Re: Moving servers behind firewall

From: Mogens Valentin (monz@danbbs.dk)
Date: 02/12/02


From: Mogens Valentin <monz@danbbs.dk>
Date: Tue, 12 Feb 2002 20:34:50 +0100

Michael Austin wrote:
>
> Mogens Valentin wrote:
> >
> > I need to move two servers from outside a firewall to a DMZ.
> > The setup:
> >
> > +-- DMZ 10.1.0.1
> > cisco --+-- firewall ----- internal segments 10.0.{10,11,12,13}.0
> > | 10.0.0.2
> > +-- webserver
> > | 10.0.0.3
> > | mailserver
> > +-- 10.0.0.4
> >
> > The 10.0.0.3 and .4 are nat'ed from the cisco router.
> >
> > My idea is to add eth0:1 (10.0.0.3) and eth0:2 (10.0.0.4) to the
> > firewall primary interface eth0.
> >
> > The webserver runs apache, webmin and proftpd, available from both the
> > internet and internal segments.
> > The mailserver runs sendmail, courier-imap and webmin, all available
> > from both the internet and internal segments.
> >
> > I'm not sure about ipchains rules for those virtual interfaces,
> > especially not for ftp access. Ideas?
>
> Why? Unless you "just want to", the firewall will still give you no
> protection. DMZ means that you have the same config just through a
> different connection. Leaving it just as you have it, serves the same
> purpose.
>
> That will just make your firewall do more work to pass <all packets> to
> your DMZ machines. Unless you are using different definition of DMZ.

Maybe my ascii-art is lacking clarity, or we misunderstand one another.
The DMZ has its own interface on the firewall, so rules can be defined
for specific hosts on the DMZ. But you'll probably agree with that...
Yes, the firewall will have to forward all packets aimed at some host on
the DMZ through that interface, and so what?

I can see your point for a very heavy loaded webserver or mailserver,
but that's not the case here (didn't write that in the first place).
I will still have the benefit of restricting which protocols emerge on
the DMZ, and I won't have to maintain complete separate firewalls on
each server; only some specific rules per server.

But basically you're right, I may as well keep those servers outside the
firewall and secure them separately.

BTW, I do not believe firewalls are the be all and end all; I do a lot
of stuff within /proc, and observe other safety issues as well.

-- 
Regards,
           Mr Dev - Mogens Valentin
    http://www.mrdev.com - mrdev@danbbs.dk
OpenSource Security - Networking - Programming

Looking for a 2-3 room flat, preferably from 1 March. Renovation to some extent can be offered.
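A concrete form of the "specific rules per server" idea above, as an added example that is not from the thread or either poster: ipchains forward rules on the firewall's DMZ interface that admit only the services listed in the post to each host and deny the rest. Assumed, since the post does not say: the DMZ interface is eth1, the two hosts take 10.1.0.3 and 10.1.0.4 on the DMZ, webmin is on its default port 10000, and proftpd is configured with a fixed PassivePorts range (50000-50100) so passive ftp data connections can be allowed as a range; mapping the old public addresses onto the new DMZ ones is out of scope.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Assumed values
# (not on the page): DMZ interface eth1, hosts 10.1.0.3 (web) and
# 10.1.0.4 (mail), webmin on 10000, proftpd PassivePorts 50000-50100.
IPCHAINS=${IPCHAINS:-ipchains}   # set IPCHAINS=echo to preview the rules
DMZ_IF=eth1
WEB=10.1.0.3
MAIL=10.1.0.4
PASV=50000:50100

# allow_in HOST PORT: accept new TCP connections from anywhere to HOST:PORT
# going out the DMZ interface, and the non-SYN replies coming back from it.
allow_in() {
    $IPCHAINS -A forward -i "$DMZ_IF" -p tcp -d "$1" "$2" -j ACCEPT
    $IPCHAINS -A forward -p tcp ! -y -s "$1" "$2" -j ACCEPT
}

# dmz_rules: default-deny the forward chain, then open per-host services.
dmz_rules() {
    $IPCHAINS -P forward DENY
    $IPCHAINS -F forward

    # webserver: ftp control, passive ftp data range, http, webmin
    allow_in "$WEB" 21
    allow_in "$WEB" "$PASV"
    allow_in "$WEB" 80
    allow_in "$WEB" 10000
    # active-mode ftp data: the server opens the connection from port 20,
    # so SYNs leave the DMZ and only non-SYN replies may come back in
    $IPCHAINS -A forward -p tcp -s "$WEB" 20 -j ACCEPT
    $IPCHAINS -A forward -i "$DMZ_IF" -p tcp ! -y -d "$WEB" 20 -j ACCEPT

    # mailserver: smtp, imap, webmin
    allow_in "$MAIL" 25
    allow_in "$MAIL" 143
    allow_in "$MAIL" 10000

    # anything else headed into the DMZ is logged and dropped
    $IPCHAINS -A forward -i "$DMZ_IF" -l -j DENY
}
```

Source the file and call `dmz_rules` on the firewall; with `IPCHAINS=echo` it prints the rule set instead of loading it, which is a cheap way to review exactly which ports each DMZ host exposes.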


