Internet, DMZ & the risks

From: Ferry van Steen (ferry.van.steen@InfoPart.nl)
Date: 07/10/02


From: Ferry van Steen <ferry.van.steen@InfoPart.nl>
To: Security-basics@securityfocus.com
Date: Wed, 10 Jul 2002 15:09:31 +0100

Hey there,

I got some security questions... I'll first try to make a drawing to clarify
things.

    --------------
    |  Internet  |
    --------------
          |
          |
    --------------      ------------
    |    WAP     |------|   DMZ    |
    --------------      ------------
          |
          |
    --------------
    |    LAN     |
    --------------

NOTE!: The WAP is a Draytek Vigor2200Wplus which also has an ISDN connection
to the business; this is not in the drawing. The DMZ is on IP range
172.16.1.0/24, the LAN is on 192.168.1.0/24.
The WAP automatically forwards all ports to the DMZ (with the exception of the
port it uses for PPTP/VPN to set up the internet connection, of course).
Actually the DMZ is only one PC running FreeSCO.

The risk I need to know/understand is the possibility to get from the DMZ
into either the LAN or the ISDN connection the WAP makes towards the
business. In principle the DMZ does not know about the LAN (there is no
route to it in there).

I don't know much about cracking these kinds of things. What I do know is that
you could manually put a route in packets (I have never done that though...).
Would it be possible, from either the internet or the DMZ, to get into the LAN
with what I believe is called source-routed packets (packets with a route
predefined by the user)? In theory this would come down to telling the
cracking client that the internet IP is the gateway for the LAN behind it, but
since this isn't possible (because you already have a gateway towards the
internet and/or on the internet to route packets on to the internet, and you
can't put a route through a gateway that's already behind a gateway) I believe
you have to do that through source-routed packets.

The point is, we need to estimate the risk. The LAN isn't even the biggest
concern, the biggest one is the ISDN connection to the business. However,
once in the LAN you can send packets there, since the WAP will automatically
dial out if you send packets to the IP segments the business is on. It
should thus also not be possible to go straight from the internet over the
ISDN, nor from the DMZ. Once in the DMZ it could be possible to crack the
WAP; perhaps it can even be done from the internet (although the only port
that is open is 1723).

Anyone familiar with these kinds of setups and how secure they are, and/or the
security of the Draytek Vigor2200Wplus itself?

Any info you can give will be greatly appreciated. We are aware that we
should keep up with firmware updates, and it has the latest one at this
moment.

How secure can a DMZ be anyways? In the DMZ setups I know, the LAN in all
cases goes out over the same connection as the DMZ, so there might always be a
hole, right? Then again, I think you can never be totally secure, and the LAN
connected to the internet right away would be even worse.

Kind regards,

Ferry van Steen
InfoPart Automatisering B.V.
Beeksestraat 24
4841 GC Prinsenbeek
Phone: +31 (0)76 - 5 44 04 11
Fax: +31 (0)76 - 5 41 83 51
Mobile: +31 (0)6 - 28 46 47 45
E-Mail (business): ferry.van.steen@infopart.nl
E-Mail (private): freaky@bananateam.nl
MSN Messenger: freaky@freaky2000.dyndns.org
ICQ (UIN (seldom used)): 191458
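The source-routed packet question raised in the post, worked as an added example that is not part of the message or of any Draytek or FreeSCO code: a small Python parser that reads IPv4 header options, recognises the loose (LSRR, type 0x83) and strict (SSRR, type 0x89) source-route options, and applies the border policy that settles the risk, namely dropping such packets so the sender cannot name a LAN hop for the forwarding box to honour. The sample packets and addresses are constructed for the demo.

```python
import struct

# IPv4 option type codes for source routing (RFC 791): LSRR = 0x83, SSRR = 0x89.
# Both carry a path chosen by the sender: the "source-routed packets" of the post.
LSRR, SSRR = 0x83, 0x89

def ipv4_options(packet: bytes) -> bytes:
    """Return the raw options field of an IPv4 header (empty when IHL == 5)."""
    version, ihl = packet[0] >> 4, packet[0] & 0x0F   # IHL is in 32-bit words
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    return packet[20:ihl * 4]

def source_route(packet: bytes):
    """Walk the option list; return (kind, [hop IPs]) for a source-route option,
    or None if the packet carries none."""
    opts, i = ipv4_options(packet), 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # EOOL: end of option list
            break
        if kind == 1:                 # NOP: one-byte padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or malformed option")
        length = opts[i + 1]
        if kind in (LSRR, SSRR):      # layout: type, length, pointer, 4-byte hops
            route = opts[i + 3:i + length]
            hops = [".".join(map(str, route[j:j + 4])) for j in range(0, len(route) // 4 * 4, 4)]
            return ("LSRR" if kind == LSRR else "SSRR", hops)
        i += length
    return None

def border_verdict(packet: bytes) -> str:
    """Policy for the Internet-facing box: drop source-routed packets, because the
    sender rather than our routing table would decide where they go next."""
    return "drop" if source_route(packet) else "accept"

def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (checksum left 0) for the constructed samples."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       to_bytes(src), to_bytes(dst)) + options

# Constructed samples (not captured traffic): a plain packet to the DMZ host, and one
# whose LSRR option names a LAN address in 192.168.1.0/24 as the next hop.
PLAIN = build_ipv4("203.0.113.5", "172.16.1.10")
ROUTED = build_ipv4("203.0.113.5", "172.16.1.1", bytes([LSRR, 7, 4, 192, 168, 1, 20]))
```

On a Linux-based gateway (FreeSCO is one) the same policy is the kernel setting net.ipv4.conf.all.accept_source_route = 0, which makes the kernel discard source-routed packets instead of forwarding them.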


