Security Basics mailing list archives

Re: Basic Network Configuration


From: "'Ansgar -59cobalt- Wiechers'" <bugtraq () planetcobalt net>
Date: Thu, 16 Oct 2003 21:40:23 +0200

On 2003-10-16 David Gillett wrote:
> On October 16, 2003 03:25 Ansgar -59cobalt- Wiechers wrote:
>> On 2003-10-15 David Gillett wrote:
>>> One implements a DMZ in order to impose three sets of
>>> firewall rules:
>>>   - between the internet and the DMZ subnet
>>>   - between the internet and the trusted subnet
>>>   - between the DMZ subnet and the trusted subnet

>> IMHO the second rule is void, since no traffic should bypass the DMZ.

> a)  WHY???  So a compromised DMZ host can sniff it?

Because you don't want any traffic to go directly from the hostile world
to your LAN and vice versa. That's why you have proxies in the DMZ.

> b)  Voiding the second rule means totally trusting all traffic
> that originates from your internal network.  In 1993, you could
> usually get away with that.  In 2003, you CAN'T.  You MUST
> filter that traffic; whether you do it in one place or two, you
> still have that second rule.

I don't get your point. There shouldn't be any unfiltered traffic
between your LAN and the Internet. You put proxies into the DMZ and
block any direct traffic between LAN and internet. But again: I may be
missing something here.

>>> If, instead, you use two boxes, your traffic between the internet
>>> and the trusted subnet incurs an extra router hop in each
>>> direction.  Not a big deal, but performance purists tend to
>>> complain about firewall overheads already. Two firewalls will not
>>> necessarily cost more than one, if you can get away with SOHO
>>> models that only have two interfaces instead of industrial-
>>> strength boxes which typically support three or more.

>> I have to disagree on this. Two firewalls *will* cost more than one
>> because you will have to maintain (configuration, patches, ...) two
>> different systems. There is no point in implementing the same
>> firewall twice (with different rulesets) because in that case both
>> systems will most likely be vulnerable to the same exploits.

> You're not disagreeing AT ALL, unless you consider deployment of
> cheap SOHO firewall appliances acceptable for a site that hosts
> services in a DMZ.  You don't, do you?

Out Of Caffeine Error.

My bad. I overlooked the SOHO point and objected just to the "will not
necessarily cost more". Of course you are right that a cheap appliance
won't be acceptable in almost any case.

>>> But if you use two boxes, then your rules that govern traffic
>>> between the internet and the trusted subnet may appear on either
>>> box -- are, in fact, the intersection of rules found on both
>>> boxes.

>> I don't see many reasons why traffic should bypass the DMZ -
>> provided you are already going to the trouble of implementing a
>> 2-device setup. OTOH I may be missing something here.

> Read twice, answer once. In the two-box case, internal<->internet
> traffic DOESN'T bypass the DMZ. I consider that a problem, you don't.

Correct. IMHO the traffic should go through proxies in the DMZ
regardless of the type of setup you have.

> But my point here is that in the two-box case, that traffic has to
> cross both boxes -- and gets filtered by rules on BOTH boxes. This
> isn't just inefficient, it's also hard to manage.

I fully agree on the point that it is hard (or at least harder) to
manage. That's why in some cases it might be useful to give up on the
extra security a second (different) firewall adds to the network and
have a three-way setup with only one firewall.

Regards
Ansgar Wiechers
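
The single-firewall, three-interface setup the thread ends on, written out as an nftables ruleset (an added example, not code from either poster). Interface names, the DMZ addresses and the proxy port 3128 are assumptions for the example; the point it shows is that the "second rule" between the internet and the trusted subnet is not absent but an explicit, logged deny, and that the LAN reaches the outside only via the DMZ proxy.

```nftables
# Assumed layout: eth0 = internet, eth1 = DMZ subnet, eth2 = trusted (LAN)
# Assumed DMZ hosts: 192.0.2.10 = public web server,
#                    192.0.2.20 = outbound proxy listening on tcp/3128
table inet dmz_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections accepted below; broken state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Rule set 1: internet <-> DMZ.
        # Only the published service is reachable from outside, and only
        # the proxy may open outbound connections from the DMZ.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.20 tcp dport { 80, 443 } accept

        # Rule set 3: DMZ <-> trusted.
        # The LAN may talk to the proxy; the DMZ may not initiate anything
        # towards the LAN, so a compromised DMZ host has no direct path in.
        iifname "eth2" oifname "eth1" ip daddr 192.0.2.20 tcp dport 3128 accept
        iifname "eth1" oifname "eth2" log prefix "dmz-to-lan-blocked: " drop

        # Rule set 2: internet <-> trusted.
        # Nothing is accepted in either direction. The explicit log rules
        # make any attempt visible instead of silently hitting the policy.
        iifname "eth0" oifname "eth2" log prefix "inet-to-lan-blocked: " drop
        iifname "eth2" oifname "eth0" log prefix "lan-to-inet-blocked: " drop
    }
}
```

With this loaded, a LAN host that tries to reach the internet directly shows up in the kernel log under the "lan-to-inet-blocked" prefix, which is a quick check that clients really are going through the proxy.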
