Firewall Wizards mailing list archives

Re: DMZ best practices


From: Bennett Todd <bet () mordor net>
Date: Tue, 19 Jan 1999 18:04:51 +0000

1999-01-14-20:54:37 Perry, David:
Some firewall implementations allow for an additional interface to be
used as a DMZ.  Does implementing a DMZ from additional firewall
interfaces constitute a best practice?  

Your use of the phrase "best practice" makes it sound like you are looking for
the kind of accepted practices that rule other disciplines like e.g.
accounting. I'm sure once computer security has been around for a few
millennia, like accounting has, there will be useful guidelines for GASP
(Generally Accepted Security Practices:-).

But for the time being, with the problem set and the solution set both
mutating out of recognizability on a timescale of months or weeks, the best
you can hope for is an informed analysis of each individual case.

Regarding the specific question asked, the answer will depend on details not
yet specified. So far I've been able to build my DMZ servers on nice secure
OSes --- OSes for which it's very easy to strip or filter all unwanted
higher-level services and audit to confirm that it's doing what you told it,
and for which there are active developer communities maintaining the low-level
IP code and so keeping up to date with the steady rain of new low-level
attacks. Thus my DMZ hosts are no weaker than the firewall bastion host
itself, and so I put the DMZ outside of the bastion --- accessible to the
internet directly through the external screening router, which just imposes
anti-IPaddr-spoofing rules and port screening.

If on the other hand you had some mandate to place a public server on some
poor OS that can't defend itself, then rigging it off a separate interface
from your bastion host firewall may well be a good idea.

-Bennett
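The screening-router policy Bennett describes above (anti-IP-address-spoofing rules plus port screening in front of a DMZ that sits outside the bastion), modelled as an added example that is not part of the original post; the topology, addresses and service table are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (RFC 5737 documentation addresses, not from the post).
DMZ_NET = ipaddress.ip_network("198.51.100.0/24")     # DMZ, outside the bastion
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # behind the bastion; never reached via this router
LOCAL_NETS = (DMZ_NET, INTERNAL_NET)

# Port screening table: the only TCP services the Internet may reach on each DMZ host.
DMZ_SERVICES = {
    ipaddress.ip_address("198.51.100.10"): {80, 443},  # web server
    ipaddress.ip_address("198.51.100.25"): {25},       # mail relay
}


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on: "ext" (Internet) or "dmz"
    src: str
    dst: str
    proto: str     # "tcp", "udp", "icmp"
    dport: int = 0


def screen(pkt: Packet) -> tuple[str, str]:
    """Return ("permit"|"deny", reason) for a packet crossing the screening router."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)

    # Anti-spoofing, both directions: the source must be plausible for the ingress interface.
    if pkt.ingress == "ext" and any(src in net for net in LOCAL_NETS):
        return "deny", "local source address arriving from the Internet"
    if pkt.ingress == "dmz" and src not in DMZ_NET:
        return "deny", "non-DMZ source leaving the DMZ"

    # Outbound from the DMZ: replies and outgoing connections are not screened further here.
    if pkt.ingress == "dmz":
        return "permit", "DMZ host to Internet"

    # Inbound from the Internet: only the advertised TCP services on listed DMZ hosts.
    if dst not in DMZ_NET:
        return "deny", "destination is not a DMZ address"
    if pkt.proto == "tcp" and pkt.dport in DMZ_SERVICES.get(dst, set()):
        return "permit", f"tcp/{pkt.dport} to published DMZ service"
    return "deny", "port not published for this DMZ host"
```

The router stays stateless, as in the post; anything not on the service table, and anything addressed to the network behind the bastion, is dropped before the bastion ever sees it.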


