Re: [SAGE] Questions about a DMZ config
On Thu, 11 Jan 2007, Neil Watson wrote:
> I've come across a DMZ design that I've not seen before. It seems
> somewhat flawed to me. I'd like to hear the opinions of other Sage
> members.
>
> Internet
> |
> FW
> |
> 192.168.32.0/24
> (web servers, external DNS, mail gateways)
> |
> FW
> |
> 192.168.42.0/24
> (middle-ware)
> |
> FW
> |
> Internal Network.
It's not an unusual configuration - I've seen it in a variety of
environments. It's designed to isolate components, and typically also
uses different types of firewall, for better defence against monoculture
vulnerabilities.
> Is this type of arrangement typical? Is another DNS service required to
> fix this problem or is there a more serious flaw?
I'd normally expect to see split DNS here...
cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."