Re: dmz question

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 04/17/05


Date: Sat, 16 Apr 2005 17:45:35 -0500

In article <pan.2005.04.16.14.15.33.920618@home.nl>, John Smith wrote:

>a project leader is proposing to represent all our _internal_
>servers in our internal network on the outside of our internal firewall
>in our dmz each with an unique officially obtained _public_ ip-address.

Well, let's start out with www.ora.com - the two books this person needs
to at least scan are

  Building Internet Firewalls, 2nd Edition Jun 2000 US$49.95 1-56592-871-7
  890 pages Zwicky, Cooper and Chapman

  Practical Unix & Internet Security, 3rd Edition Feb 2003 US$54.95
  0-596-00323-4 984 pages Garfinkel, Spafford, and Schwartz

The latter one is more helpful here, even if the project leader only uses
windoze. Next, the project leader has to justify to management why these
hosts have to be outside the firewall. In reality, if these are internal
servers, there has NEVER BEEN ANY REASON to locate internal systems in an
external location, EVEN IF IT'S IN A DMZ. If the idiot wants to do this
so that customers can access certain files, put those files in a proxy
server. If the customers are limited, have them access these files using
secure protocols ONLY. IF the files are to be accessed by the general public,
then the files should be served from a proxy server ONLY. Be sure to inform
the project leader that systems in the DMZ should NEVER be able to access
the internal net (all internal to DMZ access should be initiated from
designated internal hosts, and that access should be restricted by the
internal firewall), and access from the DMZ to the world should be limited
to serving files outbound ONLY.

Next, clueless leader needs to consult with a real live security guru. Your
headers say Debian, and .nl. While a bit dated see the Consultants-HOWTO
that is now found at

  http://tldp.org/guides.html
  http://ibiblio.org/pub/linux/docs/linux-doc-project/

and many other mirrors, as the 'Linux Consultants Guide'. It lists 51
reputable companies in the Netherlands, another 41 in Belgium, 3 in
Luxembourg, and 105 in Germany.

>The obtained subnet will not be routed over the internet. His main
>argument is that we are dealing on the other side of the dmz with a
>company that manages our office network that maintains its own
>ip-address policy and that we must be able to switch to another office
>IT provider without changing ip-addresses.

Internal servers should NEVER be accessible from the world, and thus can
use RFC1918 addresses. RFC1918 has 18.94 million addresses in the equivalent
of 289 different /16 networks.

>Besides that it will be difficult to obtain /22 public ip-addresses (we're
>talking about +- 500 servers),

Getting 500 addresses (a /23 gives you 510 usable) isn't all that hard.
There are literally dozens of companies that would be falling all over
each other to provide that. The bigger problem would be investigating each
company and their proposed IP space to see that it's not blacklisted sixteen
ways to Sunday because of spam support. Also check rfc-ignorant.org to see
that they are not so incompetent as to have proper required role account
addresses (like 'postmaster@').

>my opinion is that you don't do this, just because it's against common
>practice, which, as an argument, does not make an impression, as you can
>imagine and that this will not be inherently safe (failing of the acl on
>the outside firewall exposes the internal network).

Sounds like someone has already made up their mind, and no amount of
blindingly OBVIOUS facts will be considered.

>What other arguments are there against this proposal?

See the books noted above.

>What solutions are there that with a minimum of public addresses in the dmz,
>you can make hundreds of internal servers available?

The first question to be asked is why some idiot thinks that the internal
hosts have to serve the data to the world. The second question is why these
hosts have to be in the DMZ. Then, look into the concept of virtual servers.

        Old guy
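The zone rules in the reply above (DMZ never initiates to the internal net, only designated internal hosts reach the DMZ, the DMZ answers the world but never initiates outbound, internal servers are never reachable from the world) are easy to state and easy to get wrong in a ruleset. The following is an added example, not code from the post or its author: it models that policy as a function over the initiator of each new connection and audits a constructed log of connection attempts against it. The address ranges, the designated hosts and the port sets are assumptions chosen for the example (10/8 for the RFC1918 internal net, TEST-NET-1 standing in for the public DMZ subnet, ssh/rsync as the publishing ports).

```python
import ipaddress
from typing import List, Tuple

# Zones. Addresses are constructed for this example: 10/8 is an RFC1918
# range for the internal network, as the reply recommends; 192.0.2.0/24
# (TEST-NET-1) stands in for the publicly routable DMZ subnet.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")

# Designated internal hosts allowed to initiate into the DMZ (constructed
# addresses), and the ports they may use to push content there.
DESIGNATED_INTERNAL = {ipaddress.ip_address("10.0.0.10"),
                       ipaddress.ip_address("10.0.0.11")}
MGMT_PORTS = {22, 873}          # assumed: ssh and rsync for publishing files
DMZ_SERVICE_PORTS = {80, 443}   # what the DMZ serves to the world


def zone(ip: str) -> str:
    """Classify an address as internal, dmz or world."""
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "world"


def policy(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Verdict for the host *initiating* a new connection. Replies to an
    accepted connection are left to the firewall's connection tracking, so
    'serving files outbound' is implied by accepting the inbound request."""
    s, d = zone(src), zone(dst)
    if s == "dmz" and d == "internal":
        return "drop", "DMZ hosts never initiate to the internal net"
    if s == "internal" and d == "dmz":
        if ipaddress.ip_address(src) in DESIGNATED_INTERNAL and dport in MGMT_PORTS:
            return "accept", "designated internal host publishing to DMZ"
        return "drop", "only designated internal hosts may reach the DMZ"
    if s == "world" and d == "dmz":
        if dport in DMZ_SERVICE_PORTS:
            return "accept", "public service on the DMZ"
        return "drop", "DMZ exposes only its service ports"
    if s == "dmz" and d == "world":
        return "drop", "DMZ answers requests but never initiates outbound"
    if s == "world" and d == "internal":
        return "drop", "internal servers are never reachable from the world"
    return "drop", "default deny"


# Constructed log of NEW-connection attempts: (src, dst, dport).
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("203.0.113.5", "192.0.2.10", 443),    # customer fetching a file
    ("192.0.2.10", "10.0.0.50", 445),      # DMZ box reaching for a file share
    ("10.0.0.10", "192.0.2.10", 22),       # designated host publishing
    ("10.0.0.77", "192.0.2.10", 22),       # random desktop trying the same
    ("192.0.2.10", "198.51.100.9", 25),    # DMZ box trying to send mail out
    ("203.0.113.5", "10.0.0.50", 80),      # world hitting an internal server
    ("203.0.113.5", "192.0.2.10", 8080),   # world probing a non-service port
]


def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Return the flows the policy would drop, with the reason, so the
    intended ruleset can be checked against real connection logs."""
    return [(src, dst, dport, reason)
            for src, dst, dport in flows
            for verdict, reason in [policy(src, dst, dport)]
            if verdict == "drop"]


if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print("DROP %s -> %s:%d  (%s)" % row)
```

Run against the constructed log, five of the seven attempts are dropped; only the customer's HTTPS request and the designated host's ssh push are accepted. The same function can be fed a firewall's NEW-connection log to spot rules that drift from the stated policy, which is the practical point of the reply: the DMZ is a one-way shelf of content, filled from designated internal hosts and read by the world, never a path back in.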


