tedauction
New Member
February 18, 2022
Question

VIP policies to LAN or DMZ ?

Hello, we have a DMZ VDOM; however, we still have many legacy incoming public VIP rules that point to our 'non-DMZ' LAN VDOM.

Is this considered bad security practice?

These public-facing VIP rules are quite strict about the ports allowed, but I just feel that any public-facing ports at all should be directed to the DMZ?

Am I being too wary?

1 reply

ede_pfau
SuperUser
February 19, 2022

Nope. IMHO, if you take the pain, cost and effort to create a DMZ VDOM in the first place, you are obliged to adhere to these principles. I tend to explain to customers what a DMZ is for by saying: "imagine the servers in the DMZ are hacked and now under the control of some evil guy - what can happen?" That rules out policies from DMZ to LAN, for instance. Sometimes workflows have to be redesigned for this, but better to put some effort in here than fix a leak later.

Whenever I encounter VIP access rules in a firewall, I feel uncomfortable. Sometimes you can replace them with VPN access and tight policies, which is way more secure. But it'll take more effort.
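As an added example, not code from the thread or from Fortinet: a small Python audit of a FortiOS multi-VDOM config backup that flags the two patterns the reply above warns against, an accept policy in a non-DMZ VDOM whose destination is a VIP (the legacy rules the question describes), and an accept policy in the DMZ VDOM whose destination interface leads toward the LAN. The config excerpt is constructed and trimmed to the keywords the parser needs; the VDOM names LAN and DMZ and the inter-VDOM link name dmz2lan0 are assumptions, not from the post.

```python
"""Added example (not Fortinet code, not from the thread): audit a FortiOS
multi-VDOM backup for public VIPs terminating outside the DMZ VDOM and for
DMZ->LAN accept policies.  Constructed config; VDOM/link names are assumed."""
import shlex

# Constructed sample in FortiOS backup style: a legacy RDP VIP still landing
# in the LAN VDOM, and a DMZ->LAN database policy over an inter-VDOM link.
SAMPLE_CONFIG = """
config vdom
edit LAN
config firewall vip
    edit "legacy_rdp_vip"
        set extip 203.0.113.5
        set mappedip "10.10.0.25"
    next
end
config firewall policy
    edit 7
        set srcintf "port1"
        set dstintf "port2"
        set dstaddr "legacy_rdp_vip"
        set action accept
        set service "RDP"
    next
end
end
config vdom
edit DMZ
config firewall policy
    edit 2
        set srcintf "port4"
        set dstintf "dmz2lan0"
        set dstaddr "all"
        set action accept
        set service "MSSQL"
    next
end
end
"""


def parse_fortios(text: str) -> dict:
    """Return {vdom: {table_path: {entry: {setting: [values]}}}}. Handles both
    ways FortiOS closes a VDOM scope: an explicit 'next' after 'edit <vdom>', and
    the backup style where one 'end' closes the VDOM entry and 'config vdom'."""
    vdoms, vdom, stack = {}, "global", []  # frames: (config|vdom|edit, value)

    def path() -> str:  # table path relative to the enclosing VDOM
        parts = []
        for kind, val in stack:
            parts = [] if kind == "vdom" else parts
            if kind == "config":
                parts.append(val)
        return " ".join(parts)

    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        if kw == "config":
            stack.append(("config", " ".join(args)))
        elif kw == "edit" and stack and stack[-1] == ("config", "vdom"):
            vdom = args[0]
            vdoms.setdefault(vdom, {})
            stack.append(("vdom", vdom))
        elif kw == "edit":
            table = vdoms.setdefault(vdom, {}).setdefault(path(), {})
            stack.append(("edit", table.setdefault(args[0], {})))
        elif kw == "set" and stack and stack[-1][0] == "edit":
            stack[-1][1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            # 'next' closes the innermost entry/VDOM scope; 'end' closes the
            # innermost table together with any entry still open inside it
            while stack and (stack[-1][0] == "config") == (kw == "next"):
                stack.pop()
            if stack:
                stack.pop()
    return vdoms


def audit(vdoms: dict, dmz_vdoms: set, lan_links: set) -> list:
    """Return (vdom, policy_id, reason) for every enabled accept policy that
    terminates a VIP outside a DMZ VDOM, or that sits in a DMZ VDOM and points
    at an interface / inter-VDOM link (lan_links) leading toward the LAN."""
    findings = []
    for vdom, tables in vdoms.items():
        vips = set(tables.get("firewall vip", {}))
        for pid, s in tables.get("firewall policy", {}).items():
            if s.get("action", ["deny"])[0] != "accept" or s.get("status", ["enable"])[0] == "disable":
                continue
            hit = sorted(set(s.get("dstaddr", [])) & vips)
            if hit and vdom not in dmz_vdoms:
                findings.append((vdom, pid, f"public VIP {', '.join(hit)} lands in non-DMZ VDOM"))
            if vdom in dmz_vdoms and set(s.get("dstintf", [])) & lan_links:
                findings.append((vdom, pid, f"DMZ may initiate {', '.join(s.get('service', ['?']))} toward LAN via {', '.join(s['dstintf'])}"))
    return findings


def audit_sample() -> list:
    return audit(parse_fortios(SAMPLE_CONFIG), dmz_vdoms={"DMZ"}, lan_links={"dmz2lan0"})


if __name__ == "__main__":
    for vdom, pid, reason in audit_sample():
        print(f"[{vdom}] policy {pid}: {reason}")
```

To run it against a real device, feed the text of a config backup to parse_fortios, pass the name(s) of your DMZ VDOM(s) and the inter-VDOM links or interfaces that lead from the DMZ toward the LAN. A finding of the first kind is exactly the legacy VIP rule the question describes; a finding of the second kind is the DMZ-to-LAN policy the reply says the "what if the DMZ server is owned" question should rule out. The parser ignores everything except config/edit/set/next/end, so nested sub-tables inside an entry are not modelled.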