Firewall Wizards mailing list archives

RE: DMZ - the physical layer


From: fernando_montenegro () hp com
Date: Mon, 13 Mar 2000 09:50:39 -0500

Hi!

This question is one of those where you *really* need to ask yourself about the  
risks and benefits of all approaches.

Glossary:
"firewall LANs" - all the networks between the external router's ethernet  
interface and the internal router's "outer" interface.
"corporate LANs" - all the networks in the corporation up to the internal  
router's internal interface (i.e., not the firewall LANs)

Possible scenarios:
1) Using separate hubs/switches for each subnet in your firewall LANs:
Pros - Virtually impossible to have traffic mixed up without physical access to  
the rack
     - Virtually impossible to change DMZ setup without physical access to the  
rack
     - Probably cheaper to buy multiple simple hubs/switches than one fancy,  
larger, switch.

Cons - Adds complexity to hardware needs, such as extra rack space, extra power  
outlets, ...
     - Makes changes to a LAN (such as adding servers to the web farm) harder
     - Makes a more resilient (not HA) configuration harder: more individual  
components to duplicate

2) Using one switch for all the firewall LANs, separate from any corporate LAN  
switches:
Pros - Simpler hardware requirements (power outlets, rack space, possibly  
cabling)
     - Much easier to add resilience (only one place to add redundant power  
supply, for example)
     - Much more versatile configuration (only logical changes in VLANs)

Cons - Flexibility in VLAN configuration introduces possibility for DMZ setup  
errors because of human mistakes
     - The existence of bugs in the switching gear might lead to DMZ  
compromise, such as access to "internal" traffic

3) Using the same switch for firewall LANs and corporate LANs:
Pros - Much simpler hardware requirements (power outlets, rack space, possibly  
cabling)
     - Much easier to add resilience (only one place to add redundant power  
supply, for example)
     - Much more versatile configuration (only logical changes in VLANs)

Cons - Flexibility in VLAN configuration introduces possibility for DMZ setup  
errors because of human mistakes
     - The existence of bugs in the switching gear might lead to DMZ  
compromise, such as access to "internal" traffic

Personally, I would strongly advise everyone to stay off option "3": the  
simpler hardware requirements do not justify the risk associated with having  
internal (as in SAP, payroll, ...) corporate traffic showing up on an external  
web server's (possibly compromised) collision domain...

Choosing between 1, 2 or variants is really up to policy and the functionality  
associated with each subnet in the firewall LANs. I have seen setups similar to  
"2", but with two switches: one for "external" and "service" subnets and  
another for "internal" or "admin" subnets.

I know people who will accept nothing but "1" and some that feel the benefits  
of "2" pay off the increase in associated risk.

Caveat emptor.

Hope this helps.

Cheers,
Fernando
--
Fernando da Silveira Montenegro     Hewlett-Packard Brasil
HP Consulting - IT Security         Al. Rio Negro, 750 - Alphaville
mailto:fernando_montenegro () hp com   Barueri, SP - Brazil 06454-000
voice: +55-11-7297-4351             #include <disclaimer.h>


-----Original Message-----
From: johnjohn () triceratops com [mailto:johnjohn () triceratops com]
Sent: Tuesday, March 7, 2000 23:32
To: firewall-wizards () nfr net
Cc: johnjohn () triceratops com
Subject: [fw-wiz] DMZ - the physical layer
 
 
I was looking through the archives of the greatcircle
firewall list and came across some opinions regarding
the construction of DMZ's.
 
I'm using Baystack 450's as my backbone switches.
Bay 450's have a virtual lan function which can
be used to limit a collision domain to specific
ports.  I was planning on using this function to
create the DMZ.
 
However, I ran across some opinions that this type of
action was quite foolish.
 
Can someone give me the cons to this proposal?
 
An option would be to buy a cheap Netgear switch  
(under $500) to be a physically separate DMZ.  
 
Pros and cons on that vs the virtual lan?  $500
is a small price to pay if there are security problems
when using a vlan as a DMZ.
 
John
 



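An added example, not part of the thread or of any vendor's tooling: a small Python audit that applies Fernando's glossary to a constructed switch port table, flagging any port whose VLAN membership would put firewall-LAN and corporate-LAN traffic on the same wire (the human-error case of options 2 and 3) and any VLAN that nobody classified. Port names, VLAN IDs and the classification sets are assumptions made up for the example.

```python
# Added example: audit port-to-VLAN assignments for DMZ isolation mistakes.
# Vendor-neutral; the data below is constructed for illustration only.

# Constructed port table: port -> set of VLAN IDs the port carries.
# An access port carries one VLAN, a trunk carries several.
PORTS = {
    "1/1": {10},          # external router
    "1/2": {20},          # web farm, service subnet
    "1/3": {20},          # second web server
    "1/4": {30},          # internal router, "outer" interface
    "1/5": {100},         # corporate desktop VLAN
    "1/6": {10, 20, 30},  # trunk to the firewall: firewall LANs only
    "1/7": {20, 100},     # trunk that mixes service and corporate traffic
    "1/8": {20, 42},      # VLAN 42 was never classified by anyone
}

# Classification per the glossary: firewall LANs sit between the external
# router and the internal router's outer interface; everything else is corporate.
FIREWALL_VLANS = {10, 20, 30}
CORPORATE_VLANS = {100}


def audit_ports(ports, firewall_vlans, corporate_vlans):
    """Return a sorted list of (port, problem) findings.

    Two conditions are reported:
      - a port carries at least one firewall VLAN and at least one corporate
        VLAN, so a compromised DMZ host could see corporate frames;
      - a port carries a VLAN that is in neither set, so its trust level is
        undefined and the isolation claim cannot be checked.
    """
    findings = []
    for port, vlans in sorted(ports.items()):
        fw = vlans & firewall_vlans
        corp = vlans & corporate_vlans
        unknown = vlans - firewall_vlans - corporate_vlans
        if fw and corp:
            findings.append((port, "mixes firewall VLANs %s with corporate VLANs %s"
                             % (sorted(fw), sorted(corp))))
        if unknown:
            findings.append((port, "carries unclassified VLANs %s" % sorted(unknown)))
    return findings


if __name__ == "__main__":
    for port, problem in audit_ports(PORTS, FIREWALL_VLANS, CORPORATE_VLANS):
        print("port %s: %s" % (port, problem))
```

Run it against a real port table exported from the switch and an empty result is the condition option 2 relies on; any finding is the kind of mistake option 1 prevents by construction.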