Hey
@Austin, this is a great point to discuss. My 2cents: The traditional function of the DMZ was to take a group of devices and allow them some exposure from public untrusted networks, while at the same time limiting access/exposure to secure private networks. Tenancy could certainly allow for an equivalent functionality.
First step would be to segment the DMZ devices. That is, separate them at layer2 from the other secure networks. You might do this by placing them on separate VLANs, or even a separate switch altogether. In any case, you wouldn't want them sharing a broadcast domain with your other devices.
Once your DMZ devices are segmented, the next thing would be to get them a new gateway interface on your 128T. Say you already had a 128T device-interface connected to your switch, and you had put the DMZ on a separate VLAN. In that case you could just trunk that VLAN on the existing device-interface, and set up the new network-interface (with appropriate VLAN) in your 128T config. If you had the DMZ devices on a separate switch, or you just wanted to use separate ports, you could set up a new device-interface along with the new network-interface. Note, this assumes 128T is the gateway for each LAN, and there are no other routers/firewalls between your endpoints and 128T. If there are downstream routers/fw's you may not need a new device-interface/network-interface at all.
With the devices segmented at L2 and routed through 128T interfaces, then it is just a matter of applying separate tenancy to the endpoints. For example, you may have a "trusted-lan" tenancy applied to your private network endpoints, and a "dmz" tenancy applied to your DMZ endpoints. With this you can choose to not allow, or selectively allow access to your private services (i.e. those which route to your private LAN endpoints).
As for services which are hosted by the endpoints in the DMZ networks. Often times those services would be considered a public service in the 128T data model. In other words if a session arrives on an interface and matches no tenant (as is common with a WAN interface), it is said to have come from the public or global tenant. So for a traditional DMZ based service, you'd make a service with an address matching your site's WAN IP address, and a specific port, and set it to be a public service. Then you'd service-route that service to endpoints in your DMZ LAN network, perhaps applying a destination NAT or NAPT.
Note that creating a public service does not inherently give access to the rest of your tenants. If your "trusted-lan" tenant endpoints also needed to access the service, you'd want to add them in an access policy on the service.
Hopefully this makes sense. Later I can gen up some diagrams and config samples to better demonstrate. Would be curious of other thoughts and experience on this topic as well.
------------------------------
- Reid
------------------------------
Original Message:
Sent: 11-27-2018 14:23
From: Austin Stoffel
Subject: What is the proper way to setup a DMZ on my 128T
I'd like to start a discussion about how to create a DMZ with 128T.
Am I able to create a new LAN subnet by adding a Network Interface to my current LAN Device Interface? Then keep the subnets separate by using VLANs?
------------------------------
Austin Stoffel
Systems Administrator
------------------------------