Security Basics mailing list archives

Re: Proxy & Firewall Implementation


From: miguel.dilaj () pharma novartis com
Date: Fri, 14 Jan 2005 09:43:31 +0100

Hi John,

Other than the good answer from Florian, I'm going to make a few points:

a) public services have to be in a DMZ because they are the ones that can be 
hacked into from the outside, and you don't want the attacker to be 
already inside your LAN
b) some private services (for example a DB) can be inside a second DMZ
c) the main idea of a DMZ is that no connections can be established FROM 
it, only TO it. There is no reason for someone logged into a 
server to be establishing outgoing connections.
d) whatever firewall you decide to use, this box MUST NOT be accessible over 
the network (ok, some people will say that to ease administration you can 
still allow something like SSH, I tend to agree, but be very careful with 
its configuration and updates); any service you allow is another potential 
way of entry for an attacker, and you definitely don't want anyone 
compromising your firewall and tampering with its configuration
e) As you're quite new to the IT Sec field, I agree with Florian's 
suggestion on the firewalls book (or any other good book on that topic).
f) It can also be interesting for you to read some of the Linux HOWTO 
documents related to firewalls & DMZ, even if you are not going to 
implement a Linux firewall; at least they are free of charge at 
www.linuxdocs.org
g) Implementing DMZ(s) requires either a flexible firewall box with 
several NICs, or separate firewalls. From the point of view of making the 
infrastructure solid, I tend to agree with the multiple firewalls 
configuration
h) Last: remember that a firewall is not the final solution to all your IT 
Sec problems, not even close to that. It just restricts what services can 
be accessed and from where, but if a service (any service) is available, 
it can be a potential avenue of entry for an attacker

From the things you mention as needed, you can have a setup like:

Internet
     |
FW 1 (external)
     |
public services (you can put the proxy here)
     |
FW 2 (internal)
     |
LAN-----FW 3 (internal)-----private services

or any similar setup. If you have more than one department in your company you 
can also make separate sections of the LAN using firewalls if required 
(for example, protecting the R&D area from employees in the Finance area 
and the opposite, etc.).

That "blackhat" made a good suggestion. Your services won't be exposed, 
will be protected by the external firewall. AND your internal network will 
be protected from "someone" in your servers by the internal firewall. I 
think that his/her hat was not so black ;-)
Good luck!
Regards,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
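Added example (not part of Miguel's reply or of any product mentioned in the thread): an iptables ruleset for the single-box, multi-NIC layout from points a), c), d) and g) above. Interface names, the RFC 5737 / RFC 1918 addresses, the admin host and the service ports are assumptions made for the example, and the DMZ is assumed to be routed with public addresses, so no NAT rules appear. The script reads "no connections FROM the DMZ" as "no NEW connections from the DMZ": conntrack lets replies to inbound sessions flow back, and the two DMZ hosts that must originate traffic to do their job (the proxy fetching pages, the mail server delivering mail) get narrow, source-pinned exceptions instead of a blanket allow. A small check over the emitted rules refuses to apply a policy that accepts Internet-to-LAN traffic or any DMZ-originated connection not pinned to one source host.

```shell
#!/bin/sh
# Single firewall box with three NICs and three zones (points a, c, d, g).
# Interface names, address ranges and host addresses are assumptions for
# this example; DMZ hosts are assumed to have routable addresses (no NAT).
WAN=eth0                 # Internet
DMZ=eth1                 # public services
LAN=eth2                 # internal network
LAN_NET=192.168.10.0/24
ADMIN=192.168.10.5       # the only host allowed to SSH to the firewall (point d)
WEB=192.0.2.10           # httpd in the DMZ
MAIL=192.0.2.20          # mail server in the DMZ
PROXY=192.0.2.30         # web proxy in the DMZ, used by the LAN

# Print the iptables commands that implement the policy. Nothing is applied here.
fw_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Replies to already-accepted sessions flow back through conntrack.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# Point d: the firewall itself answers only SSH, only from the admin host.
iptables -A INPUT -i $LAN -s $ADMIN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Point a: the Internet may open connections only to published DMZ services.
iptables -A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $WAN -o $DMZ -d $MAIL -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# The LAN reaches the DMZ (proxy, mail), never the Internet directly.
iptables -A FORWARD -i $LAN -s $LAN_NET -o $DMZ -d $PROXY -p tcp --dport 3128 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN -s $LAN_NET -o $DMZ -d $MAIL -p tcp -m multiport --dports 25,143 -m conntrack --ctstate NEW -j ACCEPT
# Point c, with the two exceptions pinned to a single source host each.
iptables -A FORWARD -i $DMZ -s $PROXY -o $WAN -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $DMZ -s $MAIL -o $WAN -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# Anything else the DMZ tries to originate is logged (early sign of a
# compromised DMZ host) and dropped.
iptables -A FORWARD -i $DMZ -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ-ORIGINATED "
iptables -A FORWARD -i $DMZ -j DROP
# The Internet never reaches the LAN directly, whatever the policy above.
iptables -A FORWARD -i $WAN -o $LAN -j LOG --log-prefix "WAN-TO-LAN "
iptables -A FORWARD -i $WAN -o $LAN -j DROP
EOF
}

# Lint the emitted rules before they are applied: no ACCEPT from the Internet
# straight into the LAN, and every ACCEPT of traffic entering on the DMZ
# interface must name a specific source host (-s), never a blanket allow.
check_policy() {
    rules="$(fw_rules | grep '^iptables')"
    if printf '%s\n' "$rules" | grep -- "-i $WAN -o $LAN" | grep -q ACCEPT; then
        echo "policy error: Internet-to-LAN accept" >&2
        return 1
    fi
    if printf '%s\n' "$rules" | grep -- "-i $DMZ" | grep ACCEPT | grep -qv -- '-s '; then
        echo "policy error: DMZ-originated accept without a source host" >&2
        return 1
    fi
    return 0
}

# "sh fw.sh" prints the rules; "sh fw.sh apply" (as root) checks then applies them.
if [ "${1:-}" = apply ]; then
    check_policy && fw_rules | sh -e
else
    fw_rules
fi
```

Running the script without arguments only prints the rules, so they can be reviewed or diffed before `apply` loads them. The LOG rules are the operationally useful part: a DMZ host that suddenly tries to open connections outward, or toward the LAN, shows up in the kernel log long before anything else does.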
John <naverxp () yahoo com sg>
13/01/2005 01:04

 
        To:     security-basics () securityfocus com
        cc:     (bcc: Miguel Dilaj/PH/Novartis)
        Subject:        Proxy & Firewall Implementation


Hi

I'm a fresh graduate in the System Administrator field. Recently, with much 
luck, I was recommended to a company to implement a firewall system 
for their network infrastructure. I hope to pick up some experience from 
this forum as to how people here might consider different 
circumstances when placing their proxy server inside a protected network 
(behind the firewall) or before the firewall. Would I need two firewalls? 
(I'm considering the Cisco FW and CyberGuard FW.)

During my research, I found a document written by a blackhat who 
suggested allocating most of my services (httpd, mail, etc.) to a DMZ outside 
the internal network and making backups every night. My 2nd question: 
why did he suggest that? Why expose my services outside the network, 
where my information is live and exposed to the risk of being 
compromised?

John