Firewall Wizards mailing list archives

Re: DMZ best practices


From: Dominique Brezinski <dom_brezinski () securecomputing com>
Date: Mon, 18 Jan 1999 15:43:20 -0800

At 04:03 PM 1/16/99 -0800, John Kozubik wrote:
Now, what kind of machines would you put in the DMZ?  Not many, in my 
opinion.  Mail, news, www, etc. should _always_ be behind a firewall 
with a security policy in place.  Now maybe your firewall (as stated 
above) calls an area with a less stringent security policy a DMZ - if 
they do, fine.  Whatever you call it, don't put these critical machines 
_outside_ the firewall.  As of this writing, the only machine I can 
think of that belongs outside of the firewall is a data collection 
machine for intrusion detection - and it forwards that data to an 
analysis machine _behind_ the firewall.

Wow, Mr. Kozubik's comments on secure network and firewall architecture go
against every credible reference on the subject.  Placing a publicly
accessible webserver or mail host inside the firewall is about as sure a
way of getting your internal network compromised as any.  By allowing
inbound connections to pass through the firewall to internal servers, you
are opening up your internal network to attack as soon as a vulnerability
is discovered in one of the internal servers.  The firewall is then useless
in trying to minimize the scope of the compromise (what firewalls were
designed to do).  Firewalls are meant to minimize the nexus points between
the (untrusted) public and the internal network(s). The reason "protected"
DMZs became a firewall feature is to help do just that.

Protected DMZs, implemented as a third or fourth interface on the firewall,
are meant to provide some protection to publicly accessible hosts while
also providing very controlled access between the publicly accessible hosts
and the internal network.  Yes, there are performance penalties associated
with having the firewall do this work, but the architectural and management
benefits can far outweigh those in some cases.  I thought this was all
obvious stuff, but in case it is not, go read the Chapman and Zwicky or
Cheswick and Bellovin books.

Also, the comment on having ID sensors outside the firewall is equally
flawed.  The fact is very few organizations (with intelligence agencies and
military branches being the exceptions) have the resources, time, or need
to know who is unsuccessfully attacking them.  IDS is useful to most
organizations in determining if their firewall (or other perimeter defense)
is not stopping attacks or if their employees or other insiders are
engaging in harmful activities.  Both these cases call for the ID sensors
being located inside the firewall.  I have yet to see a company that has a
counter-intelligence group with enough resources to do analysis and
response of failed external intrusion and information gathering attempts.
Maybe in five years the management of commercial organizations will see the
benefits of doing such activities, but currently the general understanding
of the threat potential does not lead management to allocate resources for
such activities.

I would be interested in private responses if anybody can point me to
verifiable instances where commercial organizations are indeed conducting
such extensive counter-intelligence successfully.  It would benefit me
greatly in some current research I am doing.  Also, if anybody can provide
verifiable cases where information warfare has been used by sub-national or
non-state (potential terrorists) groups to further some cause other than
financial gain (ruling out standard criminal activity), it would also be of
tremendous value to me.  I will be happy to summarize any findings for the
list.

Dominique Brezinski CISSP                   (206) 898-8254
Secure Computing        http://www.securecomputing.com
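As an added illustration that is not part of the thread, a small Python model of the two layouts the post contrasts: a three-interface firewall with a protected DMZ, versus public servers placed on the internal network. The zone names, addressing and port choices are constructed for the example.

```python
"""Model of a firewall policy with a protected DMZ on a third interface.

Zones: 'internet' (untrusted), 'dmz' (public web/mail hosts), 'internal'.
A rule is (src_zone, dst_zone, dst_port, action); None is a port wildcard,
first match wins, and anything unmatched is dropped.
"""
from ipaddress import ip_address, ip_network

# Constructed sample addressing (not from the post).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

# Protected-DMZ layout: inbound from the internet terminates only on DMZ
# hosts, and a DMZ host may open just one narrowly defined connection into
# the internal network (SMTP relay to the inside mail server). A compromised
# public server therefore cannot roam the internal network.
DMZ_POLICY = [
    ("internet", "dmz", 80, "accept"),
    ("internet", "dmz", 25, "accept"),
    ("internal", "dmz", None, "accept"),
    ("dmz", "internal", 25, "accept"),
    ("internal", "internet", None, "accept"),
]

# Servers-inside layout: the same inbound holes now terminate on hosts that
# share a segment with the rest of the internal network.
INSIDE_POLICY = [
    ("internet", "internal", 80, "accept"),
    ("internet", "internal", 25, "accept"),
    ("internal", "internet", None, "accept"),
]

def decide(policy, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'accept', 'drop', or 'not_inspected' when both ends sit in
    the same zone (the firewall never sees that traffic at all)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "not_inspected"
    for rule_src, rule_dst, port, action in policy:
        if rule_src == src and rule_dst == dst and port in (None, dst_port):
            return action
    return "drop"
```

With the DMZ layout, a compromised web host trying to reach an internal file server is dropped at the firewall; with the servers-inside layout the same lateral move is never inspected, which is the post's point about the firewall becoming useless for containing the compromise.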


