Security Basics mailing list archives

RE: Basic Network Configuration


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 16 Oct 2003 16:37:28 -0700

-----Original Message-----
From: 'Ansgar -59cobalt- Wiechers' [mailto:bugtraq () planetcobalt net]
Sent: October 16, 2003 12:40
To: security-basics () securityfocus com
Subject: Re: Basic Network Configuration


On 2003-10-16 David Gillett wrote:
On October 16, 2003 03:25 Ansgar -59cobalt- Wiechers wrote:
On 2003-10-15 David Gillett wrote:
One implements a DMZ in order to impose three sets of
firewall rules:
  - between the internet and the DMZ subnet
  - between the internet and the trusted subnet
  - between the DMZ subnet and the trusted subnet

IMHO the second rule is void, since no traffic should 
bypass the DMZ.

a)  WHY???  So a compromised DMZ host can sniff it?

Because you don't want any traffic to go directly from the hostile world
to your LAN and vice versa. That's why you have proxies in the DMZ.

b)  Voiding the second rule means totally trusting all traffic
that originates from your internal network.  In 1993, you could
usually get away with that.  In 2003, you CAN'T.  You MUST
filter that traffic; whether you do it in one place or two, you
still have that second rule.

I don't get your point. There shouldn't be any unfiltered traffic
between your LAN and the Internet. You put proxies into the DMZ and
block any direct traffic between LAN and internet. But again: I may be
missing something here.

  IF everything your users need to be able to reach the Internet
with CAN be proxied, and management will pony up the cash for a
proxy server and software, then yes, the proxy server should go in 
the DMZ.  Not every organization can justify both the restriction 
and the expense.
  A proxy means that there is no direct traffic ONLY if there are 
rules on the firewalls that prohibit direct traffic.  (A "deny all" 
rule is still a rule.)  So for organizations that deploy a proxy
this way, the second ruleset is extremely simple -- but not void.

David Gillett
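The three rulesets David describes, written out as an added example (not code from the thread or from either poster): a small policy model in which each pair of zones gets its own first-match ruleset with an implicit default deny. The LAN/Internet ruleset is the one Ansgar calls void; here it is two explicit deny rules, which is exactly what makes "no direct traffic" true. Addresses are constructed from the RFC 5737 documentation ranges, 10.0.0.0/8 stands in for the trusted subnet, and the proxy, web server and proxy port 3128 are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses: 192.0.2.0/24 stands in for the DMZ subnet,
# 10.0.0.0/8 for the trusted LAN, anything else is "internet".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "lan": ip_network("10.0.0.0/8"),
}
PROXY = "192.0.2.10"   # hypothetical forward proxy living in the DMZ
WEB = "192.0.2.20"     # hypothetical public web server in the DMZ
PROXY_PORT = 3128      # assumed proxy listener port


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown space is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                      # "allow" or "deny"
    proto: str = "any"
    src_host: Optional[str] = None   # pin the rule to one source address
    dst_host: Optional[str] = None   # pin the rule to one destination address
    dports: frozenset = frozenset()  # empty means any destination port
    comment: str = ""

    def matches(self, src_zone, dst_zone, src, dst, proto, dport) -> bool:
        return (
            (self.src_zone, self.dst_zone) == (src_zone, dst_zone)
            and self.proto in ("any", proto)
            and self.src_host in (None, src)
            and self.dst_host in (None, dst)
            and (not self.dports or dport in self.dports)
        )


# One ruleset per pair of zones, as in the thread. Only connection
# initiation is modelled; replies are assumed to ride on connection tracking.
RULESETS = {
    # 1. Internet <-> DMZ: published services in, proxy egress out.
    frozenset({"internet", "dmz"}): [
        Rule("internet", "dmz", "allow", "tcp", dst_host=WEB,
             dports=frozenset({80, 443}), comment="public web service"),
        Rule("dmz", "internet", "allow", "tcp", src_host=PROXY,
             dports=frozenset({80, 443}), comment="proxy egress only"),
    ],
    # 2. Internet <-> LAN: extremely simple, but not void. Without these
    #    rules a LAN client could bypass the proxy entirely.
    frozenset({"internet", "lan"}): [
        Rule("lan", "internet", "deny", comment="clients must use the proxy"),
        Rule("internet", "lan", "deny", comment="nothing inbound to trusted"),
    ],
    # 3. DMZ <-> LAN: clients reach the proxy; a compromised DMZ host gets
    #    nothing inward.
    frozenset({"dmz", "lan"}): [
        Rule("lan", "dmz", "allow", "tcp", dst_host=PROXY,
             dports=frozenset({PROXY_PORT}), comment="clients to proxy"),
        Rule("dmz", "lan", "deny", comment="DMZ must not initiate into LAN"),
    ],
}


def evaluate(src: str, dst: str, proto: str, dport: int):
    """Return (action, explanation) for a new connection src -> dst."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "allow", f"intra-{sz} traffic never crosses the firewall"
    for rule in RULESETS[frozenset({sz, dz})]:
        if rule.matches(sz, dz, src, dst, proto, dport):
            return rule.action, f"{sz}->{dz}: {rule.comment}"
    return "deny", f"{sz}->{dz}: implicit default deny"


def empty_rulesets():
    """Zone pairs with no rules at all, i.e. rulesets that really are void."""
    pairs = [frozenset(p) for p in (("internet", "dmz"),
                                     ("internet", "lan"), ("dmz", "lan"))]
    return [sorted(p) for p in pairs if not RULESETS.get(p)]


if __name__ == "__main__":
    for flow in [("10.1.2.3", "203.0.113.5", "tcp", 443),   # LAN direct out
                 ("10.1.2.3", PROXY, "tcp", PROXY_PORT),     # LAN to proxy
                 (PROXY, "203.0.113.5", "tcp", 443),         # proxy out
                 ("203.0.113.5", WEB, "tcp", 80),            # public web
                 (WEB, "10.1.2.3", "tcp", 445)]:             # DMZ inward
        print(flow, "->", evaluate(*flow))
```

The point of `empty_rulesets()` is the audit a practitioner would run on a real firewall: a zone pair with no rules is only safe if the device's default policy is deny, and that default is itself the rule David is talking about.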


