Re: RE: Firewall and DMZ topology

marcus_at_knivsta.se
Date: 06/11/03

    To: Morgado Alain <amorgado@AeroKool.com>
    Date: Wed, 11 Jun 2003 17:28:58 +0200
    
    

    Small Office / Home Office

    --
    Marcus Weman (marcus@knivsta.se)
    Network Engineer
    Knivsta Kommun, GAS-Ek/IT
    Ängbyvägen 8, 741 75 Knivsta, SWEDEN
    Direct: +46 18 347103, Mobile: +46 708 216594
    Phone: +46 18 347000, Fax: +46 18 380712
    http://www.knivsta.se/
    Morgado Alain <amorgado@AeroKool.com> 
    2003-06-11 16:54
    To
    security-basics@securityfocus.com
    Cc
    Subject
    RE: Firewall and DMZ topology
    What is a soho?
    -----Original Message-----
    From: Christopher Ingram [mailto:cmi@crystalsands.net] 
    Sent: Tuesday, June 10, 2003 3:01 PM
    To: security-basics@securityfocus.com
    Subject: Re: Firewall and DMZ topology
    First I apologize if someone already followed up with the same answer 
    I'm about to give. I've been getting a ton of Out Of Office, unknown user, 
    and account full messages since I first posted here and it's made a mess 
    of things on this end.
    Also, when I say firewall, I mean Router + Firewall.
    The point of a DMZ is to isolate it as much as possible from the rest of 
    your network. Should whatever resides in it become compromised, the 
    attacker cannot spread his influence across the network. Also, simply 
    having the address of a public server of a company will make finding the 
    address of the other hosts very simple. This can be quite cost 
    prohibitive for smaller companies, but the larger a corporation is (in 
    terms of its network) the more they can benefit from the 2 uplink setup. 
    With all that said, the original question said SOHO, so I realize this 
    would never be a real solution.
    Keeping SOHO in mind, we can look at the rest of the options more 
    carefully. If the DMZ resides between the public Internet and the 
    internal network, compromising the DMZ will mean any traffic passing to 
    and from the local network to the Internet is sniffable. If this is not 
    an issue (No sensitive information at all will pass through here 
    including e-mails with corporate secrets, and online shopping and 
    banking (yes, even with SSL)) then that may work fine.
    Assuming that this isn't acceptable, the inline method (every box has 2 
    NICs chained together) can be ruled out.
    Should the DMZ be behind the LAN and not split off at the firewall, it 
    would have to be on the same NIC the LAN uses on the firewall. Splitting 
    that one port among several clients in the LAN and the DMZ would require 
    a switch or a hub, and that opens the door to sniffing as well. Only 
    this time, all traffic on the LAN can be sniffed, not just Internet <-> 
    LAN traffic.
    The three NIC method (Internet -> Firewall -> LAN, DMZ) is decent and 
    probably best situation if the implementing person/staff has the skill 
    and time to devote to it. No offense, but this didn't appear to be the 
    case. In the original question, this was ruled out due to costs. 
    Considering that the setup would only cost a few hundred dollars at 
    most, it seems that the person/staff responsible for this does not have 
    sufficient resources to properly implement and maintain this. This 3 NIC 
    firewall would require constant maintenance because, as it will most 
    likely run a full fledged OS, it is susceptible to attack, resulting in 
    the scenario I described in the beginning of this post.
    I recommended splitting the LAN and DMZ using a simple SOHO hardware 
    router because a decent one can be found on eBay for around $40. I know 
    because I bought one 2 weeks ago. Considering how difficult it is to 
    compromise one of those, it can serve the purpose of the 3 NIC firewall 
    for a much lower cost.
    On Monday, June 9, 2003, at 08:53  PM, Chris Berry wrote:
    >> From: Christopher Ingram <cmi@crystalsands.net>
    >> So, the below setup is not decent for a corporate LAN. Ideally, the 
    >> DMZ should sit on a separate connection to the Internet from the rest 
    >> of the network, using a different ISP and therefore, different IP 
    >> block. This provides the most isolation.
    >
    > I'm afraid I don't see how that:
    >
    > internet --> Firewall --> Lan
    >
    > internet --> Firewall --> DMZ
    >
    > would be any more secure than this:
    >
    > internet --> Outer Firewall --> DMZ --> Inner Firewall --> LAN
    >
    > or this:
    >
    > internet -->  Firewall --> LAN
    >                             --> DMZ
    >
    > which are the setups that I've seen.  Can you give some 
    > justification/explanation on why you think that would be better?
    >
    > Chris Berry
    > compjma@hotmail.com
    > Systems Administrator
    > JM Associates
    >
    > "All I want is a few minutes alone with the source code for the 
    > universe and a quick recompile."
    >
    > _________________________________________________________________
    > STOP MORE SPAM with the new MSN 8 and get 2 months FREE* 
    > http://join.msn.com/?page=features/junkmail
    >
    >
    >
    > ---------------------------------------------------------------------------
    > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top 
    > analysts!
    > The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    > while InStat has confirmed Neoteris as the leader in marketshare.
    > Find out why, and see how you can get plug-n-play secure remote 
    > access in
    > about an hour, with no client, server changes, or ongoing maintenance.
    > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    > ----------------------------------------------------------------------------
    >
    ---------------------------------------------------------------------------
    Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    while InStat has confirmed Neoteris as the leader in marketshare.
     
    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.
     
    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    ----------------------------------------------------------------------------
    
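The thread contrasts the three-NIC layout (Internet -> Firewall -> LAN, DMZ) with putting the DMZ on the same segment as the LAN behind one firewall port. The following Python model is an added example, not code from any poster in the thread: it expresses the firewall as a default-deny, zone-to-zone policy and shows why the DMZ host's reach differs between the two layouts. The address ranges, port lists and host names are constructed assumptions for illustration.

```python
"""Zone-based policy model of the three-NIC firewall topology versus a
DMZ that shares the LAN segment. Constructed illustration (assumption):
address ranges, ports and hosts are not from the original thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Three-NIC topology: LAN and DMZ are separate segments on separate interfaces.
THREE_NIC = {
    "lan": [ip_network("192.168.1.0/24")],
    "dmz": [ip_network("192.168.2.0/24")],
}

# "DMZ behind the LAN" on one switch/hub: the firewall sees a single segment,
# so LAN and DMZ hosts form one zone and traffic between them never crosses
# the firewall at all.
SHARED_SEGMENT = {
    "lan": [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")],
}

def zone_of(addr, zones):
    """Map an address to its zone; anything outside the listed ranges is 'internet'."""
    ip = ip_address(addr)
    for name, nets in zones.items():
        if any(ip in net for net in nets):
            return name
    return "internet"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

# Default-deny policy keyed by (source zone, destination zone). "any" allows
# every destination port; a set lists the permitted ports. (dmz, lan) and
# (internet, lan) are deliberately absent: that absence is what confines a
# compromised DMZ host in the three-NIC layout.
POLICY = {
    ("internet", "dmz"): {80, 443},    # published services only
    ("lan", "internet"): "any",        # clients browse out
    ("lan", "dmz"): {22, 80, 443},     # admins reach DMZ hosts
    ("dmz", "internet"): {53, 123},    # DNS and NTP for the DMZ hosts
}

def decide(flow, zones, policy=POLICY):
    """Return (verdict, reason) for a new connection.

    Endpoints in the same zone are switched locally and never reach the
    firewall, so the firewall cannot block them; reported as 'same-segment'.
    """
    src_zone = zone_of(flow.src, zones)
    dst_zone = zone_of(flow.dst, zones)
    if src_zone == dst_zone:
        return ("accept", "same-segment")
    allowed = policy.get((src_zone, dst_zone))
    if allowed is None:
        return ("drop", "no-rule")
    if allowed == "any" or flow.dport in allowed:
        return ("accept", "policy")
    return ("drop", "port-not-allowed")

def reachable_from(src, targets, zones, policy=POLICY):
    """Sorted (host, port) targets that a foothold at `src` can connect to."""
    return sorted((host, port) for host, port in targets
                  if decide(Flow(src, host, port), zones, policy)[0] == "accept")

# Constructed hosts: a file server and a workstation on the LAN, a second DMZ
# host, and an external resolver (documentation address range).
TARGETS = [("192.168.1.10", 445), ("192.168.1.20", 3389),
           ("192.168.2.20", 80), ("198.51.100.53", 53)]
DMZ_WEB = "192.168.2.10"  # the public server assumed to be compromised

def dmz_isolated(zones, policy=POLICY):
    """True if the compromised DMZ host cannot open any connection to a LAN host.

    LAN membership is judged by the three-NIC addressing so the same hosts
    are checked under both layouts.
    """
    lan_hosts = [(h, p) for h, p in TARGETS if zone_of(h, THREE_NIC) == "lan"]
    return not reachable_from(DMZ_WEB, lan_hosts, zones, policy)

if __name__ == "__main__":
    for name, zones in (("three-NIC", THREE_NIC), ("shared segment", SHARED_SEGMENT)):
        print(name, "reachable from compromised DMZ host:",
              reachable_from(DMZ_WEB, TARGETS, zones))
        print(name, "DMZ isolated from LAN:", dmz_isolated(zones))
```

Running it shows the three-NIC policy leaving the DMZ host only its permitted outbound ports plus the other DMZ host (intra-segment traffic is never filtered, in either layout), while the shared-segment layout lets the same host reach every LAN target because none of that traffic ever passes through the firewall. The policy table is the part worth auditing: the property the thread cares about is simply that no (dmz, lan) entry exists.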
