Darren Spruell wrote:
On Nov 19, 2007 10:53 PM, Clint Pachl <[EMAIL PROTECTED]> wrote:
In my DMZ research, some sources state that all services need to be
replicated in each DMZ. Following that advice, I would have to setup
Kerberos, ntp, backup, and DNS in each DMZ and the LAN; that sounds like
a lot of work. What do you guys think?

A company I know just moved to this architecture. They have something
on the scope of 5 DMZs consisting of about 10 different
segments/tiers. This was the result of security architecture design
for "the most secure" setup to provide segmentation.

I think it sucks. While the amount of segmentation they have is
probably A Good Thing, the way it is implemented imposes this
necessary duplication of infrastructure services in each of the
segments. So instead of a pair of DNS servers, they've got a pair of
DNS servers *per segment.* Ditto for LDAP, DHCP, monitoring, backup
and administration jump servers. Maybe more. It significantly
increased the number of systems that need to be maintained in the
organization. Introducing jump servers increased the number of
administrative accounts that were needed by everyone. It increased the
complexity of the design and processes for administration. It
increased the amount of replication of services and data transfer on
the networks for that. It significantly increased the cost to
implement. We have suspicions that it's now too difficult for
administrators to effectively maintain the hosts in these segments and
some may be slipping on patches, backups, or other necessary
administration tasks.

Moral: only do this crap if you can balance it out with the ability to
reasonably manage the outcome and not incur disproportionate cost to
the benefit it provides.

Thanks for that feedback. That example you gave sounds like an admin nightmare.

I've decided to go with a fairly flat topology. I will have a single DMZ, a LAN segment, and a segment for WLAN and use a single firewall to route between the segments. Anything that will be directly accessible from the Internet will go in the DMZ, otherwise everything else goes in the LAN. I will poke holes in the firewall from the DMZ to the LAN as necessary (i.e. webservers -> {database,kerberos,etc}). Every host on the network will have pf enabled, only allowing services to specified hosts. I will also be setting up nagios and snort to keep the network in check and watch for "illegal communications" between servers.

I've done a lot of network and DMZ design research over the last 3 days. I've looked at hundreds of websites and newsgroup postings and read the following titles:

Building DMZs for Enterprise Networks <http://www.amazon.com/Building-Enterprise-Networks-Robert-Shimonski/dp/1931836884/ref=sr_1_6?ie=UTF8&s=books&qid=1195677170&sr=1-6>
Designing and Building Enterprise DMZs <http://www.amazon.com/Designing-Building-Enterprise-DMZs-Flynn/dp/1597491004/ref=sr_1_8?ie=UTF8&s=books&qid=1195677170&sr=1-8>
Designing Large Scale LANs <http://www.amazon.com/Designing-Large-Scale-Kevin-Dooley/dp/0596001509/ref=sr_1_11?ie=UTF8&s=books&qid=1195677281&sr=1-11>

I've also built highly segmented networks and find them difficult to manage; they have highly complex traffic flows and firewall rule sets. And I don't believe they offer much more security, because many attacks are taking place at the application level and on the inside, carried out by compromised hosts. I think every server should be hardened and monitored and trust no one.

In all my research, I like best this article about MIT's security architecture:
http://www.computerworld.com/securitytopics/security/story/0,10801,100021,00.html
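The per-host pf policy described in the reply above (every host runs pf and only allows services to specified hosts, with the DMZ web servers permitted to reach the database and Kerberos on the LAN), written out as an added example for a single DMZ web server. This is not configuration from anyone on the thread; the interface name, all addresses, the database port (5432), the NRPE port (5666) and the admin subnet are assumptions for illustration and would be replaced with the real values.

```pf
# Added example, not from the original thread: host pf.conf for a DMZ web
# server in the single-DMZ design. Interface, addresses and ports below are
# assumed for illustration.
ext_if    = "em0"

# Assumed LAN-side back-end hosts this web server is allowed to talk to.
db_srv    = "10.1.0.10"               # database server, assumed port 5432
kdc_srv   = "10.1.0.20"               # Kerberos KDC
dns_srv   = "{ 10.1.0.30, 10.1.0.31 }"
ntp_srv   = "10.1.0.40"
monitor   = "10.1.0.50"               # nagios host, NRPE assumed on 5666
admin_net = "10.1.0.0/24"             # LAN range allowed to ssh in

set skip on lo0
set block-policy drop

# Default deny in both directions. Logging the drops is what lets nagios
# and snort catch "illegal communications" between servers.
block log all

antispoof quick for $ext_if

# Public services this host actually offers to the Internet.
pass in on $ext_if proto tcp to ($ext_if) port { 80, 443 } flags S/SA keep state

# Administration and monitoring only from the LAN segment.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 flags S/SA keep state
pass in on $ext_if proto tcp from $monitor to ($ext_if) port 5666 flags S/SA keep state

# Outbound: only the named back-end services; a compromised web server
# cannot reach anything else on the LAN.
pass out on $ext_if proto tcp from ($ext_if) to $db_srv port 5432 flags S/SA keep state
pass out on $ext_if proto { tcp, udp } from ($ext_if) to $kdc_srv port { 88, 464 } keep state
pass out on $ext_if proto { tcp, udp } from ($ext_if) to $dns_srv port 53 keep state
pass out on $ext_if proto udp from ($ext_if) to $ntp_srv port 123 keep state
pass out on $ext_if inet proto icmp from ($ext_if) icmp-type echoreq keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch the logged drops with `tcpdump -n -e -ttt -i pflog0`; anything a server tries that is not in its explicit out list shows up there, which is the feed the monitoring described above would key on.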
