On Nov 19, 2007 10:53 PM, Clint Pachl <[EMAIL PROTECTED]> wrote:
> In my DMZ research, some sources state that all services need to be
> replicated in each DMZ. Following that advice, I would have to set up
> Kerberos, ntp, backup, and DNS in each DMZ and the LAN; that sounds like
> a lot of work. What do you guys think?
A company I know just moved to this architecture. They have something on the scope of 5 DMZs consisting of about 10 different segments/tiers. This was the result of security architecture design for "the most secure" setup to provide segmentation.

I think it sucks. While the amount of segmentation they have is probably A Good Thing, the way it is implemented imposes this necessary duplication of infrastructure services in each of the segments. So instead of a pair of DNS servers, they've got a pair of DNS servers *per segment.* Ditto for LDAP, DHCP, monitoring, backup and administration jump servers. Maybe more.

It significantly increased the number of systems that need to be maintained in the organization. Introducing jump servers increased the number of administrative accounts that were needed by everyone. It increased the complexity of the design and of the processes for administration. It increased the amount of service replication and data transfer on the networks to support that. It significantly increased the cost to implement. We have suspicions that it's now too difficult for administrators to effectively maintain the hosts in these segments and some may be slipping on patches, backups, or other necessary administration tasks.

Moral: only do this crap if you can balance it out with the ability to reasonably manage the outcome and not incur disproportionate cost relative to the benefit it provides.

DS
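The two designs the thread contrasts (a redundant pair of every infrastructure service inside each segment, versus one shared infrastructure segment that each DMZ may reach only on the ports those services need) can be modelled concretely. The following is an added example, not code from either poster: the segment addresses, the infrastructure host addresses and the backup port are constructed for illustration, and the pf-style rules are generated as text for reading, not loaded into a firewall. It counts the infrastructure hosts each design requires and evaluates sample flows against the shared-segment policy, so the DMZ-to-DMZ and return-direction cases can be checked against the default deny.

```python
"""Model of the two DMZ designs discussed above: infrastructure services
replicated in every segment versus one shared infrastructure segment that
each DMZ may reach only on the ports those services need.

Addresses, segment names and the backup port are constructed for this
example; the pf syntax is illustrative text, not a loaded ruleset.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    proto: str   # "tcp" or "udp"
    port: int


# The services the original poster lists, with the ports they use.
# The backup port is an assumption; real agents use vendor-specific ports.
SERVICES = (
    Service("dns", "udp", 53),
    Service("dns", "tcp", 53),
    Service("ntp", "udp", 123),
    Service("kerberos", "tcp", 88),
    Service("kerberos", "udp", 88),
    Service("backup", "tcp", 10000),   # assumed port
)

# Constructed addressing: three DMZ tiers plus one shared infra segment.
SEGMENTS = {
    "dmz-web": ipaddress.ip_network("10.1.0.0/24"),
    "dmz-app": ipaddress.ip_network("10.2.0.0/24"),
    "dmz-db": ipaddress.ip_network("10.3.0.0/24"),
}
# A redundant pair per service in the shared infrastructure segment.
INFRA = {
    "dns": ("10.9.0.10", "10.9.0.11"),
    "ntp": ("10.9.0.20", "10.9.0.21"),
    "kerberos": ("10.9.0.30", "10.9.0.31"),
    "backup": ("10.9.0.40", "10.9.0.41"),
}


def hosts_for_infra(n_segments: int, replicate: bool) -> int:
    """Infrastructure hosts to maintain: one redundant pair per service,
    either once (shared segment) or once per DMZ segment (replicated)."""
    n_pairs = len({s.name for s in SERVICES})
    return 2 * n_pairs * (n_segments if replicate else 1)


def shared_infra_rules() -> list[str]:
    """Generate a default-deny pf-style ruleset: each DMZ segment may reach
    the shared infra hosts only on the service ports, and nothing else."""
    rules = ["block all"]
    for seg_name, net in SEGMENTS.items():
        for svc in SERVICES:
            for host in INFRA[svc.name]:
                rules.append(
                    f"pass out quick proto {svc.proto} from {net} "
                    f"to {host} port {svc.port}  # {seg_name} -> {svc.name}"
                )
    return rules


def flow_permitted(src: str, dst: str, proto: str, port: int) -> bool:
    """Evaluate a flow against the same policy shared_infra_rules() encodes:
    source must be in a DMZ segment, destination must be an infra host for
    a service on exactly that proto/port; everything else falls to deny."""
    src_ip = ipaddress.ip_address(src)
    if not any(src_ip in net for net in SEGMENTS.values()):
        return False                       # not from a known DMZ segment
    for svc in SERVICES:
        if svc.proto == proto and svc.port == port and dst in INFRA[svc.name]:
            return True
    return False                           # DMZ-to-DMZ and everything else


if __name__ == "__main__":
    for n in (1, 5, 10):
        print(f"{n} segments: replicated={hosts_for_infra(n, True)} "
              f"shared={hosts_for_infra(n, False)}")
    print("\n".join(shared_infra_rules()))
```

The host count is the part of the thread's complaint that is easy to quantify: with four service pairs, five segments means 40 infrastructure hosts replicated against 8 shared, before counting LDAP, DHCP, monitoring and jump hosts. The policy simulator makes the other half of the trade visible: the shared design only holds if the rules really are narrow, so a web-tier host reaching a database-tier host directly, or an infra host initiating into a DMZ, must evaluate to deny.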

