Firewall Wizards mailing list archives

Re: Why is this secure??


From: Lars Kronfält <lakr () bofh maldata se>
Date: Thu, 25 Nov 1999 09:24:21 +0100 (MET)

This might not be the true answer to your questions, but I wanted to help
you a little bit with the config.

IMHO you are on the right track.
Using a DMZ and a proxy firewall is ( IMHO ), the most secure thing.

For the configuration, you might want to take a look at:
http://www.tis.com/support/maincf.html

Look for 'transparency' and 'Service network AKA the third interface'.
This info is quite old, but the way of thinking with Gauntlet has not
differed that much. You can't do it like this, but you might understand the
way of thinking.

BTW, I hope that you are using Gauntlet for Unix, and not Gauntlet for NT.
Even if it's the same name and company, it is not the same product.
Upgrade to version 5.5 for Unix ( it might not be an official release, but
it's there, trust me ).

You do want to use RFC 1918 addresses in the DMZ, and only use NAT on the
outside interface. ( I hope that you use RFC 1918 on the inside )

Then you put up plug-gw between the inside machine and the webserver on
the DMZ ( the plug-gw got a small memory leak, might need to be restarted
after a month or so, depending on load. And I don't think that you will
experience problems using a -gw between inside and DMZ. ). Think about the
handoff addresses, probably won't have to bind addresses, but I'm not sure.

Then config a plug-gw on the outside network, doing handoff to the
webserver. ( You use the same service, but for different networks,
interfaces, and addresses ).

Think about that Gauntlet must know the routes to the machine on the
inside, and the DMZ. The machines don't. They throw the packets to the
default gw ( Gauntlet ) and the firewall controls where to put them.
Where you want to put the routing in Gauntlet is up to you, this could be
done in a few ways.

Hope this helps.
And if I get some time over today ( tomorrow .... ) I might try to answer
your questions.

// Lars


( The opinion in the letter is mine, not to be confused with that of my
company )



On Tue, 23 Nov 1999, Steve Meeters wrote:

I'm not a security expert but have been asked to find a way to allow
customers on the Internet to look up parts information on a server behind
our firewall. The server has a lot of business applications on it and can't
be put in front of the firewall. We are using a Gauntlet firewall. 

I have been reading and following discussions on this list for a while and
have come up with a plan to put an external web server on the third leg of
the firewall and have customers go to this web server, fill out a request
form and submit it. Using cgi scripting, the web server will send the
request through the firewall to the internal server which will then send the
requested information back to the web server, which will forward it to the
customer. 

Like I said, I'm not an expert at this and have come up with this plan based
on what I've read here and in some books. What I need to know is why is this
more secure than letting Internet traffic through the firewall directly to a
web server on this internal system? Putting up an external server is going
to cost more, we'll need another system, web software, and another interface
for the firewall. 

What threats am I specifically opening our network up to by creating a rule
that allows all traffic to the internal server? I read this is a bad idea
but why can't the firewall protect against this? Assume for the sake of
argument the firewall is secure.

What protection does this type of firewall still provide to our network if this
rule is in place? At what OSI levels?

In my plan a rule will be created that will only allow traffic coming from
the external web server to pass through the firewall to the internal server.
This narrows the field from everyone on the Internet to just the one server.


How does this help secure the internal network?

If the external server is compromised doesn't the attacker now have an open
path to the internal server, the same as if the external server wasn't there
at all?

I know these questions sound elementary to you but I drew the short straw on
this one. I think I am heading towards a relatively secure solution, but I
need to justify the $$$.

Thanks for your help

Steve Meeters
meeters () excite com








