- 2001: SANS: http://www.sans.org/reading-room/whitepapers/firewalls/designing-dmz-950?show=designing-dmz-950&cat=firewalls
- 2010: Tufin's Chief Security Architecture: http://www.eweek.com/c/a/Security/How-to-Design-a-Secure-DMZ/
- Unfortunately it's a very short article. Michael does make some great points: "The temptation is to create rules allowing inbound access from the DMZs to the internal network. This should never be allowed. All the services that are needed should be moved into DMZs so that internal networks are never exposed" and his classification of DMZ designs into Levels 1-4 is a good start.
- http://www.cse-cst.gc.ca/its-sti/publications/itsg-csti/itsg38-eng.html - Canada's high-level abstraction of DMZ architecture into a security zoning policy. The DMZ, if one exists, forms part of the PAZ in this documentation.
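As an added illustration of the rule quoted from the eWeek article ("never allow inbound access from the DMZs to the internal network"), here is a small policy linter that flags any allow rule initiated from a DMZ towards a trusted zone and checks that an explicit default deny exists. The zone names, ports and the sample policy are constructed for the example; it is not code from any of the papers listed.

```python
"""Lint a zone-based firewall policy for DMZ-to-internal allow rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone the connection is initiated from
    dst_zone: str   # zone the connection is going to
    dst_port: int   # 0 means "any port"
    action: str     # "allow" or "deny"


# Constructed sample policy (hypothetical zones and ports), evaluated first-match.
SAMPLE_POLICY = [
    Rule("internet", "dmz-web", 443, "allow"),   # public web tier lives in the DMZ
    Rule("dmz-web", "internal", 1433, "allow"),  # the temptation: web tier to internal DB
    Rule("internal", "dmz-web", 22, "allow"),    # admin access initiated from inside
    Rule("dmz-web", "dmz-db", 5432, "allow"),    # DB moved into a second DMZ tier instead
    Rule("dmz-web", "internal", 0, "deny"),
    Rule("dmz-db", "internal", 0, "deny"),
]


def inbound_violations(policy, trusted_zones=("internal",)):
    """Return allow rules whose connection originates in a DMZ and ends in a trusted zone."""
    return [
        r for r in policy
        if r.action == "allow"
        and r.src_zone.startswith("dmz")
        and r.dst_zone in trusted_zones
    ]


def has_default_deny(policy, src_zone, dst_zone):
    """True if the policy ends the src->dst path with an explicit any-port deny."""
    return any(
        r.action == "deny" and r.dst_port == 0
        and r.src_zone == src_zone and r.dst_zone == dst_zone
        for r in policy
    )


if __name__ == "__main__":
    for bad in inbound_violations(SAMPLE_POLICY):
        print(f"VIOLATION: {bad.src_zone} -> {bad.dst_zone}:{bad.dst_port} "
              f"(move the service on port {bad.dst_port} into a DMZ tier instead)")
    for zone in ("dmz-web", "dmz-db"):
        print(f"{zone} -> internal default deny present: "
              f"{has_default_deny(SAMPLE_POLICY, zone, 'internal')}")
```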
Vendor product papers:
- http://www.redcannon.com/vDefense/VMZoning_wp.pdf
- IBM have written an entire book: http://www.redbooks.ibm.com/redbooks/pdfs/sg246014.pdf It's called Enterprise Security Architecture, but handily for this blog Chapter 2 dives straight in with a whole section on network architecture. Unfortunately it doesn't say anything very useful. It has another terrifying suggestion: put a reverse proxy in the DMZ and use it to forward connections to a web server in a more secure zone.
Things I need to read still:
- http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
- http://www.intel.co.uk/content/dam/www/public/us/en/documents/white-papers/cloud-security-and-secure-virtualization-paper.pdf