I'm revising the Internet connectivity arrangements in my company and am wondering whether to implement a DMZ.
I've seen a few comments on the Microsoft ISA Configuration newsgroup about a DMZ being unnecessary with ISA Server 2004. I have inherited an ISA Server configuration which I'll be continuing to support. For example, these by Zachary Gutt, Technical Product Manager (ISA Server), in Feb 2003:
"A DMZ was beneficial when the servers in the DMZ did not need to communicate with the servers in the LAN. However, today this is not the case. Web servers now communicate with SQL backends.... To allow all of this communication through FW #1, so many holes need to be opened in that firewall that it just becomes Swiss cheese (i.e. it's not really doing anything). ...Many consultants I talk to today are saying that companies are moving back to these "flat" deployments, meaning they don't have DMZ's. This drastically reduces complexity, and is equivalently secure, or more secure."
I see where Zachary Gutt is coming from, but isn't it the case that in a Windows environment, if the web servers were on a DMZ, they could be removed from the domain, for example, and hence there would be less of a risk if they were compromised, i.e., if an intruder compromises the DMZ, they don't automatically gain access to the internal network? Isn't it also true that while certain ports would need to be opened up on the firewall to allow communication with the backend SQL Servers, the firewall could certainly restrict the number of ports to a minimum?
Here's another comment from Phillip Windell:
"So as far as I am concerned the only true, solid, "real" DMZ is the Back-to-Back DMZ, but even then I don't really like them because I think they are just an extra needless layer of complexity that isn't really required to make the LAN secure and they cause a lot of additional problems when trying to Publish internal resources to the Internet or perform VPN solutions."
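To make the "minimum ports" argument from the question concrete, here is an added example (not part of the original post, and not an ISA Server configuration) that models a back-to-back DMZ as a default-deny rule table and evaluates some constructed flows against it. The zone addresses (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the LAN), the single SQL port 1433 and the SSH admin rule are assumptions chosen for illustration. The point it shows is that the web tier can reach the SQL backend while none of the ports a domain-joined host would need to reach a domain controller are opened, so a compromised DMZ host is not "in the domain" by network position alone.

```python
"""Default-deny policy model for a back-to-back DMZ (added example).

Zones: internet, dmz, lan.  Traffic that crosses a zone boundary is allowed
only if an explicit Rule matches; everything else is denied.  Addresses,
ports and the sample flows below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Assumed address plan (TEST-NET-1 for the DMZ, RFC 1918 space for the LAN).
ZONE_NETS = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "lan": ipaddress.ip_network("10.0.0.0/8"),
}

# The whole allow list.  Front firewall = internet<->dmz, back firewall = dmz<->lan.
POLICY = frozenset({
    Rule("internet", "dmz", "tcp", 80),    # public web
    Rule("internet", "dmz", "tcp", 443),   # public web (TLS)
    Rule("dmz", "lan", "tcp", 1433),       # web tier -> SQL backend, the only hole inward
    Rule("lan", "dmz", "tcp", 22),         # admin access from inside (assumed)
    Rule("lan", "internet", "tcp", 443),   # outbound browsing from the LAN
})

# Ports a domain-joined host needs to talk to a domain controller.  None are opened.
DOMAIN_PORTS = {88: "kerberos", 135: "rpc", 389: "ldap", 445: "smb"}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not in a known net is the internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETS.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """True if the firewall policy allows this new connection, else False."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # intra-zone traffic is not mediated by the firewall
    return Rule(src, dst, proto, dport) in POLICY


def back_firewall_rules() -> list:
    """Rules that cross the inner (dmz<->lan) firewall: this is the 'Swiss cheese' count."""
    return [r for r in POLICY if {r.src_zone, r.dst_zone} == {"dmz", "lan"}]


def domain_ports_reachable_from_dmz() -> dict:
    """Which domain-controller ports a DMZ host could reach in the LAN (expected: none)."""
    return {p: n for p, n in DOMAIN_PORTS.items()
            if Rule("dmz", "lan", "tcp", p) in POLICY}


# Constructed flows: (src, dst, proto, dport, description)
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10", "tcp", 443, "client to public web server"),
    ("192.0.2.10", "10.1.2.3", "tcp", 1433, "web server to SQL backend"),
    ("192.0.2.10", "10.1.0.5", "tcp", 445, "web server to LAN file share (SMB)"),
    ("192.0.2.10", "10.1.0.1", "tcp", 88, "web server Kerberos to domain controller"),
    ("192.0.2.10", "10.1.0.1", "tcp", 389, "web server LDAP to domain controller"),
    ("203.0.113.7", "10.1.2.3", "tcp", 1433, "internet host straight to SQL backend"),
]


def audit(flows=SAMPLE_FLOWS) -> list:
    """Return [(description, 'ALLOW' | 'DENY'), ...] for each sample flow."""
    return [(desc, "ALLOW" if evaluate(s, d, p, port) else "DENY")
            for s, d, p, port, desc in flows]


if __name__ == "__main__":
    for desc, verdict in audit():
        print(f"{verdict:5} {desc}")
    print(f"{len(POLICY)} rules in total, {len(back_firewall_rules())} cross the back firewall")
    print("domain ports open from DMZ:", domain_ports_reachable_from_dmz() or "none")
```

Running it shows the web-to-SQL flow allowed and every SMB, Kerberos and LDAP attempt from the DMZ denied, with only two rules crossing the inner firewall. That is the practical answer to the "Swiss cheese" objection: the rule count only explodes if the DMZ hosts are domain-joined or otherwise need broad access inward.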