Security – If you need to open ports from DMZ to LAN, at what point is the separation no longer worth it

Tags: dmz, firewall, local-area-network, security

If you have a DMZ with one or more servers/services (maybe FTP, HTTP and SMTP), and you have a LAN with typical servers/services (like file sharing, Active Directory, database server).

Depending on the integration of services and resources, the firewall between the DMZ and LAN could have a lot of open ports. At what point would you consider not using a DMZ?

Thanks!

Best Answer

There is no realistic measurement in which I would consider not using a DMZ. With security, every extra bit you can get helps. The idea is to limit the number of possible attacks. As admins, we often have to fight for the security we are allowed to implement, so take whatever you can get. Even if you have to completely open a host in your LAN to the DMZ, one host is a lot better than every host.

A realistic example from what you said is putting a front-end Exchange server in the DMZ, and the back-end and Active Directory in the LAN. Even though these can still be reached from the DMZ, at least you have limited the possible ways to get through. You can then put your efforts into watching for any security notices related to these particular services.
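The answer's point, that a narrow DMZ-to-LAN rule set exposes one host on a few ports while an open firewall exposes every host, can be made measurable. The following is an added example, not code from the question or the answer: a small model of a default-deny forward policy that decides individual flows and counts how many LAN services a rule set lets DMZ hosts reach. All addresses, host names and port numbers are constructed sample values, and the "front-end/back-end" rules are illustrative only, not a port list for any particular product.

```python
"""Added example (not part of the original Q&A): model a DMZ-to-LAN firewall
policy as an ordered, first-match, default-deny rule list, then measure how
much of the LAN each rule set exposes. All values below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None means any port
    action: str           # "allow" or "deny"

    def matches(self, src, dst, proto, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


def decide(rules, src, dst, proto, port):
    """First matching rule wins; no match at all means deny (default deny)."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "deny"


# Constructed topology: DMZ is 10.10.0.0/24, LAN is 10.20.0.0/24 (assumed values).
DMZ_HOSTS = {"mail-frontend": "10.10.0.10", "web": "10.10.0.20"}
LAN_HOSTS = {"mail-backend": "10.20.0.10", "dc": "10.20.0.20",
             "fileserver": "10.20.0.30", "db": "10.20.0.40"}

# Narrow policy in the spirit of the answer: only the front-end mail host may
# reach the back-end and the domain controller, and only on named ports
# (sample ports, not a product recommendation). Everything else is denied.
NARROW_RULES = [
    Rule("10.10.0.10/32", "10.20.0.10/32", "tcp", 443, "allow"),
    Rule("10.10.0.10/32", "10.20.0.10/32", "tcp", 25, "allow"),
    Rule("10.10.0.10/32", "10.20.0.20/32", "tcp", 389, "allow"),
    Rule("10.10.0.10/32", "10.20.0.20/32", "tcp", 88, "allow"),
]

# Wide policy: the "just open everything between DMZ and LAN" rule the
# question is worried about.
WIDE_RULES = [Rule("10.10.0.0/24", "10.20.0.0/24", "any", None, "allow")]

# Constructed probe list: the LAN services an attacker on a compromised DMZ
# host would try. Used only to score exposure, not as a scan.
PROBE_PORTS = [("tcp", 25), ("tcp", 88), ("tcp", 389),
               ("tcp", 443), ("tcp", 445), ("tcp", 1433)]


def exposed_lan_services(rules, lan_hosts, dmz_hosts, probe_ports):
    """Return the set of (lan_host, proto, port) tuples some DMZ host can reach."""
    exposed = set()
    for dmz in dmz_hosts:
        for lan in lan_hosts:
            for proto, port in probe_ports:
                if decide(rules, dmz, lan, proto, port) == "allow":
                    exposed.add((lan, proto, port))
    return exposed


def exposure_summary(rules):
    """Count reachable services and distinct reachable LAN hosts for a rule set."""
    exposed = exposed_lan_services(rules, LAN_HOSTS.values(),
                                   DMZ_HOSTS.values(), PROBE_PORTS)
    return {"services": len(exposed),
            "hosts": len({host for host, _, _ in exposed})}


if __name__ == "__main__":
    for name, rules in (("narrow", NARROW_RULES), ("wide", WIDE_RULES)):
        print(name, exposure_summary(rules))
```

The summary is the number a practitioner can put in front of whoever argues the DMZ is pointless: with the narrow rule set, a compromised DMZ host gets at two LAN hosts on four services, and a compromised web server gets at nothing; with the wide rule set every probed LAN service on every host is reachable. The same `decide` function also serves as a quick regression check when a rule is added, by asserting that flows which must stay blocked still return `deny`.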
