Re: DMZ - Network topology

From: x y, mvp (levinson_k@despammed.com)
Date: 02/21/03


"Adie" <a_usenetizen@hotmail.com> wrote in message
news:4hlb5v83u1ni003sf6q2ur7jn0ugvsujk5@4ax.com...

> programming, but not much at all in administration. I was thinking of this
> kind of topology, but ive sort of just pulled it out the hat without too
> much research.
>
> [ADSL NAT Router Switch]
>        |            |
>  [web server]   [firewall]
>                      |
>               [16 port switch]
>                      |
>                 [ ethernet ]
>
> I was then planning on making rules in the firewall limiting how the web
> server could talk to the database server on the LAN.
>
> Does the above setup offer anything other than superfluous protection?
>
> The imperative security issue is the LAN, the web server can be trashed
> for all I care, it isn't running mission critical apps, more of an added
> service to employees out in the field, a 24 downtime period wouldn't hurt,
> but a break in to the LAN would.

I personally think it is a big mistake to put any computer on the internet
without a firewall, especially a Windows computer or a web server,
especially without hardening it. It can theoretically be hardened enough to
withstand most attacks, but only with a bit of pain and if you already know
what you're doing. I think it is a mistake to think that there's nothing of
value on the web server... one of the most common hacks is to take advantage
of the default settings in IIS FTP or WWW to install FTP services and put
many gigabytes of files onto your server. Then your internet connection
speed goes way down and your server runs out of disk space and you can't
delete the folder containing all that stuff, and Microsoft starts
investigating you for possible prosecution. Sure, you might be able to
format and reinstall the computer in 24 hours or less, but you'll put the
computer back on the internet and get hacked again in a few hours, or days,
which means more work on your part. Or someone installs a sniffer and
captures your passwords and credit card numbers as they pass out your
firewall. Or a worm like Code Red infects your computer because of a
missing patch or a default setting that wasn't fixed, and that brings down
your internet connection and gets your internet account cancelled. Or you
made your administrator password the same as the administrator password on
your firewall, and someone discovers one password and uses it to reconfigure
or bypass your firewall. Or one day you plug your web server into your
internal network to work on it and some malware on it compromises other
computers behind your firewall. If you don't ask me, search these Microsoft
security newsgroups for the posts saying, "I didn't secure it because it was
only a test server with no live data, but now I've got a big problem..."

Having said that, you could probably configure the NAT router to offer
enough firewall-like security for your web server. NAT is pretty effective
at blocking everything incoming but the ports you allow. By itself it
doesn't do much to block outbound communications, and logging and alerting
is usually not good or nonexistent or requires free third party syslog
software like www.wallwatcher.com or www.kiwisyslog.com to capture and
inspect the logs on a computer.

No matter where you put your web server, here are some things I'd consider
doing to the server and all the computers on your network to improve
security:

http://securityadmin.info/faq.htm#harden

The O'Reilly book [2nd edition] is pretty good. To draw the DMZ setups I
mentioned:

internet -- NAT router and/or firewall -- switch or hub -- firewall -- your network
                                                |
                                       dmz with web server

OR:

internet -- NAT router and/or firewall -- firewall with 3 NICs -- your network
                                                    |
                                           dmz with web server
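The second layout, written as an nftables ruleset for the firewall with 3 NICs. This is an added example, not anything from the thread; the interface names and addresses are assumed: eth0 faces the NAT router, eth1 is the DMZ with the web server at 192.168.10.10, eth2 is the LAN with the database server at 192.168.20.5 listening on TCP 1433.

```nft
#!/usr/sbin/nft -f
# Added example for the 3-NIC DMZ firewall. Interfaces/addresses are assumed:
#   eth0 = toward the NAT router (internet side)
#   eth1 = DMZ, web server 192.168.10.10
#   eth2 = LAN, database server 192.168.20.5 (TCP 1433)
flush ruleset

table inet dmz {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # Manage the firewall only from the LAN side, never from the DMZ or internet.
        iifname "eth2" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful: replies to flows already allowed below pass; junk is dropped.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the web ports, only to the web server.
        iifname "eth0" oifname "eth1" ip daddr 192.168.10.10 tcp dport { 80, 443 } accept

        # DMZ -> LAN: the web server may reach the database port and nothing else,
        # so a compromised web server cannot roam the internal network.
        iifname "eth1" oifname "eth2" ip saddr 192.168.10.10 ip daddr 192.168.20.5 tcp dport 1433 accept

        # LAN -> DMZ and LAN -> internet: allowed (administration, browsing).
        iifname "eth2" oifname { "eth1", "eth0" } accept

        # DMZ -> internet: NAT alone does not restrict outbound traffic, so limit the
        # web server to DNS and HTTP(S) for updates; no outbound FTP or anything else.
        iifname "eth1" oifname "eth0" udp dport 53 accept
        iifname "eth1" oifname "eth0" tcp dport { 80, 443 } accept

        # Anything else (DMZ -> LAN in particular) is logged, then hits policy drop.
        limit rate 10/minute log prefix "DMZ-FW DROP: "
    }
}
```

Load it with `nft -f` on the firewall host; the logged drops arrive in the kernel log, where a syslog collector such as the ones mentioned above can pick them up.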
