What's wrong with this topology?

From: Frederick Garbrecht (admin@ecogchair.org)
Date: 02/16/02


From: "Frederick Garbrecht" <admin@ecogchair.org>
To: "Security-Basics@Securityfocus. Com" <security-basics@securityfocus.com>
Date: Sat, 16 Feb 2002 12:12:45 -0500

I've inherited a small corporate WinNT4.0 lan that I am reconfiguring to
remove some of the obvious security flaws in its structure. I would like to
elicit any comments or suggestions regarding reconfiguring the
architecture. On paper, the lan has been set up as a classical firewalled
lan with 3 zones: external, dmz, and internal.
             |T1
             |
           Router
             |
           Firewall
             | |
             | |
            Switch------vlan1 [external]
              |---------vlan2 [dmz = mail, dns, http]
              |---------vlan3 [internal]
The funny thing about the setup is that the servers residing in the dmz are
all dual-homed machines with 1 adapter set to use a dmz segment address
[192.168.1.0/24] and the other adapter uses an internal segment address
[192.168.2.0/24]. The dmz addresses are NAT'd at the firewall to public
address in our class C assignment. This arrangement strikes me as crazy;
even though routing between interfaces on the dmz machines is disabled, it
seems that it would be trivial to compromise the internal lan if an intruder
were to breach the dmz. Furthermore, some essential services (like
file/print, domain controllers) reside on the dmz/vlan3 boxes, which also
strikes me as major league stupidity for essentially the same reason.
Essentially to me it seems that the actual architecture functions only as a
2 region system (hostile internet vs. not very secure internal lan) because
of the fuzziness resulting from misconfiguration of the dmz. Basically,
since I'm not an expert on this stuff (yet), I would like some confirmation
of my feeling that this setup is basically very insecure so that I can
garner up the requisite courage to fight with the consultants who set it up
this way in the first place and the management who hired them. I have a
pretty good idea of how to correct things, such as making the dual homed dmz
machines single homed and moving all of the 'private' services like the
domain controllers, file storage, etc. to machines strictly located within
the internal vlan. Happy to provide additional details, clarifications;
comments welcome!
Thanks,
Fred
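An added example, not part of Fred's post or the list's replies: a small inventory audit that flags the two problems he describes, hosts with interfaces in more than one zone (the dual-homed DMZ servers) and internal-only roles (domain controller, file/print) on any host with a DMZ-facing interface. The DMZ and internal subnets are the ones in the post; the external range, the host names, addresses and role labels are constructed for illustration. Note that the check deliberately ignores whether IP forwarding is enabled on the host: as the post observes, once the box is compromised the attacker is already on both segments.

```python
"""Zone-straddle audit for a host inventory (added example, not from the post).

ZONES: 'dmz' and 'internal' follow the post; 'external' is an assumed
RFC 5737 documentation range standing in for the public class C.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ZONES = {
    "external": ip_network("203.0.113.0/24"),  # assumed public-side range
    "dmz": ip_network("192.168.1.0/24"),       # from the post
    "internal": ip_network("192.168.2.0/24"),  # from the post
}

# Roles that must only ever live on the internal segment.
INTERNAL_ONLY_ROLES = {"domain controller", "file/print"}


@dataclass
class Host:
    name: str
    addrs: list            # every configured interface address
    roles: set = field(default_factory=set)


def zone_of(addr):
    """Return the zone name whose subnet contains addr, or None if unmapped."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def audit(hosts):
    """Return a list of (host, issue) tuples; an empty list means clean."""
    findings = []
    for h in hosts:
        zones = set()
        for a in h.addrs:
            z = zone_of(a)
            if z is None:
                findings.append((h.name, f"address {a} is in no defined zone"))
            else:
                zones.add(z)
        # A host with feet in two zones is a bridge around the firewall.
        if len(zones) > 1:
            findings.append((h.name, "dual-homed across zones: " + ", ".join(sorted(zones))))
        # Private infrastructure on a host the DMZ (or Internet) can reach.
        exposed_roles = h.roles & INTERNAL_ONLY_ROLES
        if exposed_roles and zones & {"dmz", "external"}:
            findings.append((h.name, "internal-only role(s) on exposed host: "
                             + ", ".join(sorted(exposed_roles))))
    return findings


# Constructed inventory modelled on the post: every DMZ box is dual-homed and
# the DC and file/print roles ride on those same boxes.
AS_FOUND = [
    Host("mail", ["192.168.1.10", "192.168.2.10"], {"mail"}),
    Host("dns", ["192.168.1.11", "192.168.2.11"], {"dns"}),
    Host("http", ["192.168.1.12", "192.168.2.12"], {"http", "file/print"}),
    Host("pdc", ["192.168.1.13", "192.168.2.13"], {"domain controller"}),
]

# The fix the post proposes: single-homed DMZ hosts, private roles moved inside.
CORRECTED = [
    Host("mail", ["192.168.1.10"], {"mail"}),
    Host("dns", ["192.168.1.11"], {"dns"}),
    Host("http", ["192.168.1.12"], {"http"}),
    Host("pdc", ["192.168.2.13"], {"domain controller"}),
    Host("files", ["192.168.2.14"], {"file/print"}),
]

if __name__ == "__main__":
    for label, inventory in (("as found", AS_FOUND), ("corrected", CORRECTED)):
        print(f"== {label} ==")
        for host, issue in audit(inventory) or [("-", "no findings")]:
            print(f"{host:6} {issue}")
```

Run against the as-found inventory it reports four dual-homed hosts plus two exposed roles; against the corrected one it reports nothing, which is the state to verify again after any change to a DMZ box.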


