Security Basics mailing list archives
Re: Question about dmz security
From: abretten () kroger com
Date: Fri, 14 Feb 2003 19:00:12 -0500
Jennifer, you are exactly right to be concerned. When someone uses a dual homed host to bridge a firewall, they are creating a huge potential security hole....the first time a hacker exploits the ftp server, they have free access to your entire internal network through that internal NIC on the ftp server. What people would consider the "best" or to put it a better way, the "industry" standard way......you would have one NIC on the ftp server, and place it on the DMZ. If you are a small company and all you have is a firewall with two NICs and a router connected to the Internet, I would recommend placing some ACL's on the Internet router to protect the ftp server from common attacks (for example deny all the obvious ports like telnet and echo and chargen). The next step is to lock down the ftp server..........if all its doing is ftp.......turn off all those "helpful" services that most OS's turn on by default...... If you have a little more resources a good design is build a firewall with three NIC's........the outside is the DMZ, the inside is the inside, and the 3rd NIC is referred to as a protected service network/screened subnet. If you have more resources then you can follow a suspender and belts design.........two firewalls one front of the other....the DMZ is at the top, then a firewall, then the service network, the second firewall and then your internal network. Hope this helps a little bit. I've barely scratched the surface of all the things you can do to build a secure infrastructure. if you haven't had chance to attend a class, every basic network security course I've seen would cover what I've discussed. Andy Bretten "Jennifer Fountain" To: <security-basics () securityfocus com> <JFountain@rbinc. cc: com> Subject: Question about dmz security 02/14/2003 02:42 PM I need an opinion on a current design implementation in place. We have an ftp server sitting in our dmz. This box has two nics - one is plugged into the dmz hub and one is plugged into our network. I think this is a security risk and we should just allow internal users access to the box via the firewall by opening the port instead of having dual nics. they do not see a security risk. maybe i am just too new at this and need some education. what is the "best" way to implement this configuration? Thank you Jenn Fountain
Current thread:
- RE: Question about dmz security, (continued)
- RE: Question about dmz security Michael Cunningham (Feb 17)
- RE: Question about dmz security Burton M. Strauss III (Feb 17)
- Re: Question about dmz security Chuck Swiger (Feb 17)
- Re: Question about dmz security mlh (Feb 18)
- Re: Question about dmz security Chuck Swiger (Feb 19)
- Re: Question about dmz security mlh (Feb 18)
- RE: Question about dmz security David Gillett (Feb 19)
- Re: Question about dmz security Chris Berry (Feb 17)
- Question about dmz security John Tolmachoff (Feb 17)
- RE: Question about dmz security Daniel R. Miessler (Feb 18)
- RE: Question about dmz security Jeremy Gaddis (Feb 20)
- RE: Question about dmz security Daniel R. Miessler (Feb 18)
- Re: Question about dmz security abretten (Feb 17)
- RE: Question about dmz security Garbrecht, Frederick (Feb 17)
- RE: Question about dmz security Marc Suttle (Feb 17)