RE: DMZ - Question

["Dan Lynch" <DLynch () placer ca gov>]

Pablo,

There shouldn't be a need to NAT traffic between the DMZ and private
network. You should only need to NAT at the internet perimeter. But that
depends on the IP ranges you're using too.

I concur with Ansgar that connections from DMZ hosts to private network
hosts are to be discouraged. But it's advice that is sometimes not
possible to strictly follow. Your mail server is a perfect example. How
else to receive internet mail? Layer 8 restrictions may apply too.

But where possible, put those private network hosts that need to receive
connections from DMZ boxes into another DMZ layer - as below. Then
control what connections (if any) are allowed from DMZ1 hosts into the
private nets. A connection should have to pass through multiple layers
of control before reaching anything of value.


Private ----FW---switch---FW---Internets
nets        |        |
            |      router
           DMZ1      |
                    DMZ2

There are a lot of variables, but the general goals should guide you.
Control and audit that traffic, even if you can't perfectly restrict it.
And create as many distinct layers as needed to define and segregate
different security domains. Use DMZ1 for less-critical servers. Another
DMZ can be created for high-value servers (payroll, customer data, etc).
The private nets can then be reserved for users. But be careful - it
gets very complicated, very quickly. Firewall rulesets get very long
too, and mistakes become more likely.

One issue to be aware of has to do with default routes on DMZ hosts. As
you've presented it, the DMZ has two routes. In that config, either (1)
each DMZ host has a static route table for all private nets, or (2) you
rely on ICMP redirect packets for half your traffic. That's why I
included a router above. In my environment, there are too many DMZ
hosts, and too many private nets in too many diverse ranges that change
too frequently, to efficiently and accurately manage static route tables
on every DMZ host. Also, firewalls don't always like sending ICMP
redirects. YMMV. 

As above, the two firewalls and one router interface are on one IP
network. The second router interface and all DMZ hosts are on another.
Each DMZ host has a single default route (the router), and the router
determines which way a packet should go. It can participate in dynamic
route updates of your preferred flavor, or you can maintain static
routes there.

Finally, be aware that management doesn't always buy into the two-vendor
idea. Two different acquisition sources, and two different maintenance
contracts to manage. And the administrator needs to fully understand two
different FW implementations. Here, it didn't fly, regardless the
obvious security advantages.

Good luck,

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of hol64 () hotmail com
> Sent: Friday, October 26, 2007 8:41 AM
> To: security-basics () securityfocus com
> Subject: DMZ - Question
>
> I have to setup a DMZ on our network. Our current layout is 
> Internet Router <--> Firewall <--> WAN/LAN Router <--> Servers
>
>
>
> The idea is to setup a back-to-back DMZ or Dual Firewall DMZ. 
> So the topology would be like this..
>
> Internet Router --> FW-1 <--> DMZ <--> FW-2 <--> WAN/LAN router. 
>
>
>
> On the DMZ we will have a Web Server that needs access back 
> to the Mainframe on the LAN, and a Mail server that need 
> access to another mail server on the LAN.
>
>
>
> One of my questions is the DMZ is in a /24 subnet and the LAN 
> is on a /16 subnet. Is the only way for the web server in the 
> DMZ to communicate with the inside LAN by NATting in the 
> FW-2. Isn't this creating a double subnet from the outside??
>
>
>
> I am working with 2 pix firewalls, and I am hoping to change 
> FW-2 to a different brand that has stateful inspection.
>
>  
>
>
>
> Please Advice,
>
>
>
> Thanks, 
>
>
>
> Pablo