Re: [SAGE] Questions about a DMZ config
On 11-Jan-2007, at 09:22 , Cat Okita wrote:
> On Thu, 11 Jan 2007, Neil Watson wrote:
>> I've come across a DMZ design that I've not seen before. It seems
>> somewhat flawed to me. I'd like to hear the opinions of other Sage
>> members.
>
> It's not an unusual configuration - I've seen it in a variety of
> environments. It's designed to isolate components, and typically also
> uses different types of firewall, for better defence against
> monoculture vulnerabilities.
Yeah, I've seen this one before too. And agreed, in this layout I'd
expect to see split DNS (or, in BIND parlance, "DNS Views") being used.
The way I'd normally implement this is a bit different though. Using
a firewall with more than two ports, I'd assign one to "outside", one
to "inside", and the remaining ports to the different DMZs, using
non-RFC1918 addresses in the DMZs. It allows for problems stemming from
monoculture, but uses less hardware, and can provide slightly more
flexibility in the rules of who can speak to which DMZ, and on what
ports.
Matt
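The split DNS ("DNS Views") arrangement Matt mentions, as an added illustration that is not part of the original thread: a BIND named.conf fragment with an internal view that sees the full zone and can recurse, and an external view that only serves the public zone. The zone name, file paths and addresses are constructed examples; the DMZ is placed on 192.0.2.0/24 (documentation space) to stand in for the non-RFC1918 addressing he describes.

```conf
// Constructed example. Inside networks are RFC1918; the DMZ sits on
// public, non-RFC1918 space (192.0.2.0/24 is reserved for documentation).
acl "inside" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
acl "dmz"    { 192.0.2.0/24; };

options {
    directory "/var/named";
    recursion no;                 // default; the internal view re-enables it
    allow-transfer { none; };     // no zone transfers from either view
};

// Internal view: inside hosts and the DMZ see the full zone, including
// names that should never be visible from the outside, and may recurse.
view "internal" {
    match-clients { "inside"; "dmz"; localhost; };
    recursion yes;
    allow-recursion { "inside"; "dmz"; localhost; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // internal + public names
    };
};

// External view: everyone else gets a minimal authoritative zone only,
// with no recursion, so internal host names and addresses never leak.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public names only
    };
};
```

BIND matches views in the order they appear, so the catch-all `any` view must be last; after `named-checkconf`, querying the same name from an inside host and from an outside host is the quickest way to confirm that only the intended answers are visible from each side.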