RE: DMZ

From: Bill Mote (bill.mote@bigfoot.com)
Date: 01/16/02


From: "Bill Mote" <bill.mote@bigfoot.com>
To: "Carol Wood" <cwood@sysplan.com>, <focus-ms@securityfocus.com>
Date: Wed, 16 Jan 2002 10:57:57 -0500

Ms. Wood,

A partitioning off a DMZ behind your firewall is a *great* idea! I'll
define a few things and then I'll show you a rule base that you might
consider (very basic stuff here).

x.x.x.x --> Private LAN Servers, workstations, printers, etc.
y.y.y.y --> DMZ hosts (NAT'd numbers like 192.168.2.x can be used as well as
public IP addresses. It's up to you.)
y.y.y.a --> Your firewall

Rule #1: Any Source destined for the 'firewall' on any service drop it and
log it
Rule #2: x.x.x.x destined for anywhere on any service allow it and do not
log it
Rule #3: Any Source destined for your web server (y.y.y.b) on port 80 allow
it and do not log it
Rule #4: Any Source destined for any Destination drop it and log it

That config sets your network up in what is called, "A mostly closed
environment." Or, you've denied all traffic by default (rule #4) and *must*
have rules on the firewall telling it was *is* acceptable.

In this scenario no one can talk to your firewall for any reason. Your lan
servers, workstations, printers, etc will be able to talk to anything. And
finally, only INBOUND http traffic will be accepted for your web server.

In this design if your web server were compromised it wouldn't have
permissions to talk to *anything*! That's why you create a DMZ. Hosts
exposed to the internet for publicly accessible servers go there (SMTP
servers, FTP servers, HTTP servers, etc.)

Now, something we've done along with that is to use a basic IP numbering
scheme:

x.x.x.1-15: network gear (switches, routers, etc)
x.x.x.16-50: servers
x.x.x.51-99: printers and other network attached IP equipment
x.x.x.100-254: DHCP clients

That allows you to identify things in your logs quickly. Say you had a
machine trying to hack your servers and it was @ IP# x.x.x.75 ... well,
printers don't typically try to port scan your servers =)

A *simple* drawing of this network design can be seen as: Y One upper arm
of the Y is your LAN, the other is your DMZ with the Firewall at the
junction of the 2 arms and the base. The base represents your connection to
the internet. The firewall becomes a "choke point router," or the single
point all traffic must go through to talk to the others.

A more complicated (not really) design would be to separate off any dB
servers you have into yet another DMZ network. Why? Well, if your web
server needs access to data stored on a dB server but you don't want the
public to have access to the server itself then you could make a w.w.w.w
network to host those.

You'd add a rule between #3 and #4 above that would be something similar to:

y.y.y.b destined for w.w.w.b on port SQL (or whatever) allow it and do not
log it.

That would mean that your LAN equipment could talk to all boxes, your web
server can talk to your dB server on 1 specific port and nothing else. By
doing this you've made your network more secure because the dB server is
never exposed to public scrutiny and yet the data is still available to your
web server. If someone manages to compromise your web server using only
HTTP then they'd still only be able to talk SQL to your dB server ... very
nice, no?

Bill

p.s. sorry if this is jumbled up. typed as I thought (there's a little
insight for you <grin>)

-----Original Message-----
From: Carol Wood [mailto:cwood@sysplan.com]
Sent: Tuesday, January 15, 2002 5:24 PM
To: focus-ms@securityfocus.com
Subject: DMZ

This is somewhat in line with Andrew Langton's
email...
I run a mostly Microsoft NT 4.0 network with some
Linux servers. We have two locations connected by
a T1, 3 NT Domains. Simple little network. We do
host a few web sites as well.
However, we are going to be switching ISPs and I
want to redesign our network. Help me understand
the DMZ config.
I have a consultant that does not recommend a DMZ -
- he says it does not translate to added security. He
says that a firewall is all you need.
I also was interested in using non-routed IP
addresses and his response is that this will result in
too many machines required in the DMZ = less
security overall.
So IF YOU were going to redesign your network, what
would YOU do?

I appreciate any constructive feedback and
suggestions that you may have. Thanks in advance
for your help!!!

Carol P. Wood
Director of IT
System Planning Corporation



Relevant Pages

  • << SBS News of the week - Sept 26 >>
    ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
    (microsoft.public.backoffice.smallbiz)
  • << SBS News of the week - Sept 26 >>
    ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
    (microsoft.public.backoffice.smallbiz2000)
  • << SBS News of the week - Sept 26 >>
    ... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
    (microsoft.public.windows.server.sbs)
  • Re: need help re. office network install
    ... > and their network is a mess, the result of years of neglect. ... they have a gateway server w/ no special ... > firewall rules on it, they have a large DMZ that serves no purpose ... install anymore software on the firewall machine than is absolutely ...
    (comp.os.linux.networking)
  • Re: oops again
    ... open on the Firewall, and the default should be none. ... Since you intend to install IIS purely as a test server for your ASPX pages ... Make sure that IIS is only listening on the local network (192.168.x.y ...
    (microsoft.public.inetserver.iis)