RE: Whats wrong with this topology?

From: Diego Arimany (diegoa@hotmail.com)
Date: 02/20/02


From: "Diego Arimany" <diegoa@hotmail.com>
To: admin@ecogchair.org
Date: Wed, 20 Feb 2002 15:16:50 +0000

Fred,

There is no problem with the topology if you wanted it for a house with one
firewall and a few clients behind it. However, it's better to have the DMZ
exposed (with a plus if you have access to the router and can add a little
filtering capabilities, otherwise it will be fully-exposed). See the
picture attachment.

Your current topology has 3 ethernets from the looks of it. This
complicates all the filtering rules on your firewall... which translates to
some complex rules that will be mixed up and become ineffective as you only
have one LARGE set of rules for 3 devices (that's one too many). A security
problem that I see with your current layout is that your firewall will only
redirect traffic inside your LAN (not filter it -- leaving some packets
outside) because your web, ftp, and email servers on your DMZ (only assuming
that you have them) need this traffic or else why have them.

Better is to have the DMZ physically apart from your LAN (with the firewall
in between). It also simplifies filtering rules.

Any more questions (or more detailed explanation) you know where to ask.

Diego.

====================+====================
= Diego Arimany =
= diego(at)hotmail(dot)com =
+ +
+ -----Fifth Law of Applied Terror----- +
= If you are given an open-book exam, =
= you will forget your book. =
=========================================

----Original Message Follows----
From: Frederick Garbrecht [mailto:admin@ecogchair.org]
Sent: Saturday, February 16, 2002 10:13 AM
To: Security-Basics@Securityfocus.Com
Subject: Whats wrong with this topology?

I've inherited a small corporate WinNT4.0 lan that I am reconfiguring to
remove some of the obvious security flaws in its structure. I would like to
elicit any comments or suggestions regarding reconfiguring the
architecture. On paper, the lan has been setup as a classical firewalled
lan with 3 zones: external, dmz, and internal.
              |T1
              |
            Router
              |
            Firewall________S_____vlan1[external]
              | |_________w
              |_____________i_____vlan2[dmz=mail,dns,http]
                            t |
                            c_____vlan3[internal]
                            h
The funny thing about the setup is that the servers residing in the dmz are
all dual-homed machines with 1 adapter set to use a dmz segment address
[192.168.1.0/24] and the other adapter uses an internal segment address
[192.168.2.0/24]. The dmz addresses are NAT'd at the firewall to public
address in our class C assignment. This arrangement strikes me as crazy;
even though routing between interfaces on the dmz machines is disabled, it
seems that it would be trivial to compromise the internal lan if an intruder
were to breach the dmz. Furthermore, some essential services (like
file/print, domain controllers) reside on the dmz/vlan3 boxes, which also
strikes me as major league stupidity for essentially the same reason.
Essentially to me it seems that the actual architecture functions only as a
2 region system (hostile internet vs. not very secure internal lan) because
of the fuzziness resulting from misconfiguration of the dmz. Basically,
since I'm not an expert on this stuff (yet), I would like some confirmation
of my feeling that this setup is basically very insecure so that I can
garner up the requisite courage to fight with the consultants who set it up
this way in the first place and the management who hired them. I have a
pretty good idea of how to correct things, such as making the dual homed dmz
machines single homed and moving all of the 'private' services like the
domain controllers, file storage, etc. to machines strictly located within
the internal vlan. Happy to provide additional details, clarifications;
Comments welcome!

Thanks,
Fred
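The two messages above describe the same risk from two angles: Diego's point that the DMZ must sit physically behind its own firewall interface with a small, separate rule set, and Fred's observation that dual-homed DMZ servers with a leg in 192.168.2.0/24 let an intruder walk from the DMZ into the internal LAN without ever touching the firewall. The following Python script is an added example, not code from either poster. It models a three-zone layout, flags hosts whose NICs straddle zones, flags private services (domain controllers, file/print) placed in the DMZ, evaluates sample flows against a zone policy table in which dmz-to-internal simply has no allow entry, and applies Fred's proposed fix (single-home the DMZ boxes, move private services inside). The host names, the 203.0.113.0/24 external range, the placeholder internal server and the policy ports are all constructed for the example.

```python
"""Zone-topology checker (constructed example; not from the original thread)."""
import ipaddress
from dataclasses import dataclass, field

# Firewall interfaces, keyed by zone. 203.0.113.0/24 is a documentation range
# standing in for Fred's real class C; the private ranges are from his mail.
ZONES = {
    "external": ipaddress.ip_network("203.0.113.0/24"),
    "dmz": ipaddress.ip_network("192.168.1.0/24"),
    "internal": ipaddress.ip_network("192.168.2.0/24"),
}

# Services that should never live on an Internet-facing segment.
PRIVATE_SERVICES = {"domain-controller", "file-print"}

# Allow table: (src zone, dst zone) -> permitted destination ports. Any pair
# that is absent is denied. ("dmz", "internal") is deliberately absent, so a
# compromised DMZ box gets nothing inward even when the firewall is the only path.
POLICY = {
    ("external", "dmz"): {25, 53, 80},
    ("internal", "dmz"): {25, 53, 80, 3389},
    ("internal", "external"): {80, 443},
    ("dmz", "external"): {25, 53},
}


@dataclass
class Host:
    name: str
    addresses: list          # one entry per NIC
    services: set = field(default_factory=set)


def zone_of(address):
    """Map an IP address to the zone whose subnet contains it (None if unknown)."""
    ip = ipaddress.ip_address(address)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def zones_of(host):
    return {zone_of(a) for a in host.addresses} - {None}


def find_zone_bridges(hosts):
    """Dual-homed hosts with NICs in different zones: traffic between those
    zones can flow through the host and never reach the firewall."""
    return sorted(h.name for h in hosts if len(zones_of(h)) > 1)


def find_misplaced_services(hosts):
    """Private services running on any host that has a DMZ interface."""
    return sorted(
        (h.name, s)
        for h in hosts if "dmz" in zones_of(h)
        for s in h.services & PRIVATE_SERVICES
    )


def flow_allowed(src, dst, port):
    """Would the firewall pass this flow? Same-zone traffic never reaches the
    firewall at all, so it is reported as allowed."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False
    if src_zone == dst_zone:
        return True
    return port in POLICY.get((src_zone, dst_zone), set())


def remediate(hosts):
    """Fred's plan: strip the internal NIC from DMZ boxes and move their
    private services to a dedicated internal host (placeholder address)."""
    fixed, moved = [], set()
    for h in hosts:
        if "dmz" in zones_of(h):
            dmz_only = [a for a in h.addresses if zone_of(a) == "dmz"]
            moved |= h.services & PRIVATE_SERVICES
            fixed.append(Host(h.name, dmz_only, h.services - PRIVATE_SERVICES))
        else:
            fixed.append(h)
    if moved:
        fixed.append(Host("int-srv1", ["192.168.2.5"], moved))  # constructed
    return fixed


# Constructed inventory mirroring the layout Fred describes.
HOSTS = [
    Host("mail1", ["192.168.1.10", "192.168.2.10"], {"smtp", "domain-controller"}),
    Host("www1", ["192.168.1.20", "192.168.2.20"], {"http", "file-print"}),
    Host("dns1", ["192.168.1.30"], {"dns"}),
    Host("ws-fred", ["192.168.2.50"], set()),
]

if __name__ == "__main__":
    print("zone bridges:", find_zone_bridges(HOSTS))
    print("private services in DMZ:", find_misplaced_services(HOSTS))
    print("dmz -> internal smb:", flow_allowed("192.168.1.20", "192.168.2.50", 445))
    fixed = remediate(HOSTS)
    print("after remediation:", find_zone_bridges(fixed), find_misplaced_services(fixed))
```

Running it against the constructed inventory reports mail1 and www1 as zone bridges and their domain-controller and file/print roles as misplaced; after `remediate` both lists are empty, and the only way from 192.168.1.0/24 to 192.168.2.0/24 is through a firewall whose policy table has no dmz-to-internal entry.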
