DMZ or no DMZ architecture?

Hi group! My company IT network architecture actually is based on
separation between DMZ zone (Mail, Web and DNS servers) and intranet
zone (Windows 2000 AD, Exchange and internals aplication servers)
managed by IPCOP Box (orange and green zone). IPCop is also used as
external firewall/NAT/Proxy. We have a security audition by an
external company and they recommend to eliminate DMZ zone and
integrate all servers into an high disponibility linux cluster. I
think that this is not a really good idea and there's not
justification to eliminate DMZ zone, perhaps it would be more secure
to have 2 clusters, one in DMZ and the other one in green zone. Am I
thinking OK? Any sugestion? Thanks in advance

Re: DMZ or no DMZ architecture?

tabletoni@gmail.com wrote:


> We have a security audition by an
> external company and they recommend to eliminate DMZ zone and
> integrate all servers into an high disponibility linux cluster. I

They seem to have no clue, so I'd recommend you don't pay them.

> I think that this is not a really good idea and there's not
> justification to eliminate DMZ zone,

It is correct, to put servers that offer public services in one or more
seperate subnets.

> perhaps it would be more secure
> to have 2 clusters, one in DMZ and the other one in green zone. Am I
> thinking OK? Any sugestion?

There is nothing wrong with clustering and there is nothing wrong with
subnetting.

Wolfgang