Firewall Wizards mailing list archives

Re: segmentation of DMZs

From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 17 Nov 2002 00:56:31 +0100


Hullo,

As usual, I'm disagreeing with stuff :)

Carson Gaspar wrote:


b) Every system is on a seperate segment

Con:

Address space nightmare (can be solved with a bridging firewall)


I personally think that I have quite a bit of experience with segmenting 
public as well as private boxes.  We've got about a dozen zones at the
head office network.  I've personally got _five_ zones in my home 
network! :)

Of course, my experiences in this area is mainly limited to using our 
gear, but, at least from that perspective, I can't agree with this 
address space nightmare objection.  With a reasonable proxy arp setup, 
spreading a single /28 over half a dozen zones is, in my experience, 
not a problem at all.  And this is with routing firewalls, mind you.

In fact, separate zones can make some things easier, for instance when 
address translation is involved. In a flat DMZ with private addresses, 
one needs to make sure that the boxes involved always connect to the
private addresses if they need to talk to eachother, OR, if they 
ever connect to the public addresses (because, say, that's where the
MX pointer points?), one needs to also translate the SOURCE of requests 
as they pass through the firewall, so that the response always passes 
back through the firewall.  (If the client sent its TCP SYN to 1.2.3.4, 
it will NOT accept ACKs from 10.0.0.5!)

With a fully segmented DMZ, this "just works", since all packets
always travel through the firewall.

Application architecture must be explicitly provisioned, every time it
changes (may be seen as a Pro)


Definately a pro :)

Enormous firewall port count (802.1q helps)


Um. 
"I want to install a firewall. 
 Pro: This can help security.
 Con: You need a firewall." 
...? :)

I'd just like to add a word of caution: I personally do not want to
trust the more sensitive separations to VLANs. I've seen way too
many switches go Tango Uniform just because a mac address in
port based VLAN 1 suddenly appears on port based VLAN 2.
Aren't they supposed to be _separated_? :)

Of course, this doesn't mean that one shouldn't use VLANs at all.
If I have a dozen machines that I want to separate, but only a 
handful of physical interfaces, maybe I can group them into a few
major trust levels and give each group a physical interface each. 
Then I can use separate VLAN switches to further separate the 
boxes in each group.

Complex routing / bridging


- Set all boxes to use the same network
- Set route to box1 through if1
- Set route to box2 through if2
- Set route to box3 through if3
  (etc...)
- Enable proxy ARP for all routes/interfaces involved.
- Done.

Of course, if you can't do proxy ARP, or use a firewall with very
rigid ideas of how routing tables should look, I can definately see 
how this rapidly can become very ugly.

High operational / debugging complexity


Why? All of a sudden I can even get logs of all connections opening
and closing, which I couldn't easily get before.  I can even do
monitoring and alerting when connections that I expect to happen 
suddenly _aren't_ happening between two boxes!

However, if by this you meant "it takes more time to set up", _that_
I can agree with.  You need to understand the protocols that the boxes 
want to use.  You need to not accept blanket vendor statements of 
"open ports x,y,z and 1024-65535 in both directions", etc. But that's
part of securing _anything_.



Now, I'll add a con of my own:

Protocols not designed to live outside a single LAN are a PITA.
No, I'm not necessarily thinking of windows networking here; that 
can usually be solved with WINS and/or lmhosts files.  I'm thinking 
about ones that absolutely need to use broadcasts and scream UDP 
at eachother on random ports.  Ick.  If you get one of those, you
can basically forget about separation.  Maybe you can shoehorn a 
firewall in between two such boxes, but you'll likely end up opening 
so many ports that the value in separating them becomes highly 
questionable.  Fortunately, most protocols don't behave this way.




-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Mainframes on the Net? Don Kendrick (Nov 13)
- Re: Mainframes on the Net? Paul Robertson (Nov 13)
  - Re: Mainframes on the Net? Barney Wolff (Nov 13)
  - segmentation of DMZs Shimon Silberschlag (Nov 14)
    - Re: segmentation of DMZs Paul D. Robertson (Nov 14)
    - Re: segmentation of DMZs Carson Gaspar (Nov 14)
    - Re: segmentation of DMZs Mikael Olsson (Nov 16)
    - Re: segmentation of DMZs Carson Gaspar (Nov 17)
    - Re: segmentation of DMZs Miles Sabin (Nov 15)
    - RE: segmentation of DMZs Ofir Arkin (Nov 18)
  - Re: Mainframes on the Net? Lorens Kockum (Nov 14)
- Re: Mainframes on the Net? R. DuFresne (Nov 13)
- <Possible follow-ups>
- RE: Mainframes on the Net? Scott, Richard (Nov 13)
- RE: Mainframes on the Net? Noonan, Wesley (Nov 13)
- RE: Mainframes on the Net? Desai, Ashish (Nov 14)
  - RE: Mainframes on the Net? Paul D. Robertson (Nov 14)
- RE: Mainframes on the Net? ark (Nov 15)

(Thread continues...)