Security Basics mailing list archives
RE: DMZ - Question
From: "Dan Lynch" <DLynch () placer ca gov>
Date: Fri, 26 Oct 2007 12:41:35 -0700
Pablo,

There shouldn't be a need to NAT traffic between the DMZ and private network. You should only need to NAT at the internet perimeter. But that depends on the IP ranges you're using too.

I concur with Ansgar that connections from DMZ hosts to private network hosts are to be discouraged. But it's advice that is sometimes not possible to strictly follow. Your mail server is a perfect example. How else to receive internet mail? Layer 8 restrictions may apply too.

But where possible, put those private network hosts that need to receive connections from DMZ boxes into another DMZ layer - as below. Then control what connections (if any) are allowed from DMZ1 hosts into the private nets. A connection should have to pass through multiple layers of control before reaching anything of value.

    Private ----FW---switch---FW---Internets
     nets                |
                         |
                         |
                      router
                       DMZ1
                         |
                       DMZ2

There are a lot of variables, but the general goals should guide you. Control and audit that traffic, even if you can't perfectly restrict it. And create as many distinct layers as needed to define and segregate different security domains. Use DMZ1 for less-critical servers. Another DMZ can be created for high-value servers (payroll, customer data, etc). The private nets can then be reserved for users. But be careful - it gets very complicated, very quickly. Firewall rulesets get very long too, and mistakes become more likely.

One issue to be aware of has to do with default routes on DMZ hosts. As you've presented it, the DMZ has two routes. In that config, either (1) each DMZ host has a static route table for all private nets, or (2) you rely on ICMP redirect packets for half your traffic. That's why I included a router above. In my environment, there are too many DMZ hosts, and too many private nets in too many diverse ranges that change too frequently, to efficiently and accurately manage static route tables on every DMZ host. Also, firewalls don't always like sending ICMP redirects. YMMV.
As above, the two firewalls and one router interface are on one IP network. The second router interface and all DMZ hosts are on another. Each DMZ host has a single default route (the router), and the router determines which way a packet should go. It can participate in dynamic route updates of your preferred flavor, or you can maintain static routes there.

Finally, be aware that management doesn't always buy into the two-vendor idea. Two different acquisition sources, and two different maintenance contracts to manage. And the administrator needs to fully understand two different FW implementations. Here, it didn't fly, regardless of the obvious security advantages.

Good luck,

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of hol64 () hotmail com
Sent: Friday, October 26, 2007 8:41 AM
To: security-basics () securityfocus com
Subject: DMZ - Question

I have to setup a DMZ on our network. Our current layout is

    Internet Router <--> Firewall <--> WAN/LAN Router <--> Servers

The idea is to setup a back-to-back DMZ or Dual Firewall DMZ. So the topology would be like this..

    Internet Router --> FW-1 <--> DMZ <--> FW-2 <--> WAN/LAN router.

On the DMZ we will have a Web Server that needs access back to the Mainframe on the LAN, and a Mail server that needs access to another mail server on the LAN.

One of my questions is the DMZ is in a /24 subnet and the LAN is on a /16 subnet. Is the only way for the web server in the DMZ to communicate with the inside LAN by NATting in the FW-2? Isn't this creating a double subnet from the outside??

I am working with 2 pix firewalls, and I am hoping to change FW-2 to a different brand that has stateful inspection.

Please advise,

Thanks,
Pablo
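The routing problem Dan describes (a DMZ with two exits, so every host either carries static routes for all private nets or depends on ICMP redirects, versus a single default route to a router that holds those routes) can be simulated with longest-prefix matching. This is an added example, not code from the thread; the gateway addresses, private nets and the "newly added" net are constructed sample values.

```python
"""Longest-prefix-match simulation of the two DMZ routing designs.

Design A: DMZ hosts share a network with both firewalls and must carry
a static route for every private net themselves.
Design B: DMZ hosts have one default route, to a router that holds the
private-net routes (Dan's diagram).
All addresses here are constructed sample values, not a real network.
"""
import ipaddress

# Constructed sample topology (192.0.2.0/24 is a documentation range).
FW_INTERNET = "192.0.2.1"   # firewall facing the Internet
FW_PRIVATE = "192.0.2.2"    # firewall facing the private nets
ROUTER = "192.0.2.3"        # router inside the DMZ, design B only

PRIVATE_NETS = ["10.1.0.0/16", "10.2.0.0/16"]
NEW_PRIVATE_NET = "10.3.0.0/16"   # added later; DMZ hosts were not updated


def next_hop(routes, dst):
    """Return the gateway for dst by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


# Design A: each DMZ host's own table, missing the newly added net.
HOST_ROUTES_A = [("0.0.0.0/0", FW_INTERNET)] + [(n, FW_PRIVATE) for n in PRIVATE_NETS]

# Design B: the host knows only the router; the router knows everything,
# and only it needed the update when NEW_PRIVATE_NET was added.
HOST_ROUTES_B = [("0.0.0.0/0", ROUTER)]
ROUTER_ROUTES = [("0.0.0.0/0", FW_INTERNET)] + [
    (n, FW_PRIVATE) for n in PRIVATE_NETS + [NEW_PRIVATE_NET]
]


def design_a_path(dst):
    """Gateway a DMZ host picks on its own; a stale table sends private
    traffic to the Internet firewall, which must then ICMP-redirect it."""
    return next_hop(HOST_ROUTES_A, dst)


def design_b_path(dst):
    """(host's next hop, router's next hop): the router makes the choice."""
    first = next_hop(HOST_ROUTES_B, dst)
    return (first, next_hop(ROUTER_ROUTES, dst))
```

A destination in the new private net goes to the Internet firewall under design A but to the private firewall under design B, which is exactly the difference between updating every DMZ host and updating one router.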