Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Firewall and DMZ topology

From: Christopher Ingram <cmi () crystalsands net>
Date: Mon, 09 Jun 2003 16:44:42 -0400
That would me more secure than some of the options presented, although the first firewall could reside on the DMZ. The point, however, is that even though the DMZ is isolated from the internal network (things like file sharing between workstations is protected) should the DMZ be compromised, all traffic moving between the internal network and the outside is sniffable. This includes e-mails, web site passwords, etc.
So, the below setup is not decent for a corporate LAN. Ideally, the DMZ should sit on a seperate connection to the Internet from the rest of the network, using a different ISP and therefore, different IP block. This provides the most isolation. 

So to recap, seperate uplinks is the best solution for security.
Splitting a single uplink with a hardware router is #2, as it is generally VERY difficult to compromise an SOHO hardware router in a way that would gain additional access to the internal network.
A single firewall + router with 3 NICs is #3, or #2 in a corporate setting. 

On Monday, June 9, 2003, at 04:11  PM, Erik Vincent wrote:


So according to your answer,
Internet | -->| Firewall |-->| DMZ |-->| Firewall |-->| Internal network 

Should be a more secure option.
Is it good enough for a corporate LAN?

Christopher Ingram wrote:



On Saturday, June 7, 2003, at 10:06  AM, William J. Burgos wrote:


Greetings list,
I would like to set up a SOHO network with a firewall and DMZ for mostly web serving and email. Of course, there are private PCs on the internal 
network, Windows and Linux.

My connection is a dynamic IP on a pppoe and I already have an old
laptop used as a simple firewall setup.

I am considering separating my web and email server to a dedicated
machine and placing it in a DMZ.

In searching on the web, I came up with a few topologies and I would
like to ask the list of their opinion.

I have sketched out a few scenarios below:

1. | Internet |-->| Firewall |-->| DMZ |-->| internal network |

This scenario (1) puts the DMZ between the firewall and internal
network. I have read that this is insecure as if the DMZ is compromised, 
so will be the internal network. Is this true?

2. | Internet |-->| Firewall |--->| internal network |
                  |          |--->| DMZ |

This scenario (2) uses three NIC's for the firewall. One for the
internal network, one for the DMZ and one for the Internet. I have read that this is a Three-legged firewall setup. The drawback is that I would 
need three NIC's for the firewall which is now a laptop with only two.

3. | Internet |-->| DMZ with Firewall |-->| internal network |

This scenario (3) places the DMZ with the firewall on one box and then
to the internal network. My concern is if I can secure the DMZ from the 
firewall on one box. Is there a way to secure this setup?

4. | Internet |-->| DMZ |-->| Firewall |-->| internal network |

This scenario (4) places the DMZ before the Firewall which leaves it
open to the Internet. Is there a way to secure this setup?

I am trying to avoid having to get another box with three NIC's for
Scenario 2, if possible. However, I would feel safer in a less easy to
break in setup.

Any comments or suggestions would be appreciated.

Thanks in advance.

William Burgos


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! 
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in 
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------



William,
I would strongly reccomend going with the 3 NIC setup. If not, you can always purchase a cheap hardware router and use clever allocation of your IP addresses. 

Internet -> Router -> DMZ
                   -> Firewall (NAT?) -> Workstations
Keep in mind that if you use any of the scenarios where the DMZ is inline with the firewall and your internal network, compromising one will yield easy access to the others. Well, at least the ability to sniff traffic between your internal network and the Internet or the DMZ. The point of a DMZ is to completely isolate it from the rest of your network. Using an inline setup makes expanding access in the even of a security breach easier. 


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! 
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in 
about an hour, with no client, server changes, or ongoing maintenance.
         Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------







---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in 
about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm 
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: