RE: PART II : Webserver, DMZ, ports questions
From: Pybus, David (DPybus_at_colt-telecom.com)
Date: 07/18/01
- Previous message: McCammon, Keith: "RE: PART II : Webserver, DMZ, ports questions"
- Possibly in reply to: Bartel, Matt: "PART II : Webserver, DMZ, ports questions"
- Messages sorted by: [ Date ] [ Thread ] [ Subject ] [ Author ] [ Attachment ]
If you need as secure an environment as it sounds, then it would probably be
worth considering getting an IT Security Consultant in for a few days. It
shouldn't cost too much in the grander scale of things and they can advise
more specifically. It also means you've got someone to blame if it goes wrong -
not that I would recommend that as an appropriate solution to a security
issue.
The old multi-vendor firewall thing is an often recommended protector but
there are a couple of things to remember if you do this. Your support guys
need to be able to use the different firewalls well - more training, more
practice, more experience - (more salary?). Normally when people come
through a firewall they do it by coming through ports that the firewall
allows not by breaking the firewall - cracking a firewall is usually pretty
damn difficult.
I would recommend a structure like this:

I<->Switch<->Firewall1<->Webserver<->Firewall2<->Intranet
                                         /\
                                         ||
                                         \/
                                      Database
This means that firewall two is triple-homed - no big deal for a decent
firewall. If you go for the route you proposed in your email, then how do you
plan on putting content onto the webserver from the Intranet? The only
solution would be to tunnel through the database server, which you don't
want to do because it reduces the database's security and means opening extra
ports through the firewall.
A more cost effective solution would be:

                Webserver
                   /\
                   ||
                   \/
I<->Switch<->Firewall<->Intranet
                   /\
                   ||
                   \/
                Database
This places all of your eggs in one basket and if someone does crack your
firewall you are in trouble. You could always try the multi-vendor thing
here of course:

                 Webserver
                    /\
                    ||
                    \/
I<->Switch<->FW-Vendor1<->FW-Vendor2<->Intranet
                    /\
                    ||
                    \/
                 Database
Regards,
David Pybus
-----Original Message-----
From: Bartel, Matt [mailto:Matt.Bartel_at_qg.com]
Sent: 18 July 2001 15:42
To: 'sec_at_ayahuasca.net'; 'davesel_at_idzero.co.uk';
'DPybus_at_colt-telecom.com'; 'mhoz_at_gama.fime.uanl.mx';
'keydet89_at_yahoo.com'; 'ethalis_at_yahoo.com';
'rtsolakidis_at_powerserve.com.au'; 'Shane.Field_at_anu.edu.au';
'agoins_at_arces.net'; 'Keith.McCammon_at_eadvancemed.com';
'focus-ms_at_securityfocus.com'; 'incidents_at_securityfocus.org';
'security-basics_at_securityfocus.com'
Subject: PART II : Webserver, DMZ, ports questions
I've had many replies to my questions, all of which I sincerely appreciate.
Unfortunately, several of them do not encourage the same logic. So, it
would be helpful for me if I can rephrase my inquiry:
I need to be able to run webservers which talk to database servers. From
what I understand, I only need to open port 80 inbound on the border
firewall since I am using a stateful firewall that should "automatically"
open source ports to talk back outbound. Here is my first question: If this
does not work (even though I realize it should), which ports should I open
outbound on the border firewall? (I am running IIS 5 over Win2K...do I need
to find out what source ports IIS opens/needs open to talk outbound?)
The majority of the recommendations I received instructed me to use three
firewalls in the following fashion:
Internet<->Border FW<->Webserver DMZ<->Second FW<->Database Server
DMZ<->Third FW<->Internal Network
My second (and final) question is this: If I decide to go with the topology
in the manner described directly above, how would I physically cable this? I
know this sounds goofy, but for example, how do I physically cable the
Second FW to the Webserver DMZ? Do I do the following?:
 ___     _________     ______     ___________________________     ______     ______     ____________________
| I |<->|Border FW|<->|Switch|<->|Webservers in Webserver DMZ|<->|2nd FW|<->|Switch|<->|DB Servers in DB DMZ|
 ---     ---------     ------     ---------------------------     ------     ------     --------------------
Which would mean every webserver in the Webserver DMZ would need to be
dual-NIC'ed? Then, I would need to write ACLs on the Second FW which would
be very tight going both ways from the webservers *only* to the db servers
in the DB DMZ??? A couple of replies instructed to use two different vendor
firewalls for each of these, since if they penetrate the first, they will
surely be able to penetrate the second. I believe the logic is that this
will make them need to hack the second firewall if they want to get to the
data in the db's...is this correct? Is this the *best* (most secure, most
efficient) way of doing what I need to do?
Thank you all for your help!
-Matt
> I have two questions that I feel rather dumb about asking:
>
> If I am running a setup as follows:
> Internet<->Firewall<->DMZ<->Firewall<->Internal Network
>
> and I am running webservers in the DMZ that need to pull info out of
> databases (that hold confidential information), where is the best place to
> put the db's??? If I put them in the internal network, I would have to make
> a rule to allow the webservers to access the db's through the FW (which
> defeats the point of the FW)...if I do not allow the webservers to go
> through the FW, then they cannot access the db's, unless I would put them in
> the DMZ...What is the safest way to do this? What would basic, sample rules
> that would be optimal in this type of setup look like?
>
> Also, one other really dumb question, while I'm on a roll:
> I know that I should *only* allow port 80 into the DMZ, but do you allow
> *ALL* ports to go out??? Doesn't the webserver use all different local
> ports to talk out onto the Internet? If I wanted to do the following
> (assuming there is no internal network):
> Internet<->Firewall<->Webserver
>
> Can I allow *only* port 80 to run through the FW to the Internet (both
> ways)? I am using IIS 5, and I am under the belief that IIS opens ports
> (source ports???) on the local machine to talk out to the world...If I only
> allowed 80 to go out, wouldn't that effectively block the webserver from
> talking onto the net, since it picks high ports (like 5000, or whatever)?
>
> Thank you.
> -Matt
**********************************************************************
COLT Telecommunications
Registered in England No. 2452736
Registered Office: Bishopsgate Court, 4 Norton Folgate, London E1 6DQ
Tel. 020 7390 3900
This message is subject to and does not create or vary any contractual
relationship between COLT Telecommunications, its subsidiaries or
affiliates ("COLT") and you. Internet communications are not secure
and therefore COLT does not accept legal responsibility for the
contents of this message. Any view or opinions expressed are those of
the author. The message is intended for the addressee only and its
contents and any attached files are strictly confidential. If you have
received it in error, please telephone the number above. Thank you.
**********************************************************************
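The two questions in this thread (why only port 80 inbound needs to be opened on a stateful firewall, and what a "tight" web-tier to database-tier rule set looks like) are easier to see in a runnable model than in prose. The following is an added example written for this archive page, not code from either poster: it is a toy stateful packet filter that keeps a connection-tracking table and applies the three permit rules the thread ends up with, in the single-firewall layout David Pybus calls "more cost effective" (in the triple-homed two-firewall layout the same rules would simply be split across the two boxes). The address ranges, the MS SQL port 1433 and the SMB port 445 for content publishing are assumptions chosen for the example, and the state model is simplified (new connections are recognised by SYN only; no FIN/RST handling, no timeouts).

```python
"""Toy stateful packet filter for the web-DMZ / DB-DMZ / intranet policy.

Added illustration for the thread above, not code from either poster.
Addresses, the SQL port (1433) and the content-publishing port (445) are
assumptions chosen for the example.
"""
import ipaddress
from dataclasses import dataclass

INTERNET, WEB_DMZ, DB_DMZ, INTRANET = "internet", "web-dmz", "db-dmz", "intranet"

# Constructed address plan: one network per firewall interface (zone).
ZONES = {
    WEB_DMZ: ipaddress.ip_network("192.0.2.0/24"),
    DB_DMZ: ipaddress.ip_network("10.10.10.0/24"),
    INTRANET: ipaddress.ip_network("10.20.0.0/16"),
}


def zone_of(ip: str) -> str:
    """Map an address to the interface (zone) it sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET  # anything not on a known interface is "the Internet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a new TCP connection


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: int

    def matches(self, pkt: Packet) -> bool:
        return (zone_of(pkt.src) == self.src_zone
                and zone_of(pkt.dst) == self.dst_zone
                and pkt.dport == self.dport)


# The whole policy: three permit rules, everything else denied.
# Note that no rule mentions the high-numbered client/source ports at all.
POLICY = [
    Rule(INTERNET, WEB_DMZ, 80),    # public HTTP to the web servers
    Rule(WEB_DMZ, DB_DMZ, 1433),    # web tier to the database (assumed MS SQL port)
    Rule(INTRANET, WEB_DMZ, 445),   # content push from the intranet (assumed SMB)
]


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()  # 4-tuples (src, sport, dst, dport) of permitted connections

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Return traffic and later packets of a tracked connection pass without
        # any explicit rule: this is what "stateful" buys you.
        if fwd in self.conntrack or rev in self.conntrack:
            return True
        # A new connection must start with SYN and match a permit rule.
        if not pkt.syn:
            return False
        if any(r.matches(pkt) for r in self.rules):
            self.conntrack.add(fwd)
            return True
        return False


def run_scenarios() -> dict:
    """Push constructed packets through the policy and report each verdict."""
    fw = StatefulFirewall(POLICY)
    client, web, db, intranet_pc = "203.0.113.5", "192.0.2.10", "10.10.10.5", "10.20.3.7"
    results = {}
    # Browser opens a connection to the web server: matches the HTTP rule.
    results["client_to_web"] = fw.allow(Packet(client, 51000, web, 80, syn=True))
    # The server's reply goes from port 80 back to the high client port.
    # No outbound rule exists for port 51000; it passes because of state.
    results["web_reply"] = fw.allow(Packet(web, 80, client, 51000))
    # Web server queries the database; the DB's reply is likewise covered by state.
    results["web_to_db"] = fw.allow(Packet(web, 49152, db, 1433, syn=True))
    results["db_reply"] = fw.allow(Packet(db, 1433, web, 49152))
    # Internet straight to the database: no rule, denied.
    results["client_to_db"] = fw.allow(Packet(client, 51001, db, 1433, syn=True))
    # Web server opening its own connection out to the Internet (what a
    # compromised box would try): denied, there is no rule for it.
    results["web_to_internet"] = fw.allow(Packet(web, 49153, "203.0.113.9", 80, syn=True))
    # Compromised web server reaching for the intranet: denied.
    results["web_to_intranet"] = fw.allow(Packet(web, 49154, intranet_pc, 445, syn=True))
    # A non-SYN packet with source port 80 and no tracked connection behind it:
    # denied, so "pretend to be a reply" traffic does not get in.
    results["forged_reply"] = fw.allow(Packet("203.0.113.9", 80, web, 51000))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:17s} {'ALLOW' if verdict else 'DENY'}")
```

Running the block prints ALLOW for the four legitimate packets (client to web, its reply, web to DB, the DB's reply) and DENY for the rest. The point for the thread is in the `allow` method: the reply from port 80 to the client's port 51000 is accepted by the connection table, not by a rule, so there is nothing to open outbound for IIS's ephemeral ports, and the three rules together are the "very tight going both ways" ACL the second question asks about.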