
Currently we have our DMZ on physically separate network infrastructure. 

However I was doing some work today and it prompted the question of how other people do it. 

Do you physically separate your DMZ, or do you logically separate it through VLANs etc. to make deployments etc. easier and cheaper? I'm not too clued up on the security side of it, but know that VLANs on their own aren't inherently or at least by design secure. 

What's your take?  


For me, it'd depend on how valuable the information assets on my network were.

At my house for my personal needs? Or even a small business with few or no internal resources/servers? I'd probably just do a VLAN. Theoretically it can be secure provided it's set up correctly, but the stakes aren't terribly high if something is wrong.

At a large company with mission-critical and/or proprietary data on internal servers? I'd probably separate physically to prevent human error, firmware security holes, etc. Too much risk involved in that scenario IMO.


Depends on the architecture and infrastructure to secure. You could do VLANs if you only need L2 separation locally on the switch, or if you need L2 and L3 upstream, then introducing VRFs at L3 is the next logical step, possibly along with firewalls to ensure upstream-destined traffic doesn't hairpin back down and try to access a different VRF when/if you merge them at some point. I'm seeing more trends away from dedicated DMZ architectures though, and a hybrid approach with VLANs/VRFs and firewalls, or in larger networks micro-segmentation of some sort on the host to permit and deny traffic at the host level so you can merge stuff and cut down on costs. Everything has its risks and trade-offs to some degree, but it really depends, obviously, on what you want to secure and how sure you have to be that it's as foolproof as possible.

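The VLAN-plus-firewall design the post above describes, as an added example that is not from this thread: an nftables forward policy for a Linux router that does the inter-VLAN routing, so the zone policy lives where traffic actually crosses between segments. It assumes eth0 is the upstream link, eth0.10 the internal VLAN and eth0.20 the DMZ VLAN, and the jump-host address 10.10.0.5 is a constructed value.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. A Linux router routes between the
# upstream link and two 802.1Q VLANs; the zone policy sits in the forward
# hook because every inter-VLAN packet passes through it. Interface names
# and the 10.10.0.5 jump host are assumed values for this example.
#
#   eth0     upstream / internet
#   eth0.10  internal VLAN 10
#   eth0.20  DMZ VLAN 20

flush ruleset

table inet dmz_fw {
    chain forward {
        # "policy accept" here would be the VLAN-only design: L2 separation
        # on the switch with nothing stopping a routed hop between segments.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Upstream -> DMZ: only the published web service
        iifname "eth0" oifname "eth0.20" tcp dport { 80, 443 } accept

        # DMZ -> upstream: package updates and DNS, nothing else
        iifname "eth0.20" oifname "eth0" tcp dport { 80, 443 } accept
        iifname "eth0.20" oifname "eth0" udp dport 53 accept

        # Internal -> upstream: ordinary client traffic
        iifname "eth0.10" oifname "eth0" accept

        # Internal -> DMZ: management only, and only from one jump host
        iifname "eth0.10" oifname "eth0.20" ip saddr 10.10.0.5 tcp dport 22 accept

        # DMZ -> internal: never allowed. The chain policy would already
        # drop this; the explicit rule counts and logs it so a compromised
        # DMZ host probing inward shows up in the router's logs.
        iifname "eth0.20" oifname "eth0.10" counter log prefix "dmz-to-internal: " drop
    }
}
```

Because the forward chain defaults to drop, a VLAN merged onto this router later reaches nothing until a rule names it, which is the property the post wants from the firewall when segments are consolidated.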
