Security Basics mailing list archives

RE: Firewall and DMZ topology


From: ed <ed () well com>
Date: 10 Jun 2003 22:58:41 +0100

This is true to an extent. However it is far more likely that someone
will use an exploit on the server in the DMZ than on the firewall
itself. For example:

Let's say you have a Linux box running iptables with three NICs as your
firewall. Behind the firewall, in the DMZ, you have a web server running
Apache or IIS. Behind the firewall in the 'secure' zone you have your
network (it makes little difference what's running on it).

What's more likely? That someone finds an exploit to use against your Linux
box which isn't running any services and only forwards packets from one
interface to another (and perhaps runs an IDS also), or that someone will
use a guid 0 exploit on Apache?

OK so now they own the box in the DMZ, big deal - the damage is
contained. From your DMZ they shouldn't be able to see the rest of the
network; at worst they might sniff the traffic to and from the DMZ, but
they own it anyway so it's not as if the sniffed traffic will do them any
good.

Now let's take the two-NIC example. If the DMZ is exploited they can now
sniff -all- the traffic between your network and the internet, which is
arguably more valuable than being able to access your network.

If your firewall is well configured then it's unlikely to be the weak
point with which to access any part of your network; your DMZ, however,
is.

On Tue, 2003-06-10 at 19:40, Depp, Dennis M. wrote:
I'm not sure how a tri-homed firewall can be just as secure as a two
firewall setup.  Consider this:

Hacker is able to penetrate your firewall and "owns" the box.  In a
tri-homed firewall, they now have direct access to your internal
network.  If this had been a two firewall setup, they would have to
compromise the second box as well.  While this may not be an issue as
they were already successful in owning one firewall, hopefully you have
your intrusion detection system tuned to a greater degree of sensitivity
in your DMZ.  And you will be able to discover this second attempt.

I do think tri-homed firewalls are a good solution, but they are not as
secure as a two firewall solution.

Dennis Depp 


-----Original Message-----
From: Chris Berry [mailto:compjma () hotmail com] 
Sent: Tuesday, June 10, 2003 2:21 PM
To: security-basics () securityfocus com

From: "Des Ward" <des.ward () ntlworld com>
The second means that all traffic has to traverse your LAN to get to the
'Unprotected' DMZ systems and also could leave your internal LAN open to
attack.

My ASCII drawing didn't come out very well; it was supposed to
represent a tri-homed firewall, which, to the best of my knowledge, is
just as secure as a two firewall setup.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Gold is for the mistress - silver for the maid
Copper for the craftsman cunning in his trade.
"Good!" said the Baron, sitting in his hall
But steel - cold steel is master of them all." -- Rudyard Kipling








