Firewall Wizards mailing list archives
RE: Rationale of the great DMZ
From: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Date: Wed, 10 Jul 2002 14:21:06 -0500
-----Original Message----- From: Paul Robertson [mailto:proberts () patriot net] Sent: Wednesday, July 10, 2002 12:40 To: Scott, Richard Cc: firewall-wizards () nfr net Subject: Re: [fw-wiz] Rationale of the great DMZ On Wed, 10 Jul 2002, Scott, Richard wrote:Readers, It comes obvious in many situations that these days the interpretationof aDMZ and its implied security has changed. Originally, DMZ's were thezoned While I'll agree that the level of security has changed, I'm not sure the original zoning concept has- let's not forget that what's allowed in and out of the internal network has changed as well.
I have been involved with numerous conversations with folks who no longer see the value and need of DMZ's given the nature of the application filtering proxies that exist today. I personally can't seem to get my hands comfortably around that statement and environment, but apparently some can... either way, it makes for an interesting perspective on the points that Paul and Richard are bringing up.
area where systems were placed, that, if they were compromised, wouldn't directly comprise the internal system. The idea is that systems wereplacedin the DMZ were that they should not contain sensitive access points intothe internal network. More so, data would be pushed to these systems intheDMZ and data obtain via some proxied effort. Network activity wouldn't necessarily begin from the DMZ and be tunneled in to the internalnetwork. More pointedly, it's that traffic coming from the outside be controlled and cordoned (for instance, SMTP traffic has almost always come from outside-- except in really paranoid places that UUCP out to get mail from a DMZ SMTP server.)
Like I mentioned, I know of numerous folks who are starting to contend that (for example) with SMTP proxy capabilities, there is less and less of a reason to offload SMTP inbound to a DMZ system then have it come into the network from the DMZ since the firewall can filter clear up to layer 7 anyway...
From what I have seen, the advent of SSL accelerators, hybrid firewallsanddata encryption technology the traditional DMZ is being depleted for amoretrusted zone environment.This seems to be true overall, where people take time to seperate by function, access control or sensativity.
Like mentioned, I am seeing it the other way as well - simplifying the design to encompass an application proxy only as the line of delineation...
Some points I have noted: (1) Commonly SSL accelerators terminate the SSL end point prior to the web services receiving the HTTP data.True, but typically on a DMZ, the exposure is the accelerator and the Web server- and it's not like the Web server's exposure is lessened in any case.(2) Firewalls are placed between servers and are more passive between the DMZ and the internal network. (3) Certain data like credit card data is encrypted, and since this is perceived as being secure, more trusted and sensitive data is placed intheDMZ. without thought to the very nature of how this data could be easily decrypted, or captured prior to it being stored encrypted.This is unfortunately one of the bigger problems out there. You'd think the lessons of Egghead, et al. would have shown people the errors of placing CC data on servers outside the perimeter.
Agreed. What really frightens me is the stance that "since the DMZ is an 'archaic' solution", that the "perimeter" is effectively the firewall doing application filtering. A point that I have made is that a compromised host on a DMZ only has network access (typically) to other hosts on the DMZ, as opposed to a compromised host on the internal net having access everywhere (and this doesn't even get into issues regarding sites that have no outbound filtering rules...) <snip>
(2) The implicit trust between applications and databases between the DMZ and the internal network means, that once a compromise has occurred, tunneling in to the corporate network becomes more easily penetrable.THis depends on the exposure allowed inside- typically only DB traffic at the sites I've looked at/been involved in designing.
True, and taking it further, I know of a number of sites that are extremely restrictive of what passes between the two. Compromising the DMZ host does not necessarily mean that "free and easy" access can now be gained to the internal net. <snip>
(5) Cyclical redundancies in network traffic, as VPN's are set up to obtain data feeds but the feeds terminate on different hardware that is insecure both at the network through to the application levels.Not sure I get this one...
I think he might be talking about terminating VPNs in such a manner that concern is not paid to what traffic can go between VPNs, but only what traffic may come into the internal net, thus one could jump from VPN1 to VPN2 and potentially gain access to resources that they otherwise should not be able to... _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Rationale of the great DMZ Scott, Richard (Jul 10)
- Re: Rationale of the great DMZ Paul Robertson (Jul 10)
- <Possible follow-ups>
- RE: Rationale of the great DMZ Noonan, Wesley (Jul 10)
- Re: Rationale of the great DMZ Steven M. Bellovin (Jul 13)
- Network "tap" (was Re: Rationale of the great DMZ) firewalls (Jul 18)