Security Forums
What is a DMZ and how do I build one?

sigsegv (Just Arrived; Joined: 15 Oct 2003; Posts: 1)
Posted: Mon Aug 30, 2004 5:15 pm

Just wanted to extend my sincerest thanks to you for posting this extremely useful article. I really appreciate your info-sharing attitude.
--sigsegv.
danielrm26 (Just Arrived; Joined: 06 Nov 2002; Posts: 1)
Posted: Tue Aug 31, 2004 5:51 pm    Post subject: Re: What to do in details

yaoweihung wrote:
1. Which Firewall product is more powerful, Check Point NG or Cisco PIX 506? I would like to know which Firewall I should set up as the internal Firewall.

2. If I want to set up a VPN for remote management purposes, where should this VPN server go and how do I set up these two Firewalls?

3. From your demonstration, you have both the DMZ and the internal Firewall connected to the same hub/switch. Would it be better if I have dual NICs in all servers located inside the DMZ? By doing this, I have my external Firewall connected to one subnet address (say, 192.168.1.xxx) and my internal Firewall connected to another subnet address (say, 192.168.2.xxx).

I prefer Check Point, for your first question; I don't have a lot of experience with PIX though, so I can't say it's bad. All I know is that the logging and therefore troubleshooting options on Check Point are far superior, in my opinion. As for features, I think Check Point wins there as well. All in all I think it's the better of the two, but I work with it every day and know not nearly as much about the PIX - so take that into account.

I'd suggest the simple solution of having your Internet-facing firewall be your VPN endpoint. I'd say that Check Point does this better as well, but staggering two vendors is better for security since getting past one doesn't easily lend to getting past the second. It's up to you which way you want to go with that.

As for your third question, I don't think having servers residing in both your protected and unprotected networks at the same time is a good idea. In general, if it's offered to the public directly it should go in the DMZ, and if it's a database server or internal mail server, it should either go in its own separate network off either another firewall or a port on the internal one, or it should go in your internal network. That decision is going to be based on the costs involved and how well you trust your internal users.

Hope this helps.
sigsegv (Just Arrived; Joined: 15 Oct 2003; Posts: 1)
Posted: Wed Sep 01, 2004 5:09 pm    Post subject: design of an e-commerce n/w setup.

Hi Daniel,
I've a small question after reading your excellent article on building a DMZ. Please excuse me if this is too basic.
According to your configuration, all machines in the DMZ will not be allowed to make connections to the internal n/w by the inside f/w.
Consider the case of an e-commerce site that has a login page and where all credentials about the member, credit card numbers etc. are stored in a database that is stored on the internal n/w. (I assume it should not be in the DMZ for obvious security reasons.) Now one will have to allow connections from the app. server on the DMZ to the database server to fetch the credentials. In this case compromising the web server on the DMZ would prove to be disastrous. How does one go about preventing this? What should be an ideal n/w configuration when designing and setting up an e-commerce setup? Thanks a zillion for your answers. --sigsegv.
danielrm26 (Just Arrived; Joined: 06 Nov 2002; Posts: 1)
Posted: Wed Sep 01, 2004 7:49 pm

For an eCommerce setup, you want to have a separate network for your app and database servers, and a pinhole for ODBC/JDBC and/or other application traffic is poked in the firewall protecting that segment to allow for that connectivity (from the DMZ to that network). This should be a separate network from the internal LAN where corporate users reside, and ONLY the front ends for these backend systems should be allowed to communicate with them. Also, using IPSEC for this traffic is a decent and often-used solution.
kantan (Just Arrived; Joined: 27 Oct 2004; Posts: 0; Location: London)
Posted: Wed Oct 27, 2004 8:58 am

What difference does it make if I directly connect my external firewall to the internal firewall rather than bypassing it via the DMZ hub/switch?

rgds / Karthik
danielrm26 (Just Arrived; Joined: 06 Nov 2002; Posts: 1)
Posted: Wed Oct 27, 2004 9:03 am

kantan wrote:
What difference does it make if I directly connect my external firewall to the internal firewall rather than bypassing it via the DMZ hub/switch?
Well, the purpose of a DMZ is to put machines in it. If you are just stacking firewalls that's giving you a potential for increased security but it's not speaking to the concept of a DMZ.
kantan (Just Arrived; Joined: 27 Oct 2004; Posts: 0; Location: London)
Posted: Thu Oct 28, 2004 12:38 pm

I think you've got my question wrong. The DMZ hub/switch exists and the respective servers that need to go in the DMZ are connected to the DMZ hub/switch. My concern now is... what happens if I connect the external firewall directly to the internal firewall rather than connecting it via the DMZ hub/switch? Does that compromise the security in any way?

rgds / Kantan
danielrm26 (Just Arrived; Joined: 06 Nov 2002; Posts: 1)
Posted: Fri Oct 29, 2004 6:32 pm

kantan wrote:
I think you've got my question wrong. The DMZ hub/switch exists and the respective servers that need to go in the DMZ are connected to the DMZ hub/switch. My concern now is... what happens if I connect the external firewall directly to the internal firewall rather than connecting it via the DMZ hub/switch? Does that compromise the security in any way?

What you are describing is a network completely separate from your internal or external firewalls. It's not a DMZ if it doesn't lie between a less-trusted and more-trusted network. Think of calling Japan a DMZ between North and South Korea. It can't be because it's not between the two.

In short, if you plug the internal to the external directly, you have nothing in between, and therefore no potential for a DMZ.
kantan (Just Arrived; Joined: 27 Oct 2004; Posts: 0; Location: London)
Posted: Tue Nov 02, 2004 8:16 am

I think that's answered my question mate. Thank you so very much for your help

Rgds / Kantan
Colonel_Panic (Just Arrived; Joined: 13 May 2004; Posts: 2)
Posted: Tue Nov 16, 2004 4:04 pm

Very good article. Thanks.

I have a situation at work that worries me somewhat, but I appear to be the only one...
I'm running two servers that need to be accessible both from internal network and from internet. They are placed on DMZ, which is supposedly well configured.
Well, anyway what troubles me is that all data for these systems is stored on these same servers, kind of like the e-commerce situation mentioned earlier.
This data is not absolutely critical but there is some (non-financial) personal data and other stuff that should not be seen/altered by the wrong people. I personally would prefer having the databases inside the secure network and accessing them with IPsec (as suggested in this thread), but the general policy seems to be to dump external, non-critical services outside (to the DMZ) and let them be somebody else's problem (my problem in the case of these two).

So, should I go and complain to someone or just accept the situation, trust the outer defences, do my best to secure the servers and pray?
danielrm26 (Just Arrived; Joined: 06 Nov 2002; Posts: 1)
Posted: Tue Nov 16, 2004 4:13 pm

As a general rule, you shouldn't ever put any database in the DMZ. What you should try for is keeping your front end in there (assuming you can't build separate networks for your front end, app servers, and databases) and then poke an IPSEC-secured pinhole back into your private network for your odbc/jdbc connectivity.

Regards,
Colonel_Panic (Just Arrived; Joined: 13 May 2004; Posts: 2)
Posted: Thu Nov 18, 2004 4:18 pm

I agree. But the upper-level admins don't want to poke any extra holes in the firewalls, and the lack of spare servers is an even bigger problem. It seems the systems I'm running are not considered very important.

By the way, IF I could remove databases from DMZ, how could I solve this problem:

Users need to use INSERT, SELECT, UPDATE and even DELETE (in other words, the php script access needs these privileges). If it happened that the webserver got rooted, how would it help if the db was inside the secure network? Whoever has root can change my php and mess with the data. So, is there even a theoretical possibility of securing the data against someone who manages to hack the webserver?
neewt (Just Arrived; Joined: 14 May 2004; Posts: 2; Location: Sweden)
Posted: Fri Nov 19, 2004 2:04 am

Colonel_Panic wrote:

Users need to use INSERT, SELECT, UPDATE and even DELETE (in other words, the php script access needs these privileges). If it happened that the webserver got rooted, how would it help if the db was inside the secure network? Whoever has root can change my php and mess with the data. So, is there even a theoretical possibility of securing the data against someone who manages to hack the webserver?


There has to be some sort of proxy that can do content filtering and therefore only allow valid traffic from the DMZ to the internal LAN. In this case, certain SQL commands. Anyone know of such an implementation?

Another thing. Say one would like to give access to, say, consultants and other third-party staff to the internal network. They have to have access to machines located inside the internal "protected" network, because it needs the entire environment that surrounds it (like databases, shares etc.), and therefore cannot be put in the DMZ. How would one implement such a solution..?
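The "content-filtering proxy" idea in the post above, sketched as an added example (this is not code from the thread or from any real proxy product): a statement-level allowlist that a database proxy between the DMZ front end and the internal database could apply. It gates on statement type and on the tables referenced, and denies anything it cannot classify. The policy contents, the `members`/`orders` table names and the sample statements are constructed for the illustration.

```python
"""
Statement-level allowlist for a DMZ -> internal database proxy.
Added example; not from the thread and not a real product's filter.
Assumption: the proxy sees one SQL statement at a time as text and is
configured with the verbs and tables the web front end legitimately uses.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# The verbs a web front end needs (INSERT, SELECT, UPDATE, DELETE as named in
# the thread).  DROP, ALTER, GRANT, CREATE and friends are administrative and
# simply do not appear on the list, so they are denied by default.
DEFAULT_VERBS: FrozenSet[str] = frozenset({"SELECT", "INSERT", "UPDATE", "DELETE"})


@dataclass(frozen=True)
class FilterPolicy:
    allowed_verbs: FrozenSet[str] = DEFAULT_VERBS
    allowed_tables: FrozenSet[str] = frozenset()
    max_length: int = 4096


# Table names following FROM / JOIN / INTO / UPDATE; good enough for the plain
# statements a front end issues, and anything it cannot classify is denied.
_TABLE_REF = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
# Comment markers are refused outright rather than parsed around (a literal
# containing "#" or "--" is therefore rejected too: deny by default).
_COMMENT = re.compile(r"--|/\*|#")


def check_statement(sql: str, policy: FilterPolicy) -> Tuple[bool, str]:
    """Return (allowed, reason) for one statement under `policy`."""
    if len(sql) > policy.max_length:
        return False, "statement too long"
    if _COMMENT.search(sql):
        return False, "comment markers not accepted"
    body = sql.strip().rstrip(";").strip()
    if not body:
        return False, "empty statement"
    if ";" in body:
        return False, "multiple statements"
    verb = body.split(None, 1)[0].upper()
    if verb not in policy.allowed_verbs:
        return False, f"verb {verb} not allowed"
    tables = {m.group(1).lower() for m in _TABLE_REF.finditer(body)}
    if not tables:
        return False, "no table reference found"
    denied = sorted(t for t in tables if t not in policy.allowed_tables)
    if denied:
        return False, "table(s) not allowed: " + ", ".join(denied)
    return True, "ok"


# Constructed policy for a hypothetical shop front end.
WEB_POLICY = FilterPolicy(allowed_tables=frozenset({"members", "orders"}))

if __name__ == "__main__":
    # Constructed sample statements, as a proxy might see them.
    for stmt in (
        "SELECT name, email FROM members WHERE id = 42",
        "UPDATE members SET email = 'a@b' WHERE id = 1",
        "DROP TABLE members",
        "SELECT * FROM members; DELETE FROM members",
        "SELECT secret FROM admin_keys",
    ):
        print(check_statement(stmt, WEB_POLICY), "<-", stmt)
```

This narrows what a compromised front end can ask the database for (no schema changes, no tables outside its own), which is the layering point made later in the thread; it does not make the allowed INSERT/UPDATE/DELETE traffic trustworthy, so it complements, rather than replaces, the database's own per-account privileges.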
danielrm26 (Just Arrived; Joined: 06 Nov 2002; Posts: 1)
Posted: Fri Nov 19, 2004 12:01 pm

Ideally, one would have a three tiered architecture for their web/app/db environment, and each would reside in their own network. Apache, Websphere, and Oracle, for example.

This could come in the form of three firewalls, but it's usually implemented with the multiple-NIC method. What this allows for is not only the isolation of the world from the database, but of the webserver from the database. So rather than have say IIS and Tomcat on one box talking to the database, you'll have Apache in the DMZ --> talking to Websphere in the app network --> talking to Oracle in the db network.

This offers additional protection vs. the direct attacks on the database from the webserver that resides in the DMZ, and I know of many top 10 companies that do just this. The coolest one does the entire thing in VMWare - Check Point boxes, servers, and all.

In the basic example of webserver talking to database on the private network, you get some benefit, but not as much. As mentioned, the webserver still can speak to the database which still equates to bad news in the event of a webserver compromise. This, however, is still superior to the database sitting in the DMZ where any number of other attacks could possibly be leveled at it. Using IPSEC to communicate to said database just makes it difficult for an attacker with access to the network (but not your webserver) to glean anything from the communication.

It's about layers really, and separating the webserver and database with a firewall is just one step. Beyond that you can separate the app server from the webserver and put them all in separate networks, use IPSEC to limit what holes need to be poked in the firewalls, etc. It just depends what your resources are.
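The three-tier layout in the post above (Apache in the DMZ, WebSphere in the app network, Oracle in the db network, with IPSEC on the database hop) as a zone-to-zone policy model. This is an added example, not the thread's or any vendor's configuration; the zone names, the port numbers (9080 for the app tier, 1521 for Oracle), the IKE/ESP rules and the first-match, default-deny semantics are assumptions made for the illustration. The point it adds is the check a practitioner wants after writing such rules: that no allow rule skips a tier, and that only the app zone can reach the database.

```python
"""
Zone-to-zone policy model for a DMZ / app / db layout.
Added example; not the thread's or any firewall vendor's configuration.
Zone names, ports and first-match semantics are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # zone the connection is initiated from
    dst: str              # zone the connection is going to
    proto: str            # "tcp", "udp", or "esp" (IPsec payload, no port)
    port: Optional[int]   # destination port; None for port-less protocols
    action: str           # "allow" or "deny"
    comment: str = ""


# Trust order, least trusted first.  An allow rule whose endpoints are not
# adjacent (internet -> app, dmz -> db) skips a layer of defence.
TIERS = ["internet", "dmz", "app", "db"]

# Constructed rule set: first match wins, unmatched traffic is denied.  Rules
# are stateful in the usual sense (replies to an allowed connection are
# implied), so there is no db -> app rule: the database never initiates.
THREE_TIER_RULES: List[Rule] = [
    Rule("internet", "dmz", "tcp", 443, "allow", "public HTTPS to the Apache front end"),
    Rule("internet", "dmz", "tcp", 80, "allow", "public HTTP to the Apache front end"),
    Rule("dmz", "app", "tcp", 9080, "allow", "front end to WebSphere (port assumed)"),
    Rule("app", "db", "udp", 500, "allow", "IKE for the IPsec-protected DB pinhole"),
    Rule("app", "db", "esp", None, "allow", "IPsec ESP carrying the Oracle traffic"),
    Rule("app", "db", "tcp", 1521, "allow", "Oracle listener, if the hop is not tunnelled (port assumed)"),
]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             port: Optional[int]) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule); default deny when nothing matches."""
    for rule in rules:
        if (rule.src, rule.dst, rule.proto) != (src, dst, proto):
            continue
        if rule.port is None or rule.port == port:
            return rule.action, rule
    return "deny", None


def find_tier_bypass(rules: List[Rule], tiers: List[str]) -> List[Rule]:
    """Allow rules whose endpoints are not adjacent tiers, i.e. a skipped layer."""
    position = {zone: i for i, zone in enumerate(tiers)}
    return [
        r for r in rules
        if r.action == "allow"
        and r.src in position and r.dst in position
        and abs(position[r.src] - position[r.dst]) != 1
    ]


def zones_that_reach(rules: List[Rule], zone: str) -> Set[str]:
    """Every zone with at least one allow rule into `zone`."""
    return {r.src for r in rules if r.action == "allow" and r.dst == zone}


if __name__ == "__main__":
    print(evaluate(THREE_TIER_RULES, "internet", "dmz", "tcp", 443)[0])  # allow
    print(evaluate(THREE_TIER_RULES, "dmz", "db", "tcp", 1521)[0])       # deny
    print(find_tier_bypass(THREE_TIER_RULES, TIERS))                     # []
    print(zones_that_reach(THREE_TIER_RULES, "db"))                      # {'app'}
    # A "convenient" shortcut from the web tier straight to the database is
    # exactly what the audit is there to catch.
    shortcut = Rule("dmz", "db", "tcp", 1521, "allow", "shortcut added under time pressure")
    print(find_tier_bypass(THREE_TIER_RULES + [shortcut], TIERS) == [shortcut])  # True
```

The same `find_tier_bypass` check works for the simpler two-tier case discussed earlier in the thread (tiers `["internet", "dmz", "internal"]`): there the DMZ-to-internal database pinhole is between adjacent tiers and passes, which is the "some benefit, but not as much" trade-off the post describes.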
danielrm26 (Just Arrived; Joined: 06 Nov 2002; Posts: 1)
Posted: Fri Nov 19, 2004 12:14 pm

neewt wrote:
Another thing. Say one would like to give access to, say, consultants and other third-party staff to the internal network. They have to have access to machines located inside the internal "protected" network, because it needs the entire environment that surrounds it (like databases, shares etc.), and therefore cannot be put in the DMZ. How would one implement such a solution..?

You'd determine exactly what needed to be accessed by them and find a way to host it separately from your main assets. Then, you'd implement a strong, multi-factor authentication system for the VPN they use to get into that separate network. So, you can only access a, b, or c if you are in group y.

Most high-security areas that I have seen and heard about have simple rules about vendors and contractors and free rein over the network -- it doesn't happen. Those users are either given extremely limited access to the real system, or they aren't given any access to the real thing at all.

If you are in a situation where you are being asked to give people full access to the critical data on your network (and you've already voiced your concerns), I'd take a strong look at how your data is protected in terms of access control. Is it all or nothing? Is it everyone read/write? NTFS? FAT? Are they Unix boxes? Figure out how control can be properly compartmentalized in an RBAC fashion, and look at doing as much of that as possible before allowing access. Then implement your VPN solution (using strong authentication) to ensure that each user is seeing exactly what (and only what) they should be.
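The access model in the post above ("you can only access a, b, or c if you are in group y", behind a multi-factor VPN into a separate network), written out as an added example; it is not the thread's code or any product's policy engine. The group names, the resources, the `partner`/`corp` network labels and the session fields are constructed for the illustration. Besides the deny-by-default decision, it includes the audit the post suggests doing first: finding the "all or nothing" grants that give a group read/write on everything.

```python
"""
Group-scoped access decisions for contractor VPN users.
Added example; not the thread's code or a real product's policy engine.
Groups, resources, network labels and session fields are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed policy: group -> set of (resource, action) grants.  Anything not
# granted is denied.  A resource of "*" is the "everyone read/write on
# everything" pattern the audit below is meant to surface.
GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "employees":    {("shares/team", "read"), ("shares/team", "write"), ("db/orders", "read")},
    "vendor_x":     {("shares/vendor-x", "read"), ("shares/vendor-x", "write"), ("db/orders", "read")},
    "legacy_admin": {("*", "read"), ("*", "write")},
}
MEMBERSHIP: Dict[str, Set[str]] = {
    "alice": {"employees"},
    "contractor-bob": {"vendor_x"},
    "old-svc": {"legacy_admin"},
}
# Vendor/contractor groups are only ever admitted to the separate partner
# network that hosts what they need; they never land on the corporate LAN.
CONTRACTOR_GROUPS: Set[str] = {"vendor_x"}


@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool   # second factor completed at the VPN gateway
    network: str         # segment the VPN placed the user in: "partner" or "corp"


def can_access(session: Session, resource: str, action: str) -> bool:
    """Deny by default; allow only with MFA, the right segment and a matching grant."""
    if not session.mfa_verified:
        return False
    groups = MEMBERSHIP.get(session.user, set())
    if not groups:
        return False
    if groups & CONTRACTOR_GROUPS and session.network != "partner":
        return False  # contractor session outside the partner segment
    for group in groups:
        grants = GRANTS.get(group, set())
        if (resource, action) in grants or ("*", action) in grants:
            return True
    return False


def audit_wildcard_grants(grants: Dict[str, Set[Tuple[str, str]]]) -> List[str]:
    """Groups holding an all-resources grant: review these before opening any access."""
    return sorted(g for g, rules in grants.items() if any(res == "*" for res, _ in rules))


if __name__ == "__main__":
    print(can_access(Session("contractor-bob", True, "partner"), "shares/vendor-x", "write"))  # True
    print(can_access(Session("contractor-bob", True, "partner"), "shares/team", "read"))       # False
    print(can_access(Session("contractor-bob", True, "corp"), "shares/vendor-x", "read"))      # False
    print(can_access(Session("alice", False, "corp"), "shares/team", "read"))                  # False
    print(audit_wildcard_grants(GRANTS))                                                       # ['legacy_admin']
```

The decision function reflects the ordering the post recommends: compartmentalise the data first (`GRANTS` per group, and the wildcard audit to find what is still all-or-nothing), then let the VPN, with strong authentication, place each user where they can see exactly what they should.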
neewt (Just Arrived; Joined: 14 May 2004; Posts: 2; Location: Sweden)
Posted: Fri Nov 19, 2004 12:26 pm

danielrm26 wrote:
Ideally, one would have a three tiered architecture for their web/app/db environment, and each would reside in their own network. Apache, Websphere, and Oracle, for example.


This sounds like a good idea if the purpose is running, say, the above-mentioned e-commerce thingy. If I take my problem (the need for external access to corporate computers on the private LAN) and compare that with your three-tiered example, I would say the internal LAN would be put at the back, on its own segment. However, if you then want to give access to computers in this segment (that's equal to physical access, say Citrix), this computer also needs to be able to access the database (in your example Oracle). Isn't this a huge problem? It'll be like bypassing all layers of defense..

danielrm26 wrote:

This offers additional protection vs. the direct attacks on the database from the webserver that resides in the DMZ, and I know of many top 10 companies that do just this. The coolest one does the entire thing in VMWare - Check Point boxes, servers, and all.


This sounds kinda neat, can you please describe the set-up a little further?

Thanks
Cheers
All times are GMT + 2 Hours
Page 2 of 4