Security Basics mailing list archives
Re: Basic Network Configuration
From: "'Ansgar -59cobalt- Wiechers'" <bugtraq () planetcobalt net>
Date: Thu, 16 Oct 2003 21:40:23 +0200
On 2003-10-16 David Gillett wrote:
On October 16, 2003 03:25 Ansgar -59cobalt- Wiechers wrote:On 2003-10-15 David Gillett wrote:One implements a DMZ in order to impose three sets of firewall rules: - between the internet and the DMZ subnet - between the internet and the trusted subnet - between the DMZ subnet and the trusted subnetIMHO the second rule is void, since no traffic should bypass the DMZ.a) WHY??? So a compromised DMZ host can sniff it?
Because you don't want any traffic to go directly from the hostile world to your LAN and vice versa. That's why you have proxies in the DMZ.
b) Voiding the second rule means totally trusting all traffic that originates from your internal network. In 1993, you could usually get away with that. In 2003, you CAN'T. You MUST filter that traffic; whether you do it in one place or two, you still have that second rule.
I don't get your point. There shouldn't be any unfiltered traffic between your LAN and the Internet. You put proxies into the DMZ and block any direct traffic between LAN and internet. But again: I may be missing something here.
If, instead, you use two boxes, your traffic between the internet and the trusted subnet incurs an extra router hop in each direction. Not a big deal, but performance purists tend to complain about firewall overheads already. Two firewalls will not necessarily cost more than one, if you can get away with SOHO models that only have two interfaces instead of industrial- strength boxes which typically support three or more.I have to disagree on this. Two firewalls *will* cost more than one because you will have to maintain (confguration, patches, ...) two different systems. There is no point in implementing the same firewall twice (with different rulesets) because in that case both systems will most likely be vulnerable to the same exploits.You're not disagreeing AT ALL, unless you consider deployment of cheap SOHO firewall appliances acceptable for a site that hosts services in a DMZ. You don't, do you?
Out Of Caffeine Error. My bad. I overlooked the SOHO point and objected just to the "will not necessarily cost more". Of course you are right that a cheap appliance won't be acceptable in almost any case.
But if you use two boxes, then your rules that govern traffic between the internet and the trusted subnet may appear on either box -- are, in fact, the intersection of rules found on both boxes.I don't see many reasons why traffic should bypass the DMZ - provided you are already going to the trouble of implementing a 2-device setup. OTOH I may be missing something here.Read twice, answer once. In the two-box case, internal<->internet traffic DOESN'T bypass the DMZ. I consider that a problem, you don't.
Correct. IMHO the traffic should go through proxies in the DMZ regardless of the type of setup you have.
But my point here is that in the two-box case, that traffic has to cross both boxes -- and gets filtered by rules on BOTH boxes. This isn't just inefficient, it's also hard to manage.
I fully agree on the point that it is hard (or at least harder) to manage. That's why in some cases it might be useful to give up on the extra security a second (different) firewall adds to the network and have a three-way setup with only one firewall. Regards Ansgar Wiechers --------------------------------------------------------------------------- FREE Whitepaper: Better Management for Network Security Looking for a better way to manage your IP security? Learn how Solsoft can help you: - Ensure robust IP security through policy-based management - Make firewall, VPN, and NAT rules interoperable across heterogeneous networks - Quickly respond to network events from a central console Download our FREE whitepaper at: http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015 ----------------------------------------------------------------------------
Current thread:
- Re: Basic Network Configuration, (continued)
- Re: Basic Network Configuration Anders Reed-Mohn (Oct 15)
- Re: Basic Network Configuration DRAx (Oct 15)
- Re: Basic Network Configuration Ansgar -59cobalt- Wiechers (Oct 15)
- Re: Basic Network Configuration Valter Santos (Oct 15)
- RE: Basic Network Configuration David Gillett (Oct 15)
- Re: Basic Network Configuration DRAx (Oct 16)
- RE: Basic Network Configuration David Gillett (Oct 16)
- Re: Basic Network Configuration DRAx (Oct 16)
- Re: Basic Network Configuration DRAx (Oct 16)
- Re: Basic Network Configuration Ansgar -59cobalt- Wiechers (Oct 16)
- RE: Basic Network Configuration David Gillett (Oct 16)
- Re: Basic Network Configuration 'Ansgar -59cobalt- Wiechers' (Oct 16)
- RE: Basic Network Configuration David Gillett (Oct 17)
- Re: Basic Network Configuration 'Ansgar -59cobalt- Wiechers' (Oct 17)
- Ports used by VTAM Naren - Pactech (Oct 17)
- RE: Basic Network Configuration David Fore (Oct 15)