Firewall Wizards mailing list archives

Re: DMZ best practices


From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Sat, 16 Jan 1999 16:03:14 PST

Perry,

A lot of whiz-bang firewall packages offered these days (Checkpoint 
software's FireWall-1 comes to mind) offer you the ability to implement 
a 'DMZ'.

Now this is all fine and good from a marketing standpoint for these 
companies, as it sounds like they have some new featureset that we 
should all get excited about ... but in reality it is not that big of a 
deal.

Set up your firewall, put machines behind it, then, between your 
firewall and the router, throw in a hub - now put a machine on the hub.  
Boom - you have a DMZ.  So the first point I would like to make is that 
a DMZ is not a _feature_ because all it means is a machine or set of 
machines outside the firewall.  Those machines can even be in the same 
subnet that the firewall and the protected machines are in.

Now, it is possible to put three NICs in your firewall, and then set up 
a filtering policy between the outside world and machines off of NIC #1, 
and set up a less stringent (or complete passthrough) filtering policy 
between the outside world and machines off of NIC #2.
This is not exactly a DMZ, but a lot of vendors call it that.  This is, 
at best, a pseudo DMZ, because the machines are still behind the 
firewall.

The DMZ is _not_ protected by a firewall, or else it is not a real DMZ.

Now, what kind of machines would you put in the DMZ?  Not many, in my 
opinion.  Mail, news, www, etc. should _always_ be behind a firewall 
with a security policy in place.  Now maybe your firewall (as stated 
above) calls an area with a less stringent security policy a DMZ - if 
they do, fine.  Whatever you call it, don't put these critical machines 
_outside_ the firewall.  As of this writing, the only machine I can 
think of that belongs outside of the firewall is a data collection 
machine for intrusion detection - and it forwards that data to an 
analysis machine _behind_ the firewall.

I would also put a hub between the router and the firewall - even if you 
don't connect a data collection machine there.  This way, if there is 
ever an emergency and you need to throw something outside the firewall 
(during an attack, for instance) you can do so without unplugging the 
network briefly.  Also, you can put in a second or third collection 
machine without disrupting network traffic.

So therefore, I guess it all comes down to what you are defining as a 
DMZ.  If you use the "real" definition, then no, your mail, etc. 
machines do not belong there.  If you are using a definition printed on 
some glitzy box quoted from the PR material, well maybe it does - as 
long as it is behind the firewall.


kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4
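A toy first-match packet filter modelling the three-NIC layout described in the post, added here as an illustration (it is not the poster's code nor any vendor's product). Interface names, the 10.0.1.0/24 LAN, the 10.0.2.0/24 screened segment, the 192.0.2.10 "outside hub" host and the rules are all constructed; the point it shows is that a host on the hub between router and firewall never traverses the policy at all, while the "pseudo DMZ" segment is still filtered.

```python
"""Model of a three-interface firewall: outside, internal LAN, screened segment."""
from dataclasses import dataclass
from typing import Optional
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    in_if: str            # interface the packet arrives on ("*" = any)
    out_if: str           # interface the packet would leave on ("*" = any)
    dst: str              # destination network, CIDR
    dport: Optional[int]  # destination port, None = any
    action: str           # "accept" or "drop"


# Constructed addressing: NIC 0 faces the router, NIC 1 the LAN, NIC 2 the screened hosts.
NETS = {"lan": "10.0.1.0/24", "screened": "10.0.2.0/24"}

# Constructed policy: stringent toward the LAN, less stringent toward the screened segment.
POLICY = [
    Rule("outside", "screened", "10.0.2.0/24", 25, "accept"),   # SMTP to screened mail relay
    Rule("outside", "screened", "10.0.2.0/24", 80, "accept"),   # HTTP to screened www host
    Rule("screened", "lan", "10.0.1.0/24", 25, "accept"),       # relay hands mail inward only
    Rule("lan", "outside", "0.0.0.0/0", None, "accept"),        # LAN may initiate outbound
    Rule("screened", "outside", "0.0.0.0/0", None, "accept"),   # screened hosts may reply out
]  # anything not matched above is dropped (default deny)


def interface_for(addr: str) -> str:
    """Map an address to the firewall interface it sits behind; unknown = outside."""
    ip = ip_address(addr)
    for name, net in NETS.items():
        if ip in ip_network(net):
            return name
    return "outside"


def decide(src: str, dst: str, dport: int) -> str:
    """Return the policy verdict for one packet, or 'not-seen' if it never crosses the box."""
    in_if, out_if = interface_for(src), interface_for(dst)
    if in_if == out_if:
        return "not-seen"  # same side of the firewall: the hub passes it, the filter never sees it
    for r in POLICY:
        if (r.in_if in ("*", in_if) and r.out_if in ("*", out_if)
                and ip_address(dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "drop"
```

A machine on the outside hub (e.g. the constructed 192.0.2.10) yields "not-seen" for traffic from the Internet, which is exactly why the post says a real DMZ host is not protected by the firewall.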


