On Tue, May 22, 2012 at 6:59 AM, Mohan Sundaram <[email protected]> wrote:
> DMZ (De-Militarised Zone) is a standard term used in securing your
> perimeter. It is a wartime terminology. Essentially, it divides the area
> that needs to be protected into different zones with different levels of
> security and restrictions. Networks are treated the same way. Generally,
> publicly accessible services behind a firewall are placed in a DMZ. The LAN
> within the organisation would be treated as a core, highly secure network.
> Good practice to restrict traffic would be:
>
> Public -> DMZ: allow using port forwarding. DMZ -> Public: not allowed.
> LAN -> DMZ: allow using simple routing. DMZ -> LAN: not allowed.
> LAN -> Public: allow via proxies to monitor and restrict as needed. Public -> LAN: not allowed.
In a larger enterprise context this is extended further:

1. There are two levels of firewalls: 1) between the Public and DMZ networks and 2) between the DMZ and LAN. These are physically different devices and sometimes even from different vendors.

2. Sometimes traffic within a single DMZ is further controlled through Private VLANs. E.g. 1) an enterprise DMZ network can host hundreds of servers/applications. If one application is compromised, the entire DMZ is exposed through this server/application. E.g. 2) if you use a web server + DB and the web server is compromised, the DB is totally exposed. Private VLANs are used to split a DMZ into smaller segments. http://en.wikipedia.org/wiki/Private_VLAN

In several industries like banking and financial institutions, most of this is regulated and subject to routine audits. E.g. RBI, BSE/NSE routinely audit banks and stock traders and can revoke a license if non-compliant. Other organizations would do self audits or audits as requested by their customers.

Enterprise IT security is difficult. There's a lot of technology, cost and effort involved, plus there are always new challenges to overcome. Suppose that's what security folks like about their work :-)

- Raja

_______________________________________________
ILUGC Mailing List: http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
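The zone matrix from the quoted post and the Private VLAN point from the reply, turned into a small flow-log audit (an added example, not code from either poster): it classifies source and destination as Public, DMZ or LAN, applies the allow/deny table, treats Private VLANs as per-application segments inside the DMZ, and reports every logged flow the policy forbids. The addresses, published services, segment membership and the `src dst dport` log format are all constructed for the example.

```python
import ipaddress
# Constructed addressing; the policy logic does not depend on these values.
ZONES = {"LAN": ipaddress.ip_network("10.0.0.0/8"),
         "DMZ": ipaddress.ip_network("192.168.100.0/24")}
# Services published into the DMZ by port forwarding (constructed).
PUBLISHED = {("192.168.100.10", 443), ("192.168.100.20", 25)}
# Private-VLAN style segments in the DMZ; hosts may talk only within their own (constructed).
SEGMENTS = {"webapp": {"192.168.100.10", "192.168.100.11"}, "mail": {"192.168.100.20"}}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Public"

def segment_of(ip):
    return next((n for n, hosts in SEGMENTS.items() if ip in hosts), None)

def policy(src, dst, dport):
    """Verdict for one flow under the zone rules in the post: allow, proxy or deny."""
    s, d = zone_of(src), zone_of(dst)
    if s == "Public" and d == "DMZ":   # only port-forwarded services are reachable
        return "allow" if (dst, dport) in PUBLISHED else "deny"
    if s == "LAN" and d == "DMZ":      # simple routing
        return "allow"
    if s == "LAN" and d == "Public":   # allowed, but only through the monitoring proxy
        return "proxy"
    if s == "DMZ" and d == "DMZ":      # Private VLAN: same application segment only
        seg = segment_of(src)
        return "allow" if seg is not None and seg == segment_of(dst) else "deny"
    return "deny"                      # DMZ->Public, DMZ->LAN, Public->LAN, anything else

def audit(flow_log):
    """Return (src, dst, dport) for each 'src dst dport' line (constructed format) the policy denies."""
    denied = []
    for line in flow_log.strip().splitlines():
        src, dst, dport = line.split()
        if policy(src, dst, int(dport)) == "deny":
            denied.append((src, dst, int(dport)))
    return denied

# Constructed sample flows; the DMZ web server reaching a LAN database is the "web server compromised, DB exposed" case.
SAMPLE = """203.0.113.7 192.168.100.10 443
203.0.113.7 192.168.100.10 22
10.1.2.3 192.168.100.10 443
10.1.2.3 198.51.100.9 443
192.168.100.10 10.1.5.5 3306
192.168.100.10 192.168.100.20 25
192.168.100.10 192.168.100.11 5432"""
```

Running `audit(SAMPLE)` flags the unpublished SSH attempt from the Internet, the DMZ host reaching into the LAN, and the cross-segment DMZ connection, while the LAN client's Internet request comes back as `proxy` rather than a violation.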
