RE: DMZFrom: Bill Mote (firstname.lastname@example.org)
- Previous message: Terry: "RE: DMZ"
- In reply to: Carol Wood: "DMZ"
- Next in thread: email@example.com: "RE: DMZ"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Bill Mote" <firstname.lastname@example.org> To: "Carol Wood" <email@example.com>, <firstname.lastname@example.org> Date: Wed, 16 Jan 2002 10:57:57 -0500
A partitioning off a DMZ behind your firewall is a *great* idea! I'll
define a few things and then I'll show you a rule base that you might
consider (very basic stuff here).
x.x.x.x --> Private LAN Servers, workstations, printers, etc.
y.y.y.y --> DMZ hosts (NAT'd numbers like 192.168.2.x can be used as well as
public IP addresses. It's up to you.)
y.y.y.a --> Your firewall
Rule #1: Any Source destined for the 'firewall' on any service drop it and
Rule #2: x.x.x.x destined for anywhere on any service allow it and do not
Rule #3: Any Source destined for your web server (y.y.y.b) on port 80 allow
it and do not log it
Rule #4: Any Source destined for any Destination drop it and log it
That config sets your network up in what is called, "A mostly closed
environment." Or, you've denied all traffic by default (rule #4) and *must*
have rules on the firewall telling it was *is* acceptable.
In this scenario no one can talk to your firewall for any reason. Your lan
servers, workstations, printers, etc will be able to talk to anything. And
finally, only INBOUND http traffic will be accepted for your web server.
In this design if your web server were compromised it wouldn't have
permissions to talk to *anything*! That's why you create a DMZ. Hosts
exposed to the internet for publicly accessible servers go there (SMTP
servers, FTP servers, HTTP servers, etc.)
Now, something we've done along with that is to use a basic IP numbering
x.x.x.1-15: network gear (switches, routers, etc)
x.x.x.51-99: printers and other network attached IP equipment
x.x.x.100-254: DHCP clients
That allows you to identify things in your logs quickly. Say you had a
machine trying to hack your servers and it was @ IP# x.x.x.75 ... well,
printers don't typically try to port scan your servers =)
A *simple* drawing of this network design can be seen as: Y One upper arm
of the Y is your LAN, the other is your DMZ with the Firewall at the
junction of the 2 arms and the base. The base represents your connection to
the internet. The firewall becomes a "choke point router," or the single
point all traffic must go through to talk to the others.
A more complicated (not really) design would be to separate off any dB
servers you have into yet another DMZ network. Why? Well, if your web
server needs access to data stored on a dB server but you don't want the
public to have access to the server itself then you could make a w.w.w.w
network to host those.
You'd add a rule between #3 and #4 above that would be something similar to:
y.y.y.b destined for w.w.w.b on port SQL (or whatever) allow it and do not
That would mean that your LAN equipment could talk to all boxes, your web
server can talk to your dB server on 1 specific port and nothing else. By
doing this you've made your network more secure because the dB server is
never exposed to public scrutiny and yet the data is still available to your
web server. If someone manages to compromise your web server using only
HTTP then they'd still only be able to talk SQL to your dB server ... very
p.s. sorry if this is jumbled up. typed as I thought (there's a little
insight for you <grin>)
This is somewhat in line with Andrew Langton's
I run a mostly Microsoft NT 4.0 network with some
Linux servers. We have two locations connected by
a T1, 3 NT Domains. Simple little network. We do
host a few web sites as well.
However, we are going to be switching ISPs and I
want to redesign our network. Help me understand
the DMZ config.
I have a consultant that does not recommend a DMZ -
- he says it does not translate to added security. He
says that a firewall is all you need.
I also was interested in using non-routed IP
addresses and his response is that this will result in
too many machines required in the DMZ = less
So IF YOU were going to redesign your network, what
would YOU do?
I appreciate any constructive feedback and
suggestions that you may have. Thanks in advance
for your help!!!
Carol P. Wood
Director of IT
System Planning Corporation