Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Firewall and DMZ topology

From: "Daniel B. Cid" <danielcid () yahoo com br>
Date: 10 Jun 2003 14:52:57 -0400
You are missing the point. Tha basic idea is that the firewall will
only allow conections from the LAN to the DMZ port 25 (keep state),
not the reverse and not other connections. So the LAN will be isolated
from the DMZ ... If someone crack the DMZ will be unable to see or to
interact with the LAN. The attacker will only be able to see the email
messages (PGP is for that), nothing more..

[]`s

Daniel B. Cid


On Tue, 2003-06-10 at 13:58, Erik Vincent wrote:
Lets put it in ASCII.

  Internet <-> Firewall <-> LAN
                                    <->  DMZ  (MAIL server)

If the MAIL server is in the DMZ. You still will have the same problem.

If the MAIL server is crack,  since your LAN user need access to your 
MAIL server in the DMZ,
password will still be sniffed. The only thing good i can see with this 
configuration, is the traffic between the LAN
and the internet wont be sniffed (If you have configured a proxy server 
in the LAN portion of the network).

Or I'am missing something... 8-)

ed wrote:


This won't be safe for the following reason.

Say that we go for the two NIC approach. If the mail server is
compomised (but not the firewall, an attack that makes use of a port
that will be forwarded to the mail server) then the attacker will be
able to sniff all the traffic on the internal side of the firewall, he
will thus be able to get hold of information, passwords etc. etc. from
the TCP/IP streams of the computers that are supposed to be shielded
from the internet -and- from the DMZ.

If we use three NICs then this can't happen unless the firewall is
compromised. Its far less likely that the firewall will compromised if
properly configured than a machine in the DMZ will be compromised.

On Mon, 2003-06-09 at 23:53, Mann, Bobby wrote:
 


You can deploy a safe networking environment using a firewall with only two
nics. 

Just use port address translation (PAT) to forward any request on port 25 to
your mail server, which is on the internal network.  

Is this secure?  Sure, if you lock down your access-lists correctly, harden
your OS, mail server and clients.

You should ask yourself why you need a firewall with a DMZ port.  It would
be nice to seperate public services vs. private but not necessary if money
is a big issue and sounds like it is.

Btw...  If you really insist on having a DMZ and can't buy a firewall, then
see if you can put 2 ip addresses on the same Internal NIC.  Create two
seperate networks on the same LAN (trunking would be better).  This way all
clients must still pass through your firewall to hit the mail server.

Bob.

-----Original Message-----
From: Des Ward
To: 'William J. Burgos'
Cc: security-basics () securityfocus com
Sent: 6/9/03 10:46 AM
Subject: RE: Firewall and DMZ topology

Basically, you're going to have to get a machine with three NICs.  The
purpose of a DMZ is to segment machines from your internal network
whilst
still providing protection for them.

Any other solution will just not give you the right balance of security.

Sorry

-----Original Message-----
From: William J. Burgos [mailto:wjburgos () white-bear-productions com] 
Sent: 07 June 2003 15:06
To: security-basics () securityfocus com
Subject: Firewall and DMZ topology

Greetings list,

I would like to set up a SOHO network with a firewall and DMZ for mostly
web serving and email. Of course, there are private PCs on the internal
network, Windows and Linux.

My connection is a dynamic IP on a pppoe and I already have an old
laptop used as a simple firewall setup. 

I am considering separating my web and email server to a dedicated
machine and placing it in a DMZ.

In searching on the web, I came up with a few topologies and I would
like to ask the list of their opinion.

I have sketched out a few scenarios below:

1. | Internet |-->| Firewall |-->| DMZ |-->| internal network |

This scenario (1) puts the DMZ between the firewall and internal
network. I have read that this is insecure as if the DMZ is compromised,
so will be the internal network. Is this true?

2. | Internet |-->| Firewall |--->| internal network |
                 |          |--->| DMZ |

This scenario (2) uses three NIC's for the firewall. One for the
internal network, one for the DMZ and one for the Internet. I have read
that this is a Three-legged firewall setup. The drawback is that I would
need three NIC's for the firewall which is now a laptop with only two.

3. | Internet |-->| DMZ with Firewall |-->| internal network |

This scenario (3) places the DMZ with the firewall on one box and then
to the internal network. My concern is if I can secure the DMZ from the
firewall on one box. Is there a way to secure this setup?

4. | Internet |-->| DMZ |-->| Firewall |-->| internal network |

This scenario (4) places the DMZ before the Firewall which leaves it
open to the Internet. Is there a way to secure this setup? 

I am trying to avoid having to get another box with three NIC's for
Scenario 2, if possible. However, I would feel safer in a less easy to
break in setup.

Any comments or suggestions would be appreciated.

Thanks in advance.

William Burgos


------------------------------------------------------------------------
---
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
    
Find out why, and see how you can get plug-n-play secure remote access
in
about an hour, with no client, server changes, or ongoing maintenance.
         
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
------------------------------------------------------------------------
----


------------------------------------------------------------------------
---
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
    
Find out why, and see how you can get plug-n-play secure remote access
in
about an hour, with no client, server changes, or ongoing maintenance.
         
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
------------------------------------------------------------------------
----

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
    
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
         
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
   





---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------





---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: