Hello, we have a DMZ vdom, however we still have many legacy incoming public VIP rules that point to our 'non-DMZ' LAN vdom.
Is this considered bad security practice?
These public facing VIP rules are quite strict with ports allowed, but I just feel that any public facing ports at all should be directed to the DMZ?
Am I being too wary?
Nope. IMHO if you take the pain, cost and effort to create a DMZ VDOM in the first place you are obliged to adhere to these principles. I tend to explain to customers what a DMZ is for in saying "imagine the servers in the DMZ are hacked and now under control of some evil guy - what can happen?". Which prevents policies from DMZ to LAN, for instance. Sometimes workflows have to be redesigned for this, but better you put some effort here than fix a leak later.
Whenever I encounter VIP access rules in a firewall I feel uncomfortable. Sometimes you can replace them with VPN access and tight policies, which is way more secure. But it'll take more effort.
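One way to inventory the legacy VIPs the question describes, as an added example that is not from either poster or from Fortinet: a small Python helper that walks a FortiOS CLI config export and lists every accept policy in a VDOM other than the DMZ whose destination is a VIP defined in that VDOM. The sample config, the function name and the single LAN VDOM are constructed for the demonstration.

```python
# Constructed sample in FortiOS CLI export format: one legacy VIP in the LAN VDOM.
SAMPLE_CONFIG = """\
config vdom
edit LAN
config firewall vip
    edit "vip-legacy-app"
        set mappedip "10.10.20.5"
    next
end
config firewall policy
    edit 10
        set dstaddr "vip-legacy-app"
        set action accept
    next
    edit 11
        set dstaddr "lan-subnet"
        set action accept
    next
end
next
end
"""

def find_vips_outside_dmz(config_text, dmz_vdoms=("DMZ",)):
    """Hypothetical audit helper (not a Fortinet tool): list (vdom, policy id,
    vip) for every accept policy in a non-DMZ VDOM whose destination is a VIP."""
    stack, vdom, vips, hits, cur = [], None, {}, [], None
    for line in filter(str.strip, config_text.splitlines()):
        tok = [t.strip('"') for t in line.split()]
        top = stack[-1] if stack else None      # innermost open block
        if tok[0] == "config":                  # enter a nested block
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":                   # leave the innermost block
            stack.pop()
        elif tok[0] == "edit" and top == "vdom":
            vdom = tok[1]
        elif tok[0] == "edit" and top == "firewall vip":
            vips.setdefault(vdom, set()).add(tok[1])
        elif top == "firewall policy":
            if tok[0] == "edit":
                cur = {"id": tok[1], "dstaddr": [], "action": "deny"}
            elif tok[0] == "set" and tok[1] in ("dstaddr", "action"):
                cur[tok[1]] = tok[2:] if tok[1] == "dstaddr" else tok[2]
            elif tok[0] == "next" and cur["action"] == "accept" \
                    and vdom not in dmz_vdoms:
                hits += [(vdom, cur["id"], n) for n in cur["dstaddr"]
                         if n in vips.get(vdom, ())]
    return hits
```

Policy 11 is not reported because its destination is an ordinary address object, not a VIP; passing `dmz_vdoms=("LAN",)` would report nothing, which is the state the answer above recommends reaching.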