DMZ and Production Server design

shengkangjin
Level 1

Hi Everyone,

 

I've just come across a DMZ design by someone else for the first time so I will need some advice/opinion on this.

 

From my knowledge, I'd separate the DMZ network and production servers onto 2 different networks, 2 different physical interfaces, etc. A DMZ would allow only 2 unidirectional traffic flows: either from the internet coming in, or from the internal network going in. No outgoing sessions initiated from within the DMZ are allowed on the firewall.

 

However, the design that I'm looking at puts the 'DMZ' server VMs (let's say, ADFS proxy) and production server VMs (Active Directory) on the same physical server stacks, hooks them up to the same physical interfaces of the same firewall, and only gives them different VLAN tags with Hyper-V VM VLAN tagging. Between the firewall and the server stacks, all network devices are to work in layer 2 with VLAN tags only. This forces all traffic to go to the firewall as the closest layer 3 gateway, and the firewall then decides whether it should be forwarded or not, which, sort of, does the job currently.

 

My question is, is this a legit design which serves the purpose? If no, why not?

Another question: if future changes are needed for this topology, let's say, to build a backup site for all servers, would introducing a local Layer 3 gateway and separating the DMZ onto a different physical interface be easier to manage and route? Or should I just keep going with the current setup? Why or why not?

 

There are a total of <10 physical servers and <20 VMs to consider. Just some Active Directory and print servers, etc., so no heavy traffic.

Thanks.

1 Accepted Solution

Accepted Solutions

What you are doing is creating a network segment in which the firewall is the layer 3 device, which is no different from any other network segment you might already have.

As you described, a DMZ has some characteristics. I just disagree with you on one point. When it comes to the internet there will be in and out, but when it comes to the internal network, only in. The traffic can flow from internal to DMZ and from DMZ to the internet, or from the internet to DMZ, but not from DMZ to internal.

Also, I wouldn't put an Active Directory in a standard DMZ. I see this service as totally internal. I see as candidates for a DMZ, for example, a web server, a foreign WLC for guest users, a VoIP server if you receive calls from the internet, VPN, etc.

I am not questioning your design; I think it is OK for the purpose. I just think that the concept of a DMZ is a bit different.

 

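To make the zone rules from the accepted answer concrete, here is a small stateful zone-policy simulation written for this thread (an added example, not code from the thread or from any firewall vendor). It models the design from the question: one firewall is the only layer 3 hop between VLAN-tagged segments, so every inter-VLAN packet is evaluated, while hosts on the same VLAN reach each other at layer 2 without the firewall seeing them. The addressing (VLAN 10 = production/internal at 10.0.10.0/24, VLAN 20 = DMZ at 10.0.20.0/24, everything else = internet), the host addresses and the flow labels are all constructed assumptions; the allowed initiation directions follow the answer (internal to DMZ, internet to DMZ, DMZ to internet, never DMZ to internal), and return traffic is only accepted for sessions that were opened in a permitted direction.

```python
"""Stateful zone policy for a DMZ design (added example; all addresses are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumed VLAN-to-prefix mapping for the design in the question.
ZONE_PREFIXES = {
    "internal": ipaddress.ip_network("10.0.10.0/24"),  # VLAN 10: AD and production VMs (assumed)
    "dmz": ipaddress.ip_network("10.0.20.0/24"),       # VLAN 20: DMZ VMs such as the ADFS proxy (assumed)
}

# Directions in which a NEW session may be opened, per the accepted answer.
# (dmz, internal) is deliberately absent: a DMZ host must never open a session inward.
ALLOWED_INITIATIONS = {
    ("internal", "dmz"),
    ("internet", "dmz"),
    ("dmz", "internet"),
}

FlowKey = Tuple[str, str, str, int, int]  # src, dst, proto, sport, dport


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    initiating: bool  # True for the first packet of a session (e.g. a TCP SYN)


def zone_of(ip: str) -> str:
    """Map an address to its security zone; anything outside the known VLANs is the internet."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_PREFIXES.items():
        if addr in net:
            return zone
    return "internet"


class ZoneFirewall:
    """The single layer 3 gateway between VLANs, keeping a table of permitted sessions."""

    def __init__(self) -> None:
        self.sessions: Set[FlowKey] = set()

    def evaluate(self, pkt: Packet) -> str:
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if src_zone == dst_zone:
            # Same VLAN: switched at layer 2, the firewall never sees this packet.
            return "intra-zone"
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.sessions:
            # Reply belonging to a session that was opened in a permitted direction.
            return "allow-return"
        if pkt.initiating and (src_zone, dst_zone) in ALLOWED_INITIATIONS:
            self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return "allow-new"
        # New session in a forbidden direction, or a stray packet with no session.
        return "deny"


def run_scenario() -> List[Tuple[str, str]]:
    """Replay constructed flows through the policy and return (label, verdict) pairs."""
    fw = ZoneFirewall()
    ad, dmz_host, client = "10.0.10.5", "10.0.20.5", "203.0.113.7"  # constructed addresses
    steps = [
        ("internet client -> DMZ host (HTTPS)", Packet(client, dmz_host, "tcp", 50001, 443, True)),
        ("DMZ host -> internet client (reply)", Packet(dmz_host, client, "tcp", 443, 50001, False)),
        ("internal AD -> DMZ host (opened from inside)", Packet(ad, dmz_host, "tcp", 50002, 443, True)),
        ("DMZ host -> internal AD (reply)", Packet(dmz_host, ad, "tcp", 443, 50002, False)),
        ("DMZ host -> internal AD (new session)", Packet(dmz_host, ad, "tcp", 50003, 389, True)),
        ("DMZ host -> internet (new session)", Packet(dmz_host, "198.51.100.9", "tcp", 50004, 443, True)),
        ("AD -> AD peer (same VLAN)", Packet(ad, "10.0.10.6", "tcp", 50005, 389, True)),
        ("internet -> internal AD (stray, no session)", Packet(client, ad, "tcp", 443, 50006, False)),
    ]
    return [(label, fw.evaluate(pkt)) for label, pkt in steps]


if __name__ == "__main__":
    for label, verdict in run_scenario():
        print(f"{verdict:13} {label}")
```

Changing `ALLOWED_INITIATIONS` is all it takes to express the stricter variant from the question (drop `("dmz", "internet")` so no session may be opened from inside the DMZ at all); the session table is what lets replies flow back without opening the reverse direction.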

