Firewall Wizards mailing list archives

RE: DMZ best practices


From: "Andreas Haug" <ajh () this net>
Date: Wed, 20 Jan 1999 07:45:13 +0100


Someone, Bill_Royds () pch gc ca or John Kozubik (I'm not sure) wrote:

> The segment behind a third NIC that carries servers that one runs but may
> not trust (because they are open to public) could be called the
> dirty segment, or server segment. Vendors call it the DMZ because early
> firewalls with only 2 NICs put servers on the true DMZ.

I strongly protest against calling firewalls (ALFs) with only two NICs
"early firewalls". You can get away with calling non-multistaged firewalls
"early firewalls", but we would need to define the term "multistaged firewall"
first.

Relating to the whole 2-or-3-nics question, I would like to ask this group
of wizards for comments on the following:

Acronyms:

        IN      Internet
        Ex      Firewall Entity x
        CN      Corporate Network (protection needed)
        WS      Webserver
        X       some other "firewall" or not
        (other servers omitted)

Setup A:

      IN <----> E1 <----> E2 <-----> X <---> CN
                          !
                          WS


        The Web server is located on a "dirty" network


Setup B:

      IN <----> E1 <-+--> E2 <-----> X <---> CN
                     !
                     WS

        The Web server is located in the first DMZ

Consider this:

(1) I am trying to make the WS resist attacks below layer 7 (land,
boink, teardrop, ...)
(1b) If (1) does not hold, there is a chance that the "new" attack works
against E2, too.
(2) E2 is not able to prevent every attack at layer 7 and above
(3) E2 is put at risk by the traffic flowing through it (buffer overflow in
proxy)

One does need a segment that allows servers to be protected from direct
attacks but would also be restricted in access to internal use.

How about: Compare the risk of losing the web server to the risk of having
a firewall broken?

Regards,

andreas.
--
Work: http://www.helupie.de  haug () helupie de  phone +49 6081 9162-60 fax -80
Home: http://www.this.net    me () this net      phone +49 7127 9724-54 fax -54
Note: Views expressed above might not reflect those of the people who pay me
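
The trade-off the message above asks about can be made concrete by modelling the two diagrams. The following is an added example, not code from the original post or from the list: it encodes Setup A and Setup B as sets of shared segments (using the post's acronyms IN, E1, E2, X, WS, CN), then computes for each setup which firewall entities carry WS-bound traffic from the Internet (and so are exposed to a layer-7 bug such as the proxy buffer overflow in point 3), which firewall entities a compromised WS shares a segment with (and so can hit below layer 7, as in points 1 and 1b), and which firewalls remain between a lost WS and CN. The segment layout is read from the ASCII diagrams; the exposure rules themselves are an assumption of this example.

```python
"""Exposure comparison of Setup A and Setup B (added example, not from the
original post).  Hosts are grouped into segments; two hosts on the same
segment can reach each other directly, i.e. below layer 7.  A firewall
entity that lies on the path of WS-bound traffic is treated as exposed to
layer-7 bugs in whatever proxies that traffic (assumption of this model)."""

from collections import deque

# Setup A: WS hangs off a third NIC of E2 ("dirty" segment).
SETUP_A = {
    "outside": {"IN", "E1"},
    "dmz1":    {"E1", "E2"},
    "dirty":   {"E2", "WS"},
    "inner":   {"E2", "X"},
    "corp":    {"X", "CN"},
}

# Setup B: WS sits on the first DMZ, sharing the wire with E1 and E2.
SETUP_B = {
    "outside": {"IN", "E1"},
    "dmz1":    {"E1", "E2", "WS"},
    "inner":   {"E2", "X"},
    "corp":    {"X", "CN"},
}

# Entities the post treats as "firewall" boxes (X may or may not be one;
# it is counted here so the remaining-defences figure includes it).
FIREWALLS = {"E1", "E2", "X"}


def segment_neighbours(topology, host):
    """Hosts that share at least one segment with `host`."""
    out = set()
    for hosts in topology.values():
        if host in hosts:
            out |= hosts
    out.discard(host)
    return out


def path(topology, src, dst):
    """Shortest hop-by-hop path from src to dst (breadth-first search),
    or None when dst is unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in segment_neighbours(topology, cur):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None
    hops = []
    while dst is not None:
        hops.append(dst)
        dst = prev[dst]
    return list(reversed(hops))


def exposure(topology):
    """Return (layer7_exposed, below_layer7_exposed):
    firewalls on the IN -> WS path, and firewalls directly on WS's segment."""
    layer7 = {h for h in path(topology, "IN", "WS") if h in FIREWALLS}
    below7 = segment_neighbours(topology, "WS") & FIREWALLS
    return layer7, below7


def remaining_firewalls(topology):
    """Firewalls still between a compromised WS and CN, in path order."""
    return [h for h in path(topology, "WS", "CN") if h in FIREWALLS]


if __name__ == "__main__":
    for name, topo in (("Setup A", SETUP_A), ("Setup B", SETUP_B)):
        l7, sub = exposure(topo)
        print(f"{name}: layer-7 exposed {sorted(l7)}, "
              f"below-layer-7 exposed {sorted(sub)}, "
              f"left after losing WS {remaining_firewalls(topo)}")
```

Run as a script, the output shows the asymmetry the post is weighing: in Setup A both E1 and E2 proxy WS traffic, so a proxy bug can take E2 down, while only E2 sits on the WS segment; in Setup B only E1 proxies WS traffic, but a compromised WS then shares a wire with both E1 and E2. In both setups the same two entities (E2 and X) remain between a lost WS and CN, which is why the choice reduces to the author's closing question of which loss is cheaper.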


