Security Basics mailing list archives
RE: Extending the DMZ
From: "Prodigi Child" <prodigi.child () gmail com>
Date: Thu, 16 Oct 2008 13:45:13 -0500
You are correct - this is absolutely a bad idea. If you have to worry about regulatory compliance this can be a deal-breaker for an auditor, depending on what standard you need to comply with and what data is on the server. Speaking of which, what kind of server is it? If it is a web server or something simple like that then you can feasibly reverse proxy it through a DMZ server, using something like ISA server. So, check your rules & regulations and see if you can deny this change based on those, and if you can't then try to find another way to make it accessible.

Bottom line - if that server gets compromised and it is on the same subnet as your other production servers, that is MANY times worse than if a DMZ server gets compromised, because the attacker may need to now turn his/her attention on a second attack (this time targeting the internal servers). In addition, there are well-documented VLAN-hopping attacks that you would now need to protect against.

In addition, you should probably work to ensure that you (information security) are included even in the planning stages of new servers/applications/etc. Too many times I have seen InfoSec playing "catch-up" when it's too late to make any meaningful changes to a new production system.

Mike

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of CORP John Porter
Sent: Wednesday, October 15, 2008 9:58 AM
To: security-basics () securityfocus com
Subject: Extending the DMZ

We have an ASA with a separate interface for the DMZ. Connected to that interface is a layer 2 switch, and then the DMZ servers. The Windows guys, working with Application development, have created a new server, in a blade center. The blade center has a layer 3 switch built in, which is connected to our core switch with a 4 port Etherchannel. Now they want the server they built made available on the internet.

I have told them that the server must be moved to the DMZ, but they are reluctant to do that because they already built it on an internal Blade Server. They want me to create a VLAN on the layer 3 switch and connect 1 port from the layer 3 switch to the layer 2 DMZ switch, so the server will be available on the DMZ. This seems like a very bad idea to me:

- Someone can mis-configure the server and end up with it acting as a router to pass traffic between the DMZ and inside network
- The layer 3 switch is going to route traffic between the new VLAN and the inside network
- Even if I manage to lock things down so that it works, there may be other problems/exploits that make this a bad idea.

Am I just being paranoid, or is this definitely a bad idea?
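As an added illustration that is not part of this thread or either poster's message, here is a small Python model of the topology John describes: network segments as nodes, the ASA and the blade center's layer 3 switch as forwarding devices with deny rules, and a search for any routed path from the DMZ into the inside network under the configurations the thread discusses. Device and segment names are constructed assumptions.

```python
from collections import deque

def find_path(devices, src, dst):
    """Breadth-first search over segments; returns (from, device, to) hops or None."""
    queue = deque([(src, [])])
    seen = {src}
    while queue:
        seg, hops = queue.popleft()
        if seg == dst:
            return hops
        for name, dev in devices.items():
            if seg not in dev["segments"]:
                continue  # this device has no leg in the current segment
            for nxt in dev["segments"]:
                if nxt in seen or (seg, nxt) in dev["deny"]:
                    continue  # already visited, or the device refuses to forward this way
                seen.add(nxt)
                queue.append((nxt, hops + [(seg, name, nxt)]))
    return None

def topology(new_vlan=False, switch_acl=False, server_forwards=False):
    """Device table for one scenario (constructed; names are assumptions)."""
    devices = {
        # The ASA fronts internet, dmz and inside; nothing may initiate into inside.
        "asa": {"segments": {"internet", "dmz", "inside"},
                "deny": {("dmz", "inside"), ("internet", "inside")}},
        # The blade center's layer 3 switch normally only touches the inside network.
        "blade_l3_switch": {"segments": {"inside"}, "deny": set()},
    }
    if new_vlan:
        # A VLAN patched into the DMZ layer 2 switch joins the DMZ broadcast domain,
        # so the layer 3 switch gains a leg in "dmz" and will route it to "inside".
        devices["blade_l3_switch"]["segments"].add("dmz")
    if new_vlan and switch_acl:
        devices["blade_l3_switch"]["deny"].add(("dmz", "inside"))
    if new_vlan and server_forwards:
        # First bullet of the post: the server itself misconfigured as a router.
        devices["new_server"] = {"segments": {"dmz", "inside"}, "deny": set()}
    return devices

def assess():
    """Check each scenario for a DMZ-to-inside path; None means the DMZ boundary holds."""
    scenarios = {
        "server moved into the DMZ": topology(),
        "new VLAN, no ACL on L3 switch": topology(new_vlan=True),
        "new VLAN, ACL on L3 switch": topology(new_vlan=True, switch_acl=True),
        "new VLAN, ACL, server forwarding": topology(new_vlan=True, switch_acl=True, server_forwards=True),
    }
    return {name: find_path(devs, "dmz", "inside") for name, devs in scenarios.items()}
```

Calling assess() returns None for the baseline and for the VLAN-with-ACL case, but a path through the layer 3 switch when no ACL is applied and a path through the server itself when forwarding is left enabled, which is the first bullet in John's list.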