DMZ. The comment about a compromised DMZ device is dead on. If someone gets root or admin access, they can do anything to anything else on the DMZ. Even if you subnet everything as 255.255.255.255 so they have to be routed between each other via the firewall, if I have root on a box I can change its subnet mask or IP address or anything. Ray

It definitely sounds like a good idea. You can control access to public-facing stuff in DMZ number one, and then control it again going from DMZ 1 into DMZ 2, where the DB stuff lives, so basically it's not possible to connect to zone 2 from the Internet. In terms of logical separation, why even have everything in one VLAN? Just trunk the interfaces using 802.1q and then have as many logically separate DMZs as you need, using the layer 3 addressing on the firewall to route traffic in and out. Much more granular control.

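The two-tier control described in the last two posts (Internet reaches only the web DMZ, the web DMZ reaches only the db DMZ, and traffic between hosts that share a VLAN never crosses the firewall at all) modelled as a small first-match rulebase evaluator. This is an added illustration written for this thread, not code from any poster or from Check Point; the zone names, subnets and rules are constructed for the example.

```python
"""Constructed model of a zone-based DMZ rulebase (illustration only, not Check Point code)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Each functional DMZ is its own VLAN/subnet hanging off the firewall (constructed addressing).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),   # catch-all for anything not listed below
    "web_dmz": ipaddress.ip_network("192.0.2.0/24"),
    "db_dmz": ipaddress.ip_network("198.51.100.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    dport: Optional[int]  # None means any port
    action: str           # "accept" or "drop"

# First-match rulebase. There is deliberately no rule from internet to db_dmz or
# internal, so those flows fall through to the implicit cleanup rule (drop).
RULEBASE = [
    Rule("internet", "web_dmz", 443, "accept"),
    Rule("web_dmz", "db_dmz", 1433, "accept"),    # web tier may only talk SQL to the db tier
    Rule("internal", "db_dmz", 1433, "accept"),   # internal LAN pushes updates to the DMZ copies
]

def zone_of(ip: str) -> str:
    """Return the most specific zone whose subnet contains ip (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    _prefixlen, zone = max((n.prefixlen, z) for z, n in ZONES.items() if addr in n)
    return zone

def evaluate(src_ip: str, dst_ip: str, dport: int) -> str:
    """Decide a flow: 'accept', 'drop', or 'bypass' when it never reaches the firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Same VLAN: the switch forwards it directly; the firewall and its IDS see nothing.
        # This is the flat-DMZ problem the thread describes: one compromised host
        # reaches every neighbour, and the firewall rulebase never gets a say.
        return "bypass"
    for rule in RULEBASE:
        if rule.src == src and rule.dst == dst and rule.dport in (None, dport):
            return rule.action
    return "drop"  # implicit cleanup rule
```

Moving the database hosts into their own zone is what turns the second hop into a decision the firewall actually makes; in the flat layout the same flow returns "bypass".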
That sounds sensible, just having a large collection of logically separate DMZs. In terms of tiers, though, once you get to four it just gets a bit out of control. Three security zones in my experience is enough.

With bridged interfaces, this makes even more sense. I have a customer that until recently was running SunScreen SPF; each DMZ server was on a separate interface (SunScreen was a switch, not a bridge, so doing this in Check Point land isn't as easy).