Firewall Wizards mailing list archives
Re: DMZ best practices
From: Dominique Brezinski <dom_brezinski () securecomputing com>
Date: Mon, 18 Jan 1999 15:43:20 -0800
At 04:03 PM 1/16/99 -0800, John Kozubik wrote:
Now, what kind of machines would you put in the DMZ? Not many, in my opinion. Mail, news, www, etc. should _always_ be behind a firewall with a security policy in place. Now maybe your firewall (as stated above) calls an area with a less stringent security policy a DMZ - if they do, fine. Whatever you call it, don't put these critical machines _outside_ the firewall. As of this writing, the only machine I can think of that belongs outside of the firewall is a data collection machine for intrusion detection - and it forwards that data to an analysis machine _behind_ the firewall.
Wow, Mr. Kozubik's comments on secure network and firewall architecture go against every credible reference on the subject. Placing a publicly accessible webserver or mail host inside the firewall is about as sure a way of getting your internal network compromised as any. By allowing inbound connections to pass through the firewall to internal servers, you are opening up your internal network to attack as soon as a vulnerability is discovered in one of the internal servers. The firewall is then useless in trying to minimize the scope of the compromise (what firewalls were designed to do). Firewalls are meant to minimize the nexus points between the (untrusted) public and the internal network(s). The reason "protected" DMZs became a firewall feature is to help do just that. Protected DMZs, implemented as a third or fourth interface on the firewall, are meant to provide some protection to publicly accessible hosts while also providing very controlled access between the publicly accessible hosts and the internal network. Yes, there are performance penalties associated with having the firewall do this work, but the architectural and management benefits can far outweigh those in some cases. I thought this was all obvious stuff, but in case it is not, go read the Chapman and Zwicky or Cheswick and Bellovin books.

Also, the comment on having ID sensors outside the firewall is equally flawed. The fact is very few organizations (with intelligence agencies and military branches being the exceptions) have the resources, time, or need to know who is unsuccessfully attacking them. IDS is useful to most organizations in determining if their firewall (or other perimeter defense) is not stopping attacks or if their employees or other insiders are engaging in harmful activities. Both these cases call for the ID sensors being located inside the firewall.
I have yet to see a company that has a counter-intelligence group with enough resources to do analysis and response of failed external intrusion and information gathering attempts. Maybe in five years the management of commercial organizations will see the benefits of doing such activities, but currently the general understanding of the threat potential does not lead management to allocate resources for such activities. I would be interested in private responses if anybody can point me to verifiable instances where commercial organizations are indeed conducting such extensive counter-intelligence successfully. It would benefit me greatly in some current research I am doing. Also, if anybody can provide verifiable cases where information warfare has been used by sub-national or non-state (potential terrorists) groups to further some cause other than financial gain (ruling out standard criminal activity), it would also be of tremendous value to me. I will be happy to summarize any findings for the list.

Dominique Brezinski CISSP
(206) 898-8254
Secure Computing
http://www.securecomputing.com
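The architectural point Brezinski makes above (a protected DMZ on a third firewall interface, with tightly controlled access from the DMZ to the inside, versus public servers living on the internal network) can be checked against a policy model. The following is an added example, not code from the post or from Secure Computing: it models a three-zone, first-match, default-deny firewall policy and compares what a compromised public web server could still reach under each placement. All addresses (192.0.2.0/24 as the DMZ, 10.0.0.0/8 as the internal network, the individual host addresses and services) are assumed for illustration.

```python
"""Model of a three-interface firewall with a protected DMZ.

Zone-based first-match policy with default deny, plus a check of what a
compromised host could still reach. Addresses and services are assumed for
illustration; they are not from the mailing-list post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed address plan for the two local firewall interfaces; anything else
# is treated as the untrusted "internet" zone on the outside interface.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),     # protected DMZ (documentation range)
    "internal": ip_network("10.0.0.0/8"),  # internal network
}


def zone_of(addr: str) -> str:
    """Map an address to the firewall zone whose interface it sits behind."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                      # "tcp", "udp" or "any"
    dport: Optional[int]            # None matches any destination port
    action: str                     # "accept" or "drop"
    dst_host: Optional[str] = None  # None matches any host in dst_zone
    comment: str = ""

    def matches(self, src_zone: str, dst_zone: str, dst_ip: str,
                proto: str, dport: Optional[int]) -> bool:
        return (self.src_zone == src_zone
                and self.dst_zone == dst_zone
                and self.proto in ("any", proto)
                and self.dport in (None, dport)
                and self.dst_host in (None, dst_ip))


# Policy A: public servers on the protected DMZ interface. The only path
# from the DMZ to the inside is the mail relay talking to one mail server.
DMZ_POLICY = [
    Rule("internet", "dmz", "tcp", 80, "accept", "192.0.2.10", "public web server"),
    Rule("internet", "dmz", "tcp", 25, "accept", "192.0.2.20", "public mail relay"),
    Rule("dmz", "internal", "tcp", 25, "accept", "10.1.1.25", "relay to internal mail server only"),
    Rule("internal", "dmz", "any", None, "accept", None, "administration from inside"),
    Rule("internal", "internet", "any", None, "accept", None, "outbound from inside"),
]

# Policy B: the arrangement the post argues against. The public servers sit
# on the internal LAN and the firewall passes inbound connections to them.
INSIDE_POLICY = [
    Rule("internet", "internal", "tcp", 80, "accept", "10.1.1.80", "web server on the LAN"),
    Rule("internet", "internal", "tcp", 25, "accept", "10.1.1.25", "mail server on the LAN"),
    Rule("internal", "internet", "any", None, "accept", None, "outbound from inside"),
]

Probe = Tuple[str, str, int]


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: Optional[int]) -> str:
    """First-match evaluation; anything not explicitly accepted is dropped."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "accept"  # same-interface traffic never crosses the firewall
    for rule in policy:
        if rule.matches(src_zone, dst_zone, dst_ip, proto, dport):
            return rule.action
    return "drop"


def reachable_from(policy: List[Rule], src_ip: str, probes: List[Probe]) -> List[Probe]:
    """Return the (dst_ip, proto, dport) probes the policy lets src_ip reach."""
    return [p for p in probes if evaluate(policy, src_ip, *p) == "accept"]


# Constructed set of internal services a compromised host might be pointed at.
INTERNAL_PROBES: List[Probe] = [
    ("10.1.1.5", "tcp", 445),   # file server
    ("10.1.1.25", "tcp", 25),   # internal mail server
    ("10.1.1.53", "udp", 53),   # internal DNS
]


def compare_blast_radius() -> dict:
    """Internal services reachable from a compromised public web server under each placement."""
    return {
        "web_in_dmz": reachable_from(DMZ_POLICY, "192.0.2.10", INTERNAL_PROBES),
        "web_inside": reachable_from(INSIDE_POLICY, "10.1.1.80", INTERNAL_PROBES),
    }


if __name__ == "__main__":
    for placement, reached in compare_blast_radius().items():
        print(placement, "->", reached or "nothing on the internal network")
```

With the web server in the DMZ, the model lets a compromised web host reach only port 25 on the one internal mail server the relay rule names (and that hole could be closed further by restricting the rule's source to the relay). With the web server on the internal LAN, the firewall is never consulted for web-server-to-LAN traffic, so every internal service is reachable, which is the "useless in trying to minimize the scope of the compromise" outcome the post describes.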