What is a DMZ and how do I build one?

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

Author: danielrm26    Posted: Mon Apr 28, 2003 11:09 am    Post subject: What is a DMZ and how do I build one?
    ----
Eventually, if you get interested enough in Security, you are going to wonder what a DMZ is and why you should or should not have one. DMZ is an acronym that stands for De-Militarized Zone, and in the 'real' world it is the location between two hostile entities such as North and South Korea. In the Security community, however, it is a separate, untrusted network where boxes serving public services should be placed. It is a buffer zone between a completely untrusted network (like the Internet) and a relatively trusted network (like your private LAN). The primary reason for implementing a DMZ is to keep your public and private assets separated so that a compromise in the public area does not automatically result in a compromise of your private assets as well.

There are two main ways to implement a DMZ. The first is using three NICs, as follows:

1 NIC for the WAN (your gateway to the Internet; everything comes and goes through this NIC)
1 NIC for the LAN (behind this NIC is where you have all your private assets, i.e. file servers, domain controllers, questionable material collections, etc.)
1 NIC for the DMZ (this is where you put any machine that you want to allow people on the Internet to connect to, i.e. web servers, ftp servers, mail servers, game servers, etc.)

This is one method of creating a DMZ, but it is not the preferred method. This configuration allows the security of both your DMZ and your LAN to lie in one system. If your machine that has all three of those NICs in it is compromised, so is your DMZ and your private network as well. Basically, you are allowing the Internet to 'touch' the very same machine that determines how secure your internal LAN is, and this is not a good thing.

The better way to do this is with three separate networks – the Internet, your DMZ, and your LAN. This is accomplished by using two firewalls – one on the border of your WAN (which handles your connection usually), and one on the border of your internal network. Let’s say that you have a broadband router (like a Netgear or Linksys) and a Linux-based firewall (like Astaro or Smoothwall). What you do is you put your router on your border (right behind your modem), and you connect the LAN side of that router to a hub or switch. To that hub or switch (your DMZ hub/switch) you use one of the ports to connect your bastion host/public server(s). This machine (or machines) run the services that you want people to be able to connect to from the outside. This may be a web site, an FTP server, or a multiplayer game like WCIII or Counterstrike. You want this machine to be hardened to some degree (preferably very well), meaning that it is completely patched and is not running anything that is vulnerable. As a general rule though, you want anything put in the DMZ to be resistant to attacks from the Internet since public access is the reason that you are putting it out there in the first place. How to harden the servers you put in your DMZ is outside the scope of this article, but suffice it to say that you want to lock them down – no services running that don’t need to be, all updates applied, etc.

Now, to that same switch (the DMZ switch) you are going to attach another network cable that goes to your internal firewall (your Linux firewall). It is important to note that you want your strongest firewall closest to your LAN; or, putting it another way, you want your weakest firewall on your border. This may seem counterintuitive but it's usually the right way to do things. Basically, you want the most powerful and most configurable firewall protecting your LAN – not your DMZ. As for your internal firewall, it’s going to have two NICs in it – one for the DMZ side and one for the private LAN side. Connect the cable coming from your DMZ switch to the DMZ side of the internal firewall (the external interface), and on the other side of the firewall (the private LAN side) you connect a cable to another hub/switch that all of your LAN computers will connect to.

If that was confusing, think of it this way:

------------------------------------------------------------------
Internet -> Modem
Modem -> Router
Router -> DMZ Switch
DMZ Switch -> WEB/FTP/Game Server
DMZ Switch -> Firewall External NIC
Firewall Internal NIC -> LAN Switch
LAN Switch -> LAN Systems
------------------------------------------------------------------

So let’s take a look at the Security that is offered by this setup. At the border you have NAT translation going on that passes only the ports that you need to in order for the public to use the servers in your DMZ. Let’s say you are running a web server, an FTP server, and a game server for a game called FooAttack. On your border router/firewall you pass ports 80, 21, and 5347 (the FooAttack server port). All other attempted connections to your external IP address drop dead at your border; only those three ports passed above are allowed through because of NAT. The nature of NAT dictates that only return traffic (traffic that is part of a connection that originated from the inside of the NAT device) will be allowed back into the NAT’d network. This side effect of NAT, while not its original or main goal, is a fairly powerful Security feature. If your border device supports filtering of any sort in addition to NAT then you can further lock down your network by restricting who can and cannot connect to the hosts in your DMZ.

That first border layer, while being good, is just one piece of the overall DMZ Security posture. The real beauty of this setup lies in what happens if someone *does* get a hold of a machine in your DMZ. Imagine that you have the setup like I laid out above, but unbeknownst to you there is a major vulnerability in the web server you are running. So here you are offering web content to the entire Internet and someone runs the proper exploit vs. your machine and roots it. Now what?

Now nothing. Your second and more powerful firewall (the one that they are still *outside* of) – does not pass *any* traffic from the DMZ inside to the LAN. (In fact, you should have it where it won’t even answer ICMP requests from DMZ machines, so the odds are they won’t even know it’s there.) And now, rather than being able to bounce around on your juicy internal LAN like they planned, they are stuck in the middle of a completely untrusted and unprivileged network that doesn’t have anything on it other than what you intended for public viewing anyway.

This is a DMZ.

Even if they did know where the internal firewall was it wouldn’t even entertain the notion of passing connection attempts from the DMZ. This internal layer of protection is NAT'd just like your first layer, only there are no ports being passed inside like from the Internet to the DMZ. Your second firewall actually has no idea what to do with packets that are designed to initiate new connections with it, so it just drops them. The only traffic that is going to make it through that firewall is traffic that you specifically request be allowed through by talking to a machine outside of that firewall, i.e. when you go to /., it will allow the web content to come *back* to you so you can view the page, but if someone tries to initiate a new connection to you, they get dropped. Both NAT and SPI afford this protection to you, each in different ways.

So, to sum it all up, imagine someone is scanning around looking for web daemons to tear up and they find yours. Most inexperienced attackers would assume that you are running something on your public IP address, as if your main workstation were sitting right on the Internet running a web daemon. So, they connect to it, get a web page, and then scurry to dig up their favorite HTTP exploit tool that someone else wrote. What they don't know is that they are actually connecting to a private IP in your DMZ. It has no ‘real’ IP address as far as the Internet is concerned. If you didn’t pass that port at the border device then they wouldn’t have seen anything at all with their scan. But let’s say they do see your web daemon because you are passing port 80 through to your DMZ host running a web site, and it turns out it has a vulnerability in it. They run their exploit and get root on your box. This causes them tremendous joy, and they hurry to tell all their buddies because they think they’re Alan Cox. The thing is, they have little to celebrate. All they have is a barebones server with nothing of value on it – no vital info, no browsing history, no personal information, nothing. In fact, all you have on there is content that you wanted the public to see in the first place (which is also safely backed up on your internal network and/or removable media). So, they have root on the machine and ping around in your DMZ and soon find that there isn't much there. If they are smart they will do an ifconfig (or ipconfig if you swing that way) and find out they are on a private subnet - but this gains them nothing. The odds are that from there they’ll either load some trash onto your system or try and destroy it. Either way, it doesn’t matter. The moment you detect what has happened (tripwire, puresecure, etc.) you simply pull the plug, reinstall the box, and restore the backup. Within a few minutes you have a brand-new system ready to go back online, and at no point during the process was your private LAN in danger. This is the benefit of running a true DMZ.

-danielrm26
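The rulesets that the diagram above implies, written out as an added example (this is not part of the original post and not any vendor's stock configuration): iptables commands for both boxes of the "sandwich" DMZ. The interface names (wan0/dmz0 on the border device, ext0/lan0 on the internal firewall), the DMZ host address 192.168.1.10 and the LAN range 192.168.2.0/24 are assumptions; ports 80, 21 and 5347 are the ones the post passes. In dry-run mode (the default) each function prints its commands instead of executing them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original post: iptables rulesets for the
# sandwich DMZ. Interface names, addresses and the FooAttack port 5347
# are assumptions taken from the thread's diagram and text.
#
# Border router/firewall:  WAN side wan0, DMZ side dmz0
# Internal firewall:       DMZ-facing side ext0, LAN side lan0
DMZ_HOST=192.168.1.10      # runs the web, FTP and FooAttack services
LAN_NET=192.168.2.0/24     # the private LAN behind the internal firewall
DRY_RUN=${DRY_RUN:-1}      # 1 = print the commands, 0 = execute them (needs root)

# rule CMD...: print the command in dry-run mode, otherwise run it.
rule() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Border device: drop everything by default, DNAT only 80, 21 and 5347 to the
# DMZ host, and refuse new connections that a DMZ box tries to open outwards
# (a compromised DMZ host gets no outbound SYNs either, only return traffic).
border_router_rules() {
    echo "# --- border router ---"
    rule iptables -P FORWARD DROP
    rule iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in 80 21 5347; do
        rule iptables -t nat -A PREROUTING -i wan0 -p tcp --dport "$port" \
            -j DNAT --to-destination "$DMZ_HOST"
        rule iptables -A FORWARD -i wan0 -o dmz0 -p tcp -d "$DMZ_HOST" \
            --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    rule iptables -A FORWARD -i dmz0 -o wan0 -p tcp --syn \
        -j LOG --log-prefix "DMZ outbound SYN: "
    rule iptables -A FORWARD -i dmz0 -o wan0 -m conntrack --ctstate NEW -j DROP
    rule iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE
}

# Internal firewall: the LAN may open connections toward the DMZ (and, via the
# border, the Internet); nothing on the DMZ side may open a connection into
# the LAN or even ping the firewall's DMZ-facing interface.
internal_firewall_rules() {
    echo "# --- internal firewall ---"
    rule iptables -P INPUT DROP
    rule iptables -P FORWARD DROP
    rule iptables -A INPUT -i lo -j ACCEPT
    rule iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Silently ignore ICMP from the DMZ side; the firewall should stay invisible.
    rule iptables -A INPUT -i ext0 -p icmp -j DROP
    rule iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule iptables -A FORWARD -i lan0 -o ext0 -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Log, then drop, any new connection attempt from the DMZ toward the LAN.
    rule iptables -A FORWARD -i ext0 -o lan0 -m conntrack --ctstate NEW \
        -j LOG --log-prefix "DMZ->LAN NEW: "
    rule iptables -A FORWARD -i ext0 -o lan0 -j DROP
    # Second NAT layer: the LAN hides behind the firewall's DMZ-side address.
    rule iptables -t nat -A POSTROUTING -o ext0 -s "$LAN_NET" -j MASQUERADE
}

border_router_rules
internal_firewall_rules
```

Run with DRY_RUN=0 as root on the respective box to apply. Two practical caveats: because the border also drops new connections that DMZ hosts open toward the Internet, package updates for those hosts need an explicit exception or a local mirror; and FTP data connections through the border are only classified RELATED if the nf_conntrack_ftp helper is loaded.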

Author: effortless    Location: grounded    Posted: Mon Apr 28, 2003 11:48 am    Post subject:
    ----
The ultimate firewall. There is a point lost on many admins. I can hear the howls already but here goes nothing.

I instigated an audit of internet usage of a small company with DSL and 11 networked PCs and 2 Macs. After 2 months it was found that of the thousand-odd e-mails and the large number of hours of internet browsing only 40 e-mails were company relevant and there was no company relevance to the browsing apart from the boss gazing at his hosted website. The company is mainly cash based with local clients.

Where is the point of all the staff having internet access?

The network is now off the internet and one machine not on the LAN is used for all internet traffic. Personal e-mails and browsing are allowed but not very convenient. There has been an increase in productivity, and if there is a problem with the internet PC it has no effect on the LAN.

This may seem drastic but the company is not paying for bandwidth for the personal benefit of the staff.

Author: Aflack    Location: This Is Xtreme    Posted: Sat Jun 14, 2003 7:30 am    Post subject:
    ----
Would it be too much trouble if you point me to or draw out this layout of the DMZ security settings? It would be a lot easier if I could picture what was being mentioned above. Maybe this picture would explain it? http://www.firewalls.com/images/document-dmz.jpg http://www.avantec.ch/pix/dmz.gif

Author: dot_rain    Location: Toronto    Posted: Wed Jun 25, 2003 3:09 am    Post subject:
    ----
Good job Aflack, thanks for sharing.

Author: Bhodi    Location: Netherlands    Posted: Mon Dec 29, 2003 10:22 am    Post subject:
    ----
Is traffic coming from one of the boxes in the DMZ handled the same as traffic coming from the internet? I mean, is traffic from a compromised box in the DMZ zone more dangerous for the 'safe' part of the network than traffic coming from the internet?

Also, my router has a DMZ feature too, but I wonder if it's the same situation as shown in the picture in the previous post.
Code:

                                            INTERNET
                                                |
                                          Router/firewall
                                             |       | 
                                           LAN      DMZ
                                           | |       |
                                          PC PC      PC
                                          1  2       3


Is a compromised PC3 in this situation a bigger threat for PC1 and PC2 than attacks from the internet?

Author: danielrm26    Posted: Mon Dec 29, 2003 12:38 pm    Post subject:
    ----
The amount of trust is reflected in the rulesets you put on your firewall. A DMZ is supposed to house your public machines so that if they get cracked they are isolated and not able to contact your private LAN. You do this via a rule that denies all incoming new connections from the DMZ to your private LAN (or to anywhere else, as mentioned above).

So the short answer is "no". To the firewall, the Internet and the DMZ are the same -- they are just OTHER networks. It sees no difference; the distinction is made via your ruleset. To your PCs on your private LAN, there is also no attention paid to where the attack was coming from with regard to the Internet or your DMZ. Remember, to it, everything comes from the default gateway (the inside of your firewall).

It's all about the ruleset on the firewall itself. That is what defines the security of your setup as far as the firewall is concerned.


Author: Matt S    Location: Birmingham, England    Posted: Mon Dec 29, 2003 12:39 pm    Post subject:
    ----
Bhodi wrote:
Is traffic coming from one of the boxes in the DMZ handled the same as traffic coming from the internet? I mean, is traffic from a compromised box in the DMZ zone more dangerous for the 'safe' part of the network than traffic coming from the internet?

All outgoing traffic from the DMZ to either the internet or the internal network should be blocked unless it is part of an incoming connection.
(e.g. no outgoing packets with SYN set)

Matt. Stevens

Author: danielrm26    Posted: Mon Dec 29, 2003 12:44 pm    Post subject:
    ----
Aflack wrote:
Would it be too much trouble if you point me to or draw out this layout of the DMZ security settings? It would be a lot easier if I could picture what was being mentioned above.

This is a "sandwich" DMZ -- the one that I prefer, and the one that offers more security than the "multi-NIC" approach.


Author: Bhodi    Location: Netherlands    Posted: Mon Dec 29, 2003 1:53 pm    Post subject:
    ----
Well, my router basically just does that, it functions as a firewall and a hub together. I can set one PC up as DMZ. For all other PCs on the LAN the firewall rules on the router are active. I DO have a firewall running on the separate PCs but that's not really necessary since almost all ports are blocked on the router. I'm still configuring this to find the optimal situation. Start with closing everything and then open the separate ports for each service I need. This will eventually leave a firewall configuration with just a few ports open. So no need to have a fancy hardware firewall, just one that can shut everything down and let you open the specific ports that are needed, and almost all routers provide that.

Author: Sgt_B    Location: Chicago, IL US    Posted: Mon Dec 29, 2003 4:46 pm    Post subject:
    ----
danielrm26 wrote:
This is a "sandwich" DMZ -- the one that I prefer, and the one that offers more security than the "multi-NIC" approach.

Could you explain how that DMZ topology offers "more security"? The multi-NIC approach would be based on the same rulesets as the two-firewall DMZ. So the same rules would be applied...just on different firewalls.
The only aspect where this would provide more security (to me anyway) would be if a firewall itself was compromised. A multi-NIC firewall would provide the attacker access to everything, while a two-firewall DMZ (depending on which firewall got owned) could help lessen the impact.
Let's face it though....if you're allowing your firewall to get owned...then you've got other issues you need to worry about besides your DMZ setup.

Author: danielrm26    Posted: Mon Dec 29, 2003 10:26 pm    Post subject:
    ----
Sgt_B wrote:
Could you explain how that DMZ topology offers "more security"? The multi-nic approach would be based on the same rulesets as the two firewall DMZ. So the same rules would be applied...just on different firewalls.
The only aspect where this would provide more security (to me anyway) would be if a firewall itself was compromised.
That's precisely the answer. If you have a firewall device doing multiple things and handling multiple networks, you have the (albeit very small) possibility that it will be compromised.

By running the multiple firewalls rather than multiple NICs, you have multiple layers. Ideally (for the layering issue, not necessarily in general), you'd have as many different platforms in there as well, i.e. one's Check Point, one's OpenBSD and ipf, and the other is Linux/IPFILTER. This way, the key that got them through one layer doesn't get them through the next.

So, yes, it *is* more secure, but like you said, getting a firewall owned isn't supposed to be a common occurrence, so the security "lost" by using the multi-NIC approach is minimal at best.

Author: danielrm26    Posted: Mon Dec 29, 2003 10:30 pm    Post subject:
    ----
Bhodi wrote:
Well, my router basically just does that, it functions as a firewall and a hub together. I can set one pc up as DMZ.
I don't suggest you use this feature or be lulled into thinking of it as a DMZ at all. It's not.

All that is is a default host for the NAT functionality of your router, and it's generally not a good idea to use if you need real security. If you want to do a DMZ, get another device and chain them together like the diagram I posted above.

Author: Bhodi    Location: Netherlands    Posted: Tue Dec 30, 2003 8:46 am    Post subject:
    ----
danielrm26 wrote:
All that is is a default host for the NAT functionality of your router, and it's generally not a good idea to use if you need real security.

Ah well, I don't need/use a DMZ anyway. I was just wondering how good some of the functionality on my router really was. I only use my router as a central internet connection point, dhcp server, some portforwarding and a basic firewall.

But thanks for the clarification.

Author: ZCorker    Posted: Sun Jan 04, 2004 10:38 pm    Post subject: Will a DMZ stop SNORT ???
    ----
Will a DMZ stop the Snort program? I found out about Snort for the first time while reviewing something in Security Forums, but forgot where the link was. I would appreciate it if someone would forward me the link. I think the link that I reviewed also led me to another program that was like Snort.

Zcorker
ICQ 118179171
<bd652(at)scn.org>

Author: alt.don    Posted: Sun Jan 04, 2004 11:14 pm    Post subject:
    ----
A DMZ has nothing to do with Snort actually. DMZ is a topology while Snort is an intrusion detection system. I trust this clarifies. Also please give Google a shot on some of these questions. Thanks!

Author: yaoweihung    Location: Dallas, TX.    Posted: Wed Jul 21, 2004 10:07 pm    Post subject: What to do in details
    ----
Thanks for the efforts you have put into this great document. I am planning to implement this in our network soon, but I have some questions about the details…

We are using Check Point NG to do the minimum protection on our internal network. There is no DMZ setup yet. What I plan to do is buy a Cisco PIX 506 and create a two firewall model. The Web server and Exchange server will be put into the DMZ. The SQL server and other servers will be protected behind the internal firewall.

The questions are:

1. Which Firewall product is more powerful, Check Point NG or Cisco PIX 506? I would like to know which Firewall I should setup as internal Firewall.

2. If I want to set up a VPN for remote management purposes, where should this VPN server go, and how should I set up these two firewalls?

3. From your demonstration, you have both the DMZ and the internal firewall connected to the same hub/switch. Would it be better if I had dual NICs in all servers located inside the DMZ? By doing this, I would have my external firewall connected to one subnet address (say, 192.168.1.xxx) and my internal firewall connected to another subnet address (say, 192.168.2.xxx).

Again, I really appreciate your works in here.

Thanks in advance.

Author: sigsegv    Posted: Mon Aug 30, 2004 5:15 pm    Post subject:
    ----
Just wanted to extend my sincerest thanks to you for posting this extremely useful article. I really appreciate your info-sharing attitude.
--sigsegv.

Author: danielrm26    Posted: Tue Aug 31, 2004 5:51 pm    Post subject: Re: What to do in details
    ----
yaoweihung wrote:
1. Which Firewall product is more powerful, Check Point NG or Cisco PIX 506? I would like to know which Firewall I should setup as internal Firewall.

2. If I want to set up a VPN for remote management purposes, where should this VPN server go, and how should I set up these two firewalls?

3. From your demonstration, you have both the DMZ and the internal firewall connected to the same hub/switch. Would it be better if I had dual NICs in all servers located inside the DMZ? By doing this, I would have my external firewall connected to one subnet address (say, 192.168.1.xxx) and my internal firewall connected to another subnet address (say, 192.168.2.xxx).

I prefer Check Point, for your first question; I don't have a lot of experience with PIX though, so I can't say it's bad. All I know is that the logging and therefore troubleshooting options on Check Point are far superior, in my opinion. As for features, I think Check Point wins there as well. All in all I think it's the better of the two, but I work with it every day and know not nearly as much about the PIX - so take that into account.

I'd suggest the simple solution of having your Internet-facing firewall be your VPN endpoint. I'd say that Check Point does this better as well, but staggering two vendors is better for security since getting past one doesn't easily lend to getting past the second. It's up to you which way you want to go with that.

As for your third question, I don't think having servers residing in both your protected and unprotected networks at the same time is a good idea. In general, if it's offered to the public directly it should go in the DMZ, and if it's a database server or internal mail server, it should either go in its own separate network off either another firewall or a port on the internal one, or it should go in your internal network. That decision is going to be based on the costs involved and how well you trust your internal users.

Hope this helps.

Author: sigsegv    Posted: Wed Sep 01, 2004 5:09 pm    Post subject: design of an e-commerce n/w setup.
    ----
Hi Daniel,
I've a small question after reading your excellent article on building a DMZ. Please excuse me if this is too basic.
According to your configuration, all machines in the DMZ will not be allowed to make connections to the internal n/w by the inside f/w.
Consider the case of an e-commerce site that has a login page and where all credentials about the member, credit card numbers, are stored in a database that is stored on the internal n/w. (I assume it should not be in the DMZ for obvious security reasons.) Now one will have to allow connections from the app server on the DMZ to the database server to fetch the credentials. In this case compromising the web server on the DMZ would prove to be disastrous. How does one go about preventing this? What would be an ideal n/w configuration when designing and setting up an e-commerce setup? Thanks a zillion for your answers. --sigsegv.

Author: danielrm26    Posted: Wed Sep 01, 2004 7:49 pm    Post subject:
    ----
For an eCommerce setup, you want to have a separate network for your app and database servers, and a pinhole for ODBC/JDBC and/or other application traffic will be poked in the firewall protecting that segment to allow for that connectivity (from the DMZ to that network). This should be a separate network from the internal LAN where corporate users reside, and ONLY the front ends for these backend systems should be allowed to communicate with them. Also, using IPSEC for this traffic is a decent and often-used solution.

Author: kantan    Location: London    Posted: Wed Oct 27, 2004 8:58 am    Post subject:
    ----
What difference does it make if I directly connect my external firewall to the internal firewall rather than bypassing it via the DMZ hub/switch?

rgds / Karthik

Author: danielrm26    Posted: Wed Oct 27, 2004 9:03 am    Post subject:
    ----
kantan wrote:
What difference does it make if I directly connect my external firewall to the internal firewall rather than bypassing it via the DMZ hub/switch?
Well, the purpose of a DMZ is to put machines in it. If you are just stacking firewalls that's giving you a potential for increased security but it's not speaking to the concept of a DMZ.

Author: kantan    Location: London    Posted: Thu Oct 28, 2004 12:38 pm    Post subject:
    ----
I think you've got my question wrong. The DMZ hub/switch exists and the respective servers that need to go in the DMZ are connected to the DMZ hub/switch. My concern now is... what happens if I connect the external firewall directly to the internal firewall rather than connecting it via the DMZ hub/switch? Does that compromise the security in any way?

rgds / Kantan

Author: danielrm26    Posted: Fri Oct 29, 2004 6:32 pm    Post subject:
    ----
kantan wrote:
I think you've got my question wrong. The DMZ hub/switch exists and the respective servers that need to go in the DMZ are connected to the DMZ hub/switch. My concern now is... what happens if I connect the external firewall directly to the internal firewall rather than connecting it via the DMZ hub/switch? Does that compromise the security in any way?

What you are describing is a network completely separate from your internal or external firewalls. It's not a DMZ if it doesn't lie between a less-trusted and more-trusted network. Think of calling Japan a DMZ between North and South Korea. It can't be because it's not between the two.

In short, if you plug the internal to the external directly, you have nothing in between, and therefore no potential for a DMZ.

Author: kantan    Location: London    Posted: Tue Nov 02, 2004 8:16 am    Post subject:
    ----
I think that's answered my question mate. Thank you so very much for your help

Rgds / Kantan

Author: Colonel_Panic    Posted: Tue Nov 16, 2004 4:04 pm    Post subject:
    ----
Very good article. Thanks.

I have a situation at work that worries me somewhat, but I appear to be the only one...
I'm running two servers that need to be accessible both from internal network and from internet. They are placed on DMZ, which is supposedly well configured.
Well, anyway what troubles me is that all data for these systems is stored on these same servers, kind of like the e-commerce situation mentioned earlier.
This data is not absolutely critical but there is some (non-financial) personal data and other stuff that should not be seen/altered by the wrong people. I personally would prefer having databases inside the secure network and accessing them with IPsec (as suggested in this thread) but the general policy seems to be to dump external, non-critical services outside (to the DMZ) and let them be somebody else's problem (my problem in the case of these two).

So, should I go and complain to someone or just accept the situation, trust the outer defences, do my best to secure the servers and pray?

Author: danielrm26    Posted: Tue Nov 16, 2004 4:13 pm    Post subject:
    ----
As a general rule, you shouldn't ever put any database in the DMZ. What you should try for is keeping your front end in there (assuming you can't build separate networks for your front end, app servers, and databases) and then poke an IPSEC-secured pinhole back into your private network for your ODBC/JDBC connectivity.

Regards,

Author: Colonel_Panic    Posted: Thu Nov 18, 2004 4:18 pm    Post subject:
    ----
I agree. But the upper-level admins don't want to poke any extra holes in the firewalls, and the lack of spare servers is an even bigger problem. It seems the systems I'm running are not considered very important.

By the way, IF I could remove databases from DMZ, how could I solve this problem:

Users need to use INSERT, SELECT, UPDATE and even DELETE (in other words, PHP script access needs these privileges). If it happened that the webserver got rooted, what would it help if the DB was inside the secure network? Whoever has root can change my PHP and mess with the data. So, is there even a theoretical possibility to secure the data against someone who manages to hack the webserver?

Author: neewt    Location: Sweden    Posted: Fri Nov 19, 2004 2:04 am    Post subject:
    ----
Colonel_Panic wrote:

Users need to use INSERT, SELECT, UPDATE and even DELETE (in other words, PHP script access needs these privileges). If it happened that the webserver got rooted, what would it help if the DB was inside the secure network? Whoever has root can change my PHP and mess with the data. So, is there even a theoretical possibility to secure the data against someone who manages to hack the webserver?


There has to be some sort of proxy that can do content filtering and therefore just allow valid traffic from the DMZ to the internal LAN. In this case, certain SQL commands. Anyone know of such an implementation?

Another thing. Say one would like to give access to, say, consultants and other third-party staff, to the internal network. They have to have access to machines located inside the internal "protected" network, because it needs the entire environment that surrounds it (like databases, shares etc), and therefore cannot be put in the DMZ. How would one implement such a solution..?

Author: danielrm26    Posted: Fri Nov 19, 2004 12:01 pm    Post subject:
    ----
Ideally, one would have a three tiered architecture for their web/app/db environment, and each would reside in their own network. Apache, Websphere, and Oracle, for example.

This could come in the form of three firewalls, but it's usually implemented with the multiple-NIC method. What this allows for is not only the isolation of the world from the database, but of the webserver from the database. So rather than have say IIS and Tomcat on one box talking to the database, you'll have Apache in the DMZ --> talking to Websphere in the app network --> talking to Oracle in the db network.

This offers additional protection vs. the direct attacks on the database from the webserver that resides in the DMZ, and I know of many top 10 companies that do just this. The coolest one does the entire thing in VMWare - Check Point boxes, servers, and all.

In the basic example of webserver talking to database on the private network, you get some benefit, but not as much. As mentioned, the webserver still can speak to the database which still equates to bad news in the event of a webserver compromise. This, however, is still superior to the database sitting in the DMZ where any number of other attacks could possibly be leveled at it. Using IPSEC to communicate to said database just makes it difficult for an attacker with access to the network (but not your webserver) to glean anything from the communication.

It's about layers really, and separating the webserver and database with a firewall is just one step. Beyond that you can separate the app server from the webserver and put them all in separate networks, use IPSEC to limit what holes need to be poked in the firewalls, etc. It just depends what your resources are.
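The multi-NIC three-tier layout just described (and the IPSEC-secured pinhole from the e-commerce answer earlier in the thread), written out as an added example that is not part of the original posts: one firewall with four interfaces and exactly three pinholes between tiers. Every name here is an assumption: wan0/dmz0/app0/db0 are the interfaces, WEB_HOST runs the web front end, APP_HOST runs the application server on tcp/9080, DB_HOST runs the database listener on tcp/1521, and the app-to-db hop is assumed to run inside an IPsec transport-mode association so that the 1521 pinhole only matches traffic that arrived in ESP. As before, the default dry-run mode prints the commands rather than executing them.

```shell
#!/bin/sh
# Added example, not from the original posts: a multi-NIC three-tier
# firewall (web -> app -> db). Interfaces, addresses and ports are assumptions.
WEB_HOST=192.168.1.10     # DMZ, behind dmz0: web front end
APP_HOST=192.168.10.10    # app network, behind app0: application server, tcp/9080
DB_HOST=192.168.20.10     # db network, behind db0: database listener, tcp/1521
DRY_RUN=${DRY_RUN:-1}     # 1 = print the commands, 0 = execute them (needs root)

# rule CMD...: print the command in dry-run mode, otherwise run it.
rule() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# pinhole IN_IF OUT_IF SRC DST PORT: let SRC open TCP connections to DST:PORT
# across the two named interfaces. Nothing else crosses in that direction.
pinhole() {
    rule iptables -A FORWARD -i "$1" -o "$2" -s "$3" -d "$4" -p tcp --dport "$5" \
        -m conntrack --ctstate NEW -j ACCEPT
}

three_tier_rules() {
    rule iptables -P FORWARD DROP
    rule iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Tier 1: the Internet reaches only the web front end, on 80 and 443.
    rule iptables -t nat -A PREROUTING -i wan0 -p tcp -m multiport --dports 80,443 \
        -j DNAT --to-destination "$WEB_HOST"
    pinhole wan0 dmz0 0.0.0.0/0 "$WEB_HOST" 80
    pinhole wan0 dmz0 0.0.0.0/0 "$WEB_HOST" 443

    # Tier 2: the web server talks only to the app server, only on its port.
    pinhole dmz0 app0 "$WEB_HOST" "$APP_HOST" 9080

    # Tier 3: the app server reaches the database only inside IPsec. IKE (udp/500)
    # and ESP are allowed between the two hosts; the 1521 pinhole matches only
    # packets that were decapsulated from ESP, so a plaintext 1521 never passes.
    rule iptables -A FORWARD -i app0 -o db0 -s "$APP_HOST" -d "$DB_HOST" \
        -p udp --dport 500 -j ACCEPT
    rule iptables -A FORWARD -i app0 -o db0 -s "$APP_HOST" -d "$DB_HOST" \
        -p esp -j ACCEPT
    rule iptables -A FORWARD -i app0 -o db0 -s "$APP_HOST" -d "$DB_HOST" \
        -p tcp --dport 1521 -m policy --dir in --pol ipsec --proto esp \
        -m conntrack --ctstate NEW -j ACCEPT

    # Anything else that tries to open a connection between tiers (web -> db,
    # db -> anywhere, app -> web, ...) is logged and falls through to DROP.
    rule iptables -A FORWARD -m conntrack --ctstate NEW \
        -j LOG --log-prefix "tier violation: "
}

three_tier_rules
```

The point of the layout shows up in the log line: a rooted web server that tries to reach DB_HOST directly never matches a pinhole, so the attempt is logged as a tier violation and dropped, and the only path to the data still runs through the app server's own interface. Run with DRY_RUN=0 as root to apply.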

Author: danielrm26    Posted: Fri Nov 19, 2004 12:14 pm    Post subject:
    ----
neewt wrote:
Another thing. Say one would like to give access to, say, consultants and other third-party staff, to the internal network. They have to have access to machines located inside the internal "protected" network, because it needs the entire environment that surrounds it (like databases, shares etc), and therefore cannot be put in the DMZ. How would one implement such a solution..?
You'd determine exactly what needed to be accessed by them and find a way to host it separately from your main assets. Then, you'd implement a strong, multi-factor authentication system for the VPN they use to get into that separate network. So, you can only access a, b, or c if you are in group y.

Most high-security areas that I have seen and heard about have simple rules about vendors and contractors and free rein over the network -- it doesn't happen. Those users are either given extremely limited access to the real system, or they aren't given any access to the real thing at all.

If you are in a situation where you are being asked to give people full access to the critical data on your network (and you've already voiced your concerns), I'd take a strong look at how your data is protected in terms of access control. Is it all or nothing? Is it everyone read/write? NTFS? FAT? Are they Unix boxes? Figure out how control can be properly compartmentalized in an RBAC fashion, and look at doing as much of that as possible before allowing access. Then implement your VPN solution (using strong authentication) to ensure that each user is seeing exactly what (and only what) they should be.

Author: neewt (Location: Sweden) PostPosted: Fri Nov 19, 2004 12:26 pm    Post subject:
    ----
danielrm26 wrote:
Ideally, one would have a three tiered architecture for their web/app/db environment, and each would reside in their own network. Apache, Websphere, and Oracle, for example.


This sounds like a good idea if the purpose is running, say, the above-mentioned e-commerce thingy. If I take my problem (the need for external access to corporate computers on the private LAN) and compare that with your three-tiered example, I would say the internal LAN would be put at the back, on its own segment. However, if you then want to give access to computers in this segment (that's equal to physical access, say Citrix), this computer also needs to be able to access the database (in your example, Oracle). Isn't this a huge problem? It'll be like bypassing all layers of defense.

danielrm26 wrote:

This offers additional protection vs. the direct attacks on the database from the webserver that resides in the DMZ, and I know of many top 10 companies that do just this. The coolest one does the entire thing in VMWare - Check Point boxes, servers, and all. Wink


This sounds kinda neat, can you please describe the set-up a little further?

Thanks
Cheers

Author: Colonel_Panic PostPosted: Fri Nov 19, 2004 4:11 pm    Post subject:
    ----
neewt wrote:


There has to be some sort of proxy that can do content filtering and therefore just allow valid traffic from the DMZ to the internal LAN. In this case, certain SQL commands. Anyone know of such an implementation?


Databases and individual tables can be set to accept only certain commands; for example, it is possible to set a rule that a user connecting through a TCP/IP socket can only use SELECT (create a user that is the only user that can connect remotely and give that user access to certain tables and certain commands only), but like I said, I have to allow pretty much all commands...
Useless setting, of course, if the DB is on the same machine and somebody roots it.

In any case, the situation is that the people in charge of the internal network don't want to have ANY connection from the DMZ, and they don't want to give away an additional server either.

I'll memorize this information for the future. Maybe one day I get a chance to implement something like this.
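The content-filtering proxy neewt asks about, alongside the SELECT-only account Colonel_Panic describes, as an added example (an editor's illustration, not code from the thread or from any product): a Python allowlist check of the kind such a proxy would apply to each statement the web tier sends to the database. The table names are assumptions. It is a lexical check rather than a SQL parser, so it refuses anything it cannot classify (comments, several statements, non-SELECT keywords, tables off the list); the database account's own privileges (a user with SELECT on those tables only, as the post describes) remain the real control, with this in front of it as a second layer.

```python
"""Application-layer allowlisting for the DMZ-to-database channel.

Added example (not from the thread): the check a content-filtering
proxy between the web server and the database could apply per
statement. Only a single plain SELECT against allowlisted tables is
forwarded. Table names are assumptions. This is a strict lexical
filter, not a SQL parser, and complements (does not replace) a
database account granted SELECT on those tables only.
"""
import re

# Tables the web tier is allowed to read; everything else is refused.
ALLOWED_TABLES = {"products", "categories", "prices"}

# Any comment syntax is refused outright: MySQL's /*! ... */ executable
# comments are a classic way to smuggle a statement past a filter.
_COMMENT_RE = re.compile(r"--|#|/\*")
_STRING_RE = re.compile(r"'(?:''|[^'])*'")
_TABLE_RE = re.compile(r"\b(?:from|join)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
_FORBIDDEN_RE = re.compile(
    r"\b(insert|update|delete|drop|alter|create|grant|exec|execute|call|union|into|load_file)\b",
    re.I,
)


def filter_statement(sql: str):
    """Decide whether one statement from the web tier may be forwarded.

    Returns (allowed, reason). Comments, multiple statements, anything
    other than a plain SELECT, and any table outside ALLOWED_TABLES are
    refused; when in doubt the statement is refused.
    """
    # Blank out string literals so a product name such as 'union' does
    # not trip the keyword check (the original statement is what gets sent).
    body = _STRING_RE.sub("''", sql).strip()
    if _COMMENT_RE.search(body):
        return False, "comments are not permitted"
    body = body.rstrip(";").strip()
    if ";" in body:
        return False, "multiple statements"
    if not re.match(r"select\b", body, re.I):
        return False, "only SELECT is permitted"
    if _FORBIDDEN_RE.search(body):
        return False, "forbidden keyword"
    tables = {t.lower() for t in _TABLE_RE.findall(body)}
    if not tables:
        return False, "no table reference found"
    unknown = tables - ALLOWED_TABLES
    if unknown:
        return False, "table not allowlisted: " + ", ".join(sorted(unknown))
    return True, "ok"


if __name__ == "__main__":
    for stmt in [
        "SELECT name, price FROM products WHERE id = 42",
        "SELECT 1; DROP TABLE products",
        "SELECT * FROM products UNION SELECT * FROM users",
    ]:
        print(filter_statement(stmt), "<-", stmt)
```

The filter is intentionally blunt: a legitimate query that uses a subquery on a table off the list, a UNION, or a comment is refused too, which is the right failure direction for a chokepoint in front of the database. Anything this lets through still runs only with the privileges of the account the web tier connects as.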

Author: gsnatesh PostPosted: Mon Jan 31, 2005 7:58 pm    Post subject: DMZ to intranet
    ----
Hi danielrm26,

I really appreciate your time and effort in writing this article. I'd like to setup a similar 2 firewall network. From what information I have learnt and gathered, I have made up my mind to setup the following as shown in the image http://www.avantec.ch/pix/dmz.gif

My understanding is, the web server in the DMZ will be in a separate subnet with a default gateway of the IP address of the external firewall's internal NIC, and the DNS server IP addresses are those of the ISP.

Question: How would a server on the DMZ communicate with the intranet, assuming the DMZ and intranet have different subnets? Also, the server(s) in the DMZ have a default gateway of the IP address of the external firewall's internal NIC, and the DNS server IP addresses are those of the ISP.

I'm not sure if my assumption is correct. If not, please guide me how the data traffic would flow from DMZ to the intranet.

Thank you in advance.

Author: danielrm26 PostPosted: Mon Jan 31, 2005 8:08 pm    Post subject: Re: DMZ to intranet
    ----
gsnatesh wrote:
Question: How would a server on the DMZ communicate with the intranet, assuming the DMZ and intranet have different subnets?
Communication from within the LAN is often allowed to the DMZ, but the concept of the DMZ is for traffic originating from it not to be allowed into the more trusted networks, i.e. your LAN.

Remember though, if you are on the inside LAN, and you want to speak to a DMZ server, you can have a rule on the internal firewall that allows this. You don't need a separate rule allowing the return traffic back into the LAN; that's already taken care of.

Does this help, or did I miss the question?

Author: gsnatesh PostPosted: Mon Jan 31, 2005 8:31 pm    Post subject:
    ----
Thank you for your reply. I understand what you are saying. My question, though, could be better explained this way.

Let's say I have a web server in the DMZ. To give access to an internet user, I'd allow port 80 to the web server in my external firewall. If the website application has to request some data from the database server (located in my LAN), then I'd have to allow a port in my internal firewall to access the DB server. I'd be better off setting up this communication using IPSEC as you mentioned earlier.


The web server has a different subnet from my LAN. The web server's NIC has a unique IP in the DMZ zone and a default gateway of the ip address of outer firewall's internal NIC. Also the DNS server ip address would be configured in the web server to have the ISP's DNS server.

If the web server has to resolve an IP or a name (the IP/name of my DB server, which is in a different subnet), won't the web server ask the default gateway (outer firewall's internal NIC) to resolve this - which would have no idea what this address would be and would forward this request to the ISP's DNS server?

How do I configure the web server's NIC so that it could resolve a server name which is located in my internal LAN?

Author: danielrm26 PostPosted: Mon Jan 31, 2005 11:31 pm    Post subject:
    ----
Unless there is just a whole lot of hosts, I'd probably just use a hosts file. Is that not an option?

Author: UnaBomber (Location: Amsterdam, Netherlands) PostPosted: Tue Feb 01, 2005 12:30 am    Post subject:
    ----
danielrm26 wrote:
Aflack wrote:
Would it be too much trouble if you point me to or draw out this layout of the DMZ security settings? It would be a lot easier if I could picture what was being mentioned above.

This is a "sandwich" DMZ -- the one that I prefer, and the one that offers more security than the "multi-NIC" approach.



Why would you use a hub here? A more secure method surely would be using a content switch, so you can put different services in different areas and create a more defined ACL structure... i.e. only allow DNS traffic to your DNS servers isolated within one subnet, only allow FTP to your FTP server subnet....

Anyway your diagram is good, this is a typical NOC setup, similar to the one we have!

edit: ahhh, I see this thread isn't geared towards enterprise situations.

Author: danielrm26 PostPosted: Tue Feb 01, 2005 6:08 am    Post subject:
    ----
Not only that, but switch security isn't all that strong anyway. They can often be poisoned into becoming hubs relatively easily, and since having a hub allows me to deploy an IDS easier, i.e. without an expensive switch that has a mirror port, I prefer to go with a hub at home.

Author: UnaBomber (Location: Amsterdam, Netherlands) PostPosted: Wed Feb 02, 2005 4:14 pm    Post subject:
    ----
A content switch is a layer 3 and above switch; it is a router using a fast switching process... I fail to understand how this can be poisoned to become a hub?

Cisco switches are very difficult to flood (I presume you are talking about MAC flooding and ARP poisoning) once you have deployed CIS (Cisco Integrated Security), which limits the number of MAC addresses that can be learned at a given port, preventing CAM manipulation.

here for more details
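Both sides of the hub-versus-switch exchange above (danielrm26's point that a switch can be poisoned into behaving like a hub, and UnaBomber's per-port MAC limit), as an added example that is not from the thread or from any vendor: a small Python model of a switch's CAM table. The capacity, port numbers and MAC addresses are made up; the port-security behaviour modelled is the "shutdown" violation mode, where the port is err-disabled at the first address over the limit. It does not address the separate point that a content switch works at layer 3.

```python
"""Why a flooded switch behaves like a hub, and what a per-port MAC limit changes.

Added example (not from the thread): a tiny model of a switch's CAM
(MAC-to-port) table with a fixed capacity and ageing. Without a limit,
an attacker who keeps the table full of bogus addresses evicts the real
hosts, so frames to them are flooded out of every port, including the
attacker's. With a per-port limit, the attacker's port is shut down at
the first excess address and forwarding stays unicast. Capacities,
ports and MAC addresses are assumptions.
"""
from collections import OrderedDict


class Switch:
    """Minimal model of a switch's CAM table with optional port security."""

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port    # None = no port security
        self.cam = OrderedDict()                      # mac -> port, oldest first
        self.secure = {p: set() for p in self.ports}  # MACs accepted per port
        self.err_disabled = set()

    def _learn(self, mac, port):
        if self.max_macs_per_port is not None and mac not in self.secure[port]:
            if len(self.secure[port]) >= self.max_macs_per_port:
                # Port-security violation, "shutdown" mode: port goes err-disabled.
                self.err_disabled.add(port)
                return
            self.secure[port].add(mac)
        if mac in self.cam:
            self.cam.move_to_end(mac)        # refresh the ageing timer
        elif len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)     # oldest entry ages out
        self.cam[mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the egress ports for a frame arriving on in_port."""
        if in_port in self.err_disabled:
            return []
        self._learn(src_mac, in_port)
        if in_port in self.err_disabled:
            return []
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:
            # Unknown destination: flood out of every other live port,
            # which is exactly what a hub does with every frame.
            return [p for p in self.ports if p != in_port and p not in self.err_disabled]
        return [out]


def flood_scenario(max_macs_per_port=None, bogus_frames=2000):
    """Hosts A (port 1) and B (port 2) talk; an attacker on port 3 then
    sends bogus source MACs. Returns (egress ports of A's next frame to B,
    sorted list of err-disabled ports)."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=1000, max_macs_per_port=max_macs_per_port)
    a, b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.forward(a, b, 1)
    sw.forward(b, a, 2)
    for i in range(bogus_frames):
        bogus = "de:ad:be:ef:%02x:%02x" % (i // 256, i % 256)   # constructed
        sw.forward(bogus, "00:11:22:33:44:55", 3)
    return sw.forward(a, b, 1), sorted(sw.err_disabled)


if __name__ == "__main__":
    print("no port security:", flood_scenario())                 # flooded to ports 2 and 3
    print("max 2 MACs/port: ", flood_scenario(max_macs_per_port=2))  # unicast to port 2, port 3 down
```

The first run shows the attacker on port 3 receiving A's traffic to B, which is the "switch turned hub" condition that makes a hub-plus-IDS no worse than an unsecured switch; the second shows the per-port limit stopping it at the second bogus address.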

Author: danielrm26 PostPosted: Wed Feb 02, 2005 5:31 pm    Post subject:
    ----
UnaBomber wrote:
Cisco switches are very difficult to flood (I presume you are talking about MAC flooding and ARP poisoning) once you have deployed CIS (Cisco Integrated Security), which limits the number of MAC addresses that can be learned at a given port, preventing CAM manipulation.

I see; I was not aware of this technology. Well, for a corporate environment this may well be an option.

Thanks for the info.

Author: Colonel_Panic PostPosted: Sat Feb 05, 2005 5:09 pm    Post subject:
    ----
I'm starting to get really annoyed by my superiors... not only do I still have all the critical stuff on the servers in the DMZ, but I had a new issue: one of the two servers was getting a lot of SSH root attempts, so I asked why the external firewall is allowing that, and they said "OK, that's not how it is supposed to be, we'll plug the hole". That never happened, and as the attempts increased, I asked again. "Oh, we forgot" was the reply, and they STILL did not fix it. So I took the matter into my own hands and edited iptables (on the server) myself, which is something I'm not very experienced in... Don't know if it's OK now, but at least the root attempts seem to have stopped. Doesn't all this practically defeat the whole purpose of a DMZ? I should be paid for all the security stuff I had to do when nobody else cares.
Am I supposed to pentest everything from home in my own time with no pay???
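Counting the SSH root attempts Colonel_Panic mentions, as an added example (an editor's illustration, not from the thread): a Python detector that parses OpenSSH "Failed password" lines and flags a source that crosses a threshold inside a sliding window. The log lines are constructed for the example, the threshold of 4 failures in 60 seconds is an assumption, and the year is supplied because syslog timestamps carry none. It only tells you that the brute force is happening; the fix is still the firewall rule that keeps port 22 from the Internet off the box.

```python
"""Flag SSH brute-force sources in sshd log lines.

Added example (not from the thread): parses OpenSSH "Failed password"
lines from auth.log, counts failures per source IP in a sliding window,
and reports sources that cross a threshold. The sample lines below are
constructed; the threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches e.g.
# "Feb  5 14:02:11 web1 sshd[2345]: Failed password for root from 198.51.100.7 port 51022 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one source hammering root, one admin key login,
# one source with two failures far apart (not a brute force).
SAMPLE_LOG = """\
Feb  5 14:02:11 web1 sshd[2345]: Failed password for root from 198.51.100.7 port 51022 ssh2
Feb  5 14:02:13 web1 sshd[2346]: Failed password for root from 198.51.100.7 port 51023 ssh2
Feb  5 14:02:14 web1 sshd[2347]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Feb  5 14:02:16 web1 sshd[2348]: Failed password for root from 198.51.100.7 port 51025 ssh2
Feb  5 14:02:19 web1 sshd[2349]: Failed password for root from 198.51.100.7 port 51026 ssh2
Feb  5 14:03:02 web1 sshd[2350]: Accepted publickey for deploy from 10.0.0.5 port 40011 ssh2
Feb  5 14:05:40 web1 sshd[2351]: Failed password for root from 203.0.113.9 port 33001 ssh2
Feb  5 14:40:00 web1 sshd[2352]: Failed password for root from 203.0.113.9 port 33002 ssh2
"""


def parse(lines, year=2005):
    """Yield (timestamp, user, ip) for each failed-password line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps have no year; it is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def brute_force_sources(lines, threshold=4, window_seconds=60, year=2005):
    """Return {ip: peak_failures_in_window} for sources that cross the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = {}
    for ts, _user, ip in parse(lines, year):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()            # drop failures older than the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins within 60 s")
```

Run against a real auth.log the same way (pass the file's lines and the right year); the sliding window is what separates a scripted attack from an admin who mistypes a password twice an hour apart.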

Author: danielrm26 PostPosted: Sat Feb 05, 2005 5:26 pm    Post subject:
    ----
For the technical part of your question, yes, it's best to limit outbound traffic from the DMZ to only traffic that is needed. Deny all, allow only a few things.

As for the politics, what you're seeing largely represents most companies. Most people just don't care about security until it's absolutely forced on them.

Being proactive like you have been will likely go unnoticed. All you can hope for is a manager that knows something about security but lacks the skills to do anything about it. People like this are likely to respect and value what you bring to the table.

Unfortunately, managers like this are very rare.

Good luck to you.

Author: progjm PostPosted: Sat Feb 05, 2005 7:16 pm    Post subject:
    ----
Well, look at it this way. If something goes wrong, then you are the first to get blamed, but if you keep everything locked down, then they won't be there breathing down your neck. So, being unnoticed, or being blamed for everything?

Author: xathras PostPosted: Thu Feb 24, 2005 5:17 pm    Post subject:
    ----
Is this post your own work or an extract from elsewhere? I have seen this before, not on this site, but for the life of me cannot track it down.

Author: danielrm26 PostPosted: Thu Feb 24, 2005 5:29 pm    Post subject:
    ----
xathras wrote:
Is this post your own work or an extract from elsewhere? I have seen this before, not on this site, but for the life of me cannot track it down.

Yes, it's my work. You probably saw it on New Order, which is where I posted it first. You'll notice it was posted under "danielrm26" in both places. Google (http://www.google.com) can show you this information if you enter the string "danielrm26" and "DMZ" into the search field and either press "enter" or click the search button.

Regards,

Author: xathras PostPosted: Thu Feb 24, 2005 5:47 pm    Post subject:
    ----
danielrm26 wrote:
xathras wrote:
Is this post your own work or an extract from elsewhere? I have seen this before, not on this site, but for the life of me cannot track it down.

Yes, it's my work. You probably saw it on New Order, which is where I posted it first. You'll notice it was posted under "danielrm26" in both places. Google (http://www.google.com) can show you this information if you enter the string "danielrm26" and "DMZ" into the search field and either press "enter" or click the search button.

Regards,


lol, at least it shows that I paid attention to the info

Author: danielrm26 PostPosted: Thu Feb 24, 2005 5:49 pm    Post subject:
    ----
xathras wrote:

lol, at least it shows that I paid attention to the info

True.

Author: Tudor Popescu PostPosted: Wed Apr 13, 2005 4:14 pm    Post subject:
    ----
Thank you kindly. This information is very useful for me. Great site! Thanks again!

-------------------------------------------------------------------------------
http://www.neolink.ro

Author: aretasso PostPosted: Wed Aug 03, 2005 12:43 pm    Post subject: DMZ question
    ----
Can you use two network cards on one PC to set up one internal LAN and one DMZ, using Server 2003?

Thanks

Author: AdamV (Location: Leeds, UK) PostPosted: Wed Aug 03, 2005 2:16 pm    Post subject:
    ----
Sort of, but Windows 2003 on its own won't give you much intelligence for managing traffic between the cards. You really need an application on top such as ISA or a third party firewall.

Author: aretasso PostPosted: Wed Aug 03, 2005 3:49 pm    Post subject:
    ----
would I have to bridge those two cards in order to install a firewall, and which firewall is any good?

Thanks

Author: systemonkey PostPosted: Thu Mar 02, 2006 4:10 am    Post subject: Re: What is a DMZ and how do I build one?
    ----
Thank you for your excellent article. It was great read.
But I have a question regarding a firewall/router with a DMZ host, not in the sense of a system with three NIC cards but the actual router device. Is this safer than having a server functioning as a router?

For instance,

Internet -> Firewall/VPN router (Netgear, Linksys) -> DMZ
Internet->Firewall/VPN router->Internal LAN

Since most small businesses tend to have this type of network, what are their chances of being hacked?

Author: juba PostPosted: Tue Oct 27, 2009 9:01 pm    Post subject:
    ----
Thank you very much.

Can you give me some example, please?


