Security Basics mailing list archives

Re: DMZ Design and Functionality


From: Schneider Sebastian <ses () straightliners de>
Date: Thu, 21 Aug 2003 01:46:25 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all folks ;-)

I guess I didn't get your setup quite right. Actually a DMZ is placed between 
the Internet and your local network. So I assume you're all talking about 
screened subnets. There are different designs depending on the traffic volume 
you currently observe or that will occur respectively.

In general, if you're quite familiar with RedHat you should stick to that one 
for your two new hosts. Second, when running a firewall you should know which 
one you're about to implement, since there are several types: packet filters, 
stateful firewalls and proxy firewalls. Packet filtering/stateful firewalls 
can be implemented using the open source iptables/netfilter ( 
http://iptables.org/ ). Proxy firewalls can be implemented transparently to 
the user and provide the advantage of inspecting the payload of packets sent 
through/to your network. In the latter case, you have to check your Security 
Policy and regional/national laws regarding data protection/privacy.

It's kind of hard to measure the hardware requirements, since they depend on 
different criteria such as inbound/outbound traffic, mails processed, broadcasts, 
and the anti-virus / firewalling software running. You should also take the 
expected future increase into account when planning the requirements.

Placing a spam filter like SpamAssassin and a virus mail filter on the same 
machine usually is no problem, depending on the machine running these.
A client of ours experiences about 7,000 mails inbound a day AV/UCE-filtered by 
one host based on a P4 1.8 GHz processor (IBM xSeries 330). Even at peaks, 
there is no noticeable delay processing the messages.

Why is it that you're going to place the hardware firewall second tier? Commonly 
they are tuned to process large amounts of traffic and apply the rule set 
configured. You might use it to unburden your main firewall.
Are there any other hosts which have to be made available to the public? Do 
they experience high traffic?

There are three ways to design your network. The first is applying one 
firewall behind every Internet/WAN connection. One NIC is handling traffic 
from/to the remote network, one NIC to your screened network and a third to 
your local network.
The second is inlining firewalls, one behind another. That is placing one 
firewall behind your Internet/WAN connection, then your public servers, a 
second firewall and finally your local network. This setup has the 
advantage of applying different access control restrictions to different 
security zones/subnets - the closer the subnet to the Internet the lower the 
security level. Setups like that are not as odd as they sound, but they are 
hard to troubleshoot, however.
The third design is placing two firewalls equidistant from the Internet: 
one application gateway to your public services and one firewall to your 
corporate network.
Those considerations depend on your current design, business needs and 
services you want to offer as well as your Security Policy.
 
I guess you prefer the first one, maintaining a local network and a screened 
subnet. Usually screened subnets don't really slow down the overall 
performance. You should place your mail filter (AV/UCE) into the screened 
subnet working as a mail relay (also known as a front-end mailer). Inbound 
messages will get forwarded to your internal mail server and outbound to your 
mail filter in the screened subnet. Dropped messages - recognized as spam or 
virus-containing - should be stored in a "special" account, since some users 
might complain about missing mails.

VPNs are kind of hard to choose, since there are several solutions. If you 
prefer IPSec based VPN connections, please note that not all protocol options 
are capable of traversing NAT gateways. IPSec with ESP in tunnel mode should work 
out as well as AH in transport mode.
There are different points to keep track of. Are there a lot of teleworkers / 
mobile users / business partners? Which key configuration are you up to? Is 
the device decrypting the enciphered traffic placed behind or before your 
firewall? What is stated in your SecPol?
Pre-shared keys are easy to maintain, since everyone is using the same, but 
it's like giving them all a password. Using certificates is easy in 
administration, since digital certificates are assigned separately on a 
connection-by-connection basis. But they are a bit more complicated to set up, since 
a PKI is commonly used in those environments.

More about IPSec can be found at http://www.freeswan.org/ , 
http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html , 
http://www.freeswan.ca/docs/freeswan-1.5/doc/links.ipsec.html#opensource .

As Chris pointed out, the border firewall as well as the VPN endpoint can be 
implemented using a small hardware appliance like a Cisco device. This 
depends as well on whether you're providing RAS services. Building up VPNs with Cisco 
is pretty cool and (almost) kind of easy.

You should also make up your mind whether IDS sensors are going to be placed on 
your network. That also has an impact on how to design what.

If you have further questions, feel free to e-mail or give me a buzz.

- -- 
straightLiners IT Consulting & Services
Sebastian Schneider
Metzer Str. 12
13595 Berlin
Germany

Phone: +49-30-3510-6168
Fax: +49-30-3510-6169


This E-Mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this E-Mail
in error please notify the sender immediately and destroy this E-Mail.
Any unauthorized copying, disclosure or distribution of the material
in this E-Mail is strictly forbidden.




On Tuesday 19 August 2003 09:21, Meidinger Chris wrote:
Hi Dana,

I agree with David that it's a pretty advanced approach, but assuming you
have no time pressure, it's a sound infrastructure. Just be sure you don't
promise anyone when it will be in production.

One thing I would change in your place is that I would put both the firewall and
the proxy/mail on the same operating system. It will be enough
administration if you have two new *nix boxes (assuming your background is
not unix) without you having to keep up on patches/updates/administration
for two operating systems.

How you size the firewall machine depends on the width of your internet
connection. What kind of a connection do you have? Now, if your firewall is
going to be fairly simple, you might even want to look into an inexpensive
hardware firewall. Assuming it would cost you say $2,500 (maybe a low
estimate) for a BSD machine that you would have to administer constantly,
you could already get a (smallish) hardware firewall for that money.

Sizing the proxy/mail machine will also depend on your web/mail traffic. We
have no idea how big your site is/what connection you have/how much mail
traffic you have.

If you want to do a serious VPN solution, then a hardware firewall instead
of the BSD machine makes even more sense. If you can get your company to
spring for it, get a CheckPoint FireWall-1 on Nokia with VPN-1. These
things can all be done in software on a self-installed OS, but if you are
alone setting everything up, a hardware solution will be to your advantage
in terms of time and manageability.

I hope I answered all your questions. If I was wrong on any point, then
list, please let me know.

badenIT GmbH
System Support

Chris Meidinger
Tullastrasse 70
79108 Freiburg


-----Original Message-----
From: Dana Rawson [mailto:absolutezero273c () nzoomail com]
Sent: Monday, August 18, 2003 9:53 PM
To: security-basics () securityfocus com
Subject: DMZ Design and Functionality
Forgive me if these questions are too basic but I am relatively new to
this.  I am the network administrator at my company and over the past year
have become aware of a need for increased security.  I have been reading
posts here in hopes of learning more about this.  While I have learned
considerable amounts, and have searched for answers elsewhere, I am still
in need of guidance.  Any help or direction would be greatly appreciated.
I am open to reading any books that one might recommend.  I have seen a
few books out there but not sure which are worthwhile.

Anyway, my background information is this:
I wanted to install a DMZ at 2 of my company's locations.  I do have a
limited budget so I was planning on using OpenBSD for my first tier
firewall.  I do have a hardware based firewall in place currently which I
was planning on using as my second tier firewall.
My initial plan is to build a machine using OpenBSD that does nothing but
firewall.  Additionally, I wanted to add another machine to run
Sendmail/SpamAssassin and an anti-virus software.  On this I was hoping
to run Redhat as this is what I am most knowledgeable on.  My thought
behind this was to block spam, of course, and also run a gateway anti-virus
solution that would block viruses coming from websites and
employees' personal e-mail accounts.  This is due to the fact that I have
seen a number of viruses coming in from either their 'webmail' or through
their Outlook Express. I wish to set up an ftp server and webserver to
facilitate OWA.  Additionally I would like to make available VPNs and
encrypt all data transmitted over remote connections.  Remote connections
may consist of a MS RAS and Citrix.

With this information my questions are:

1. To begin, does this sound like an acceptable solution?
2. How do I size the machine that I am going to run OpenBSD on?  I have read
that a DMZ will slow performance down some.  If I have a fast enough
machine will it aid performance?  At what point is it overkill when running
OpenBSD?
3. How do I size the machine that will be running Redhat, Sendmail and
SpamAssassin?  Is this configuration acceptable?  Should the Anti-virus
software be running on a separate machine?
4. What open source options do I have for encryption and VPNs?
5. Are there any potential problems running this configuration?  Does
everything mentioned here play nice together?  Would you change anything
here and if so why?

Many thanks in advance.

Dana



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/RAhSQ7mOWZBxbPcRAgO3AKCqoT6LWpK+CF+Kfo35inS7sp4M6ACglEYG
6eQ353TtUWlaMjwUtIf3Rb4=
=oUjQ
-----END PGP SIGNATURE-----
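The first design Sebastian describes above (one firewall with three NICs: one to the Internet/WAN, one to the screened subnet holding the mail relay and web host, one to the local network) written out as an iptables/netfilter rule set. This is an added example, not code from the thread or from the netfilter project; the interface names, the addresses (RFC 5737 / RFC 1918 ranges, constructed for the example) and the four hosts are assumptions. The policy encodes the screened-subnet idea: the Internet may only reach the published services, the DMZ may only reach the internal mail server over SMTP from the relay, and workstations cannot send SMTP directly to the Internet, so all mail is forced through the AV/UCE relay.

```shell
#!/bin/sh
# Three-zone screened-subnet firewall with iptables/netfilter.
# Added example; interface names, addresses and hosts are assumptions.
set -e

IPT="${IPT:-iptables}"      # set IPT=echo (or call dry_run) to print instead of install

WAN=eth0                    # Internet/WAN link
DMZ=eth1                    # screened subnet
LAN=eth2                    # local network

DMZ_NET=192.0.2.0/24        # constructed (RFC 5737 documentation range)
LAN_NET=10.0.0.0/24         # constructed (RFC 1918)
MAIL_RELAY=192.0.2.25       # Sendmail/SpamAssassin/AV front-end mailer in the DMZ
WEB=192.0.2.80              # web/FTP host (OWA front end) in the DMZ
INT_MAIL=10.0.0.25          # internal mail server on the LAN

apply_rules() {
    # Default deny for traffic to and through the firewall.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD

    # The firewall host itself: loopback, replies, and SSH from the LAN only.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Stateful: reply traffic for anything permitted below.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: DMZ and LAN source addresses must never arrive on the WAN side.
    $IPT -A FORWARD -i "$WAN" -s "$DMZ_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # Internet -> DMZ: only the published services.
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$MAIL_RELAY" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # DMZ -> LAN: only the relay, only to the internal mail server, only SMTP.
    # A compromised DMZ host gets no other path inward.
    $IPT -A FORWARD -i "$DMZ" -o "$LAN" -s "$MAIL_RELAY" -d "$INT_MAIL" -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # LAN -> DMZ: the internal mail server hands outbound mail to the relay; browsers reach the web host.
    $IPT -A FORWARD -i "$LAN" -o "$DMZ" -s "$INT_MAIL" -d "$MAIL_RELAY" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$DMZ" -d "$WEB" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # DMZ -> Internet: the relay needs outbound SMTP and DNS; nothing else leaves the DMZ.
    $IPT -A FORWARD -i "$DMZ" -o "$WAN" -s "$MAIL_RELAY" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ" -o "$WAN" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$DMZ" -o "$WAN" -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # LAN -> Internet: web and DNS only. Direct outbound SMTP from workstations is
    # deliberately absent, so a worm with its own SMTP engine cannot bypass the relay.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p udp --dport 53 -j ACCEPT

    # Log (rate-limited) what falls through before the DROP policy catches it.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
}

# Print the rule set instead of installing it (no root needed).
dry_run() {
    ( IPT=echo; apply_rules )
}
```

Run `dry_run` first and read the output; then run `apply_rules` as root. The rules are written as statements of which zone may initiate to which, so adding a published service (for example the FTP/OWA host) means one more Internet -> DMZ line, not a change to the LAN side. Note there is no NAT here; if the LAN uses private addresses, a `POSTROUTING` MASQUERADE/SNAT rule on `$WAN` is still needed.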

