Are DMZs still necessary?

L4 Transporter

Are DMZs still necessary?

We are running a PA-500. Given its abilities, I am wondering if a DMZ is absolutely necessary. Note: I realize this is a wide-open question (what servers are we using, what operating system, etc.). I am curious in more of a "general" sense.

There are obvious situations where a DMZ is a no-brainer: hosting a site with SQL, money transactions, etc.

In our case we are an SMB and I am interested in publishing a couple of different servers to the outside world. Neither of them is based on IIS, but both are accessed via HTTP/HTTPS. Given the abilities of the PA and the fact they are not AD bound, it seems I could probably publish them without using a DMZ at the application level.

Same question with Exchange OWA/ActiveSync. Given the PA has the protocol definitions and is not just using ports, it seems like overkill to put the OWA/ActiveSync in a DMZ?

Any thoughts?

Thanks,

Bob

L4 Transporter

In my humble opinion a DMZ is still necessary because pivoting is still a tactic employed by the bad guys and pen testers. If you expose something to the Internet, assume it has vulnerabilities which would allow an attacker to get a shell on the box on the DMZ and pivot into your internal network. If you had that box 'sandboxed off' into its own zone with appropriate rules and profiles bound to it then you'd prevent pivoting.

L6 Presenter

Hi Bob,

It's good to have more security than less. I would suggest having the server in a DMZ.

Prevention is better than cure.

Regards,

Hardik Shah

L4 Transporter

Hi Bob,

The nice thing about DMZs is that you have the ability to control where the DMZ-based server(s) can connect to internally and limit their connectivity to just those resources that they require to function correctly. This limits your exposure should the DMZ server be compromised.

Phil
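
Added example, not part of the thread and not vendor configuration: a small Python model of the point made in the replies above, that a DMZ zone lets the firewall restrict what a published server can reach internally. The zone names, addresses, ports and rule names are constructed, and the model assumes first-match rules, a default deny between zones and no filtering of same-zone traffic.

```python
import ipaddress

# Constructed policy: first match wins; unmatched traffic between zones is denied.
RULES = [
    {"name": "web-in", "src": "untrust", "dst": "dmz",
     "net": "10.10.0.5/32", "port": 443, "action": "allow"},
    {"name": "dmz-to-db", "src": "dmz", "dst": "trust",
     "net": "10.20.0.8/32", "port": 5432, "action": "allow"},
    {"name": "dmz-legacy", "src": "dmz", "dst": "trust",
     "net": "10.20.0.0/16", "port": "any", "action": "allow"},
]

def evaluate(rules, src_zone, dst_zone, dst_ip, port):
    """Return (action, matching rule name) for one flow."""
    if src_zone == dst_zone:
        # Assumption: hosts in the same zone reach each other unfiltered,
        # which is the situation of a published server with no DMZ.
        return ("allow", "intrazone")
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r["src"], r["dst"]) != (src_zone, dst_zone):
            continue
        if ip in ipaddress.ip_network(r["net"]) and r["port"] in ("any", port):
            return (r["action"], r["name"])
    return ("deny", "interzone-default")

def overbroad_dmz_rules(rules, required):
    """Names of dmz->trust allow rules that exceed the required (host, port) pairs."""
    flagged = []
    for r in rules:
        if (r["src"], r["dst"], r["action"]) != ("dmz", "trust", "allow"):
            continue
        net = ipaddress.ip_network(r["net"])
        exact = (net.num_addresses == 1
                 and (str(net.network_address), r["port"]) in required)
        if not exact:
            flagged.append(r["name"])
    return flagged

if __name__ == "__main__":
    required = {("10.20.0.8", 5432)}  # the one backend the DMZ server needs
    print(overbroad_dmz_rules(RULES, required))
    # SMB (445) to an unrelated internal host, before and after tightening:
    print(evaluate(RULES, "dmz", "trust", "10.20.0.50", 445))
    print(evaluate(RULES[:2], "dmz", "trust", "10.20.0.50", 445))
```

Running the audit against an export of the real rule base shows which DMZ rules grant more than the server needs to function.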

L6 Presenter

Nice one HITSEC ...

L7 Applicator

DMZs are very necessary and in fact we are adding all kinds of internal "DMZ" secure zones throughout the data center and organization to protect critical applications and data repositories.

We can no longer assume that all the attacks are outside to in, but rather that any inside computer could eventually be in the hands of a bad actor. So you need to consider: what could a bad actor do from this point in the network? Where can they go? What can they see?

Then, if the compromised computer is inside a secured zone, DMZ or otherwise, how do we keep them there and not let them spread?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center