
Is the DMZ losing relevance?

This is an idea that has come up in conversation a few times lately so I wanted to put it out there and see what everyone else thinks. I know it's a little bit on the crazy side, but the idea goes like this:

The practice of creating a De-Militarized Zone (DMZ - a perimeter network segment, sitting between the Internet-facing firewall and the corporate LAN, that hosts the servers outsiders are allowed to reach) is anachronistic. DMZs started when computing was comparatively stationary. Computers were big boxes that sat on or under a worker's desk and were physically wired to the network. Physical location provided a good measure of security, because in order to get onto the corporate network you had to have a computer that was plugged into the office wall.

No longer. These days, ubiquitous wireless laptops follow users in and out of the office. Users run their applications from anywhere, including the office, home or Wi-Fi hot spots.

To deliver those applications to remote users, network managers increasingly find themselves poking holes or adding NAT rules on the inner firewall that separates the DMZ from the corporate LAN. And the firewall rules that allow traffic into the LAN are typically exceptions granting access to the most trusted resources: domain controllers, web servers, application servers, SQL databases and the like. The CSO never wants to put another rule on that firewall, but application access trumps firewall configuration every time. Eventually, the inner firewall begins to resemble Swiss cheese.

Furthermore, increased user mobility adds to the risk of an infected machine walking in through the front door under the arm of a trusted employee. The DMZ offers no protection here, because the infected machine lands directly on the LAN without ever crossing the perimeter. IT groups respond by adding layers of anti-virus protection on all managed PCs and patching internal servers as though they were bastion hosts. Anti-X protection is everywhere: on the endpoints, on the servers and on the network.

Why then should we continue to spend time and money creating and maintaining a separate DMZ network? The premise is that the DMZ subnet might become fully compromised, and that the routing and firewall policies between the DMZ and the LAN should then limit what the attacker can reach. If access from the DMZ to sensitive back-end data is inevitably permitted in the name of application access, that premise no longer holds, and the inner firewall provides a false sense of security.
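To make the "Swiss cheese" problem from the two paragraphs above concrete, here is an added example that is not part of the original post and not Citrix code. It parses a constructed iptables-save style excerpt of an inner firewall's FORWARD chain and lists every DMZ-to-LAN ACCEPT rule, flagging those that reach a back-end service a compromised DMZ host should not be able to talk to, and those whose destination is a whole subnet rather than a single host. The interface names (eth1 for the DMZ side, eth0 for the LAN side), subnets, and the list of "sensitive" ports are assumptions made for the example.

```python
"""Audit DMZ-to-LAN exceptions on an inner firewall (added example, not from the post)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an iptables-save style excerpt of the inner firewall's
# FORWARD chain. Interfaces and addresses are assumptions for this example.
SAMPLE_RULES = """\
-A FORWARD -i eth1 -o eth0 -s 192.168.100.0/24 -d 10.0.0.10 -p tcp --dport 389 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.100.0/24 -d 10.0.0.10 -p tcp --dport 88 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.100.20 -d 10.0.0.30 -p tcp --dport 1433 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.100.20 -d 10.0.0.40 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.100.0/24 -d 10.0.0.0/24 -p tcp --dport 445 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -d 10.0.0.50 -p tcp --dport 22 -j DROP
-A FORWARD -i eth1 -o eth0 -j DROP
"""

# Services that a compromised DMZ host should normally not reach directly.
# The port list is an assumption for the example, not a claim from the post.
SENSITIVE_PORTS = {
    88: "Kerberos", 135: "MS-RPC", 389: "LDAP", 445: "SMB", 636: "LDAPS",
    1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5985: "WinRM",
}

@dataclass
class Rule:
    in_if: Optional[str]
    out_if: Optional[str]
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    target: str

@dataclass
class Finding:
    rule: Rule
    service: str      # name from SENSITIVE_PORTS, "any" if no port match, else "other"
    broad_dst: bool   # destination is a subnet (or absent), not a single host

# Only the option subset used in the sample; "-d" cannot match inside "--dport"
# because each option must be preceded by whitespace or start of line.
_OPT = re.compile(r"(?:^|\s)(-i|-o|-s|-d|-p|--dport|-j)\s+(\S+)")

def parse_rules(text: str) -> List[Rule]:
    """Parse FORWARD-chain rules from iptables-save style text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A FORWARD"):
            continue
        opts = dict(_OPT.findall(line))
        rules.append(Rule(
            in_if=opts.get("-i"), out_if=opts.get("-o"),
            src=opts.get("-s"), dst=opts.get("-d"), proto=opts.get("-p"),
            dport=int(opts["--dport"]) if "--dport" in opts else None,
            target=opts.get("-j", ""),
        ))
    return rules

def _is_broad(dst: Optional[str]) -> bool:
    """True when the rule's destination covers more than one LAN host."""
    if dst is None:
        return True  # no -d at all: every host behind the LAN interface
    return ipaddress.ip_network(dst, strict=False).num_addresses > 1

def audit(rules: List[Rule], dmz_if: str = "eth1", lan_if: str = "eth0") -> List[Finding]:
    """Return every ACCEPT rule that forwards traffic from the DMZ into the LAN."""
    findings = []
    for r in rules:
        if r.target != "ACCEPT" or r.in_if != dmz_if or r.out_if != lan_if:
            continue
        service = "any" if r.dport is None else SENSITIVE_PORTS.get(r.dport, "other")
        findings.append(Finding(r, service, _is_broad(r.dst)))
    return findings

def sensitive(findings: List[Finding]) -> List[Finding]:
    """Exceptions that reach a sensitive service, or any port at all."""
    return [f for f in findings if f.service != "other"]

def report(findings: List[Finding]) -> str:
    """One line per exception, with BROAD prefixed where the destination is a subnet."""
    lines = []
    for f in findings:
        flag = "BROAD " if f.broad_dst else ""
        lines.append(f"{flag}{f.rule.src or 'any'} -> {f.rule.dst or 'any'} "
                     f"{f.rule.proto or 'any'}/{f.rule.dport or '*'} ({f.service})")
    return "\n".join(lines)

if __name__ == "__main__":
    fs = audit(parse_rules(SAMPLE_RULES))
    print(f"{len(fs)} DMZ->LAN exceptions, {len(sensitive(fs))} to sensitive services")
    print(report(sensitive(fs)))
```

Run against the sample, it reports five DMZ-to-LAN exceptions, four of which expose a domain-controller or database service (LDAP, Kerberos, MSSQL, SMB) and one of which, the SMB rule, is open to the entire LAN subnet. That is the inventory a network admin would want before deciding whether the inner firewall still enforces anything worth the upkeep.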

Citrix is part of this question - we provide solutions that enable secure remote access to all types of applications (Access Gateway) and solutions that protect web applications where they are vulnerable: at the application layer (NetScaler and Application Firewall). In a typical deployment, the Access Gateway, NetScaler or App Firewall will be placed in the DMZ and then the poor network admin has to go and create firewall rules for everything that the Citrix devices will ever connect to on the LAN. A couple of customers lately (who I would consider in the vanguard) have abandoned the practice of maintaining a firewall between their SSL VPN server and their internal LAN. It sure makes deployment and upkeep easier as new applications are added.

Of course, I don't expect many companies will walk away from the DMZ topology any time soon. The more paranoid use a dual-stage DMZ (two DMZ segments behind two firewalls), which doubles the work of enabling application access.

To put this in context I have been running a DMZ on my home network for the past year or so, and I have found it adds very little safeguard but makes day-to-day tasks more complicated than I care for. I'm just about ready to go back to a flat subnet protected by a good external firewall.
