Security Forums

What is a DMZ and how do I build one?

Networking/Security Forums Index -> Firewalls // Intrusion Detection - External Security

Colonel_Panic
Joined: 13 May 2004
Posts: 2
Posted: Fri Nov 19, 2004 4:11 pm


neewt wrote:
There has to be some sort of proxy that can do content filtering and therefore just allow valid traffic from DMZ to internal LAN. In this case, certain SQL commands. Anyone know of such an implementation?

Databases and individual tables can be set to accept only certain commands. For example, it is possible to set a rule that a user connecting through a TCP/IP socket can only use SELECT (create a user that is the only user that can connect remotely and give that user access to certain tables and certain commands only), but like I said, I have to allow pretty much all commands...
Useless setting of course if the db is on the same machine and somebody roots it.

In any case, the situation is that the people in charge of the internal network don't want to have ANY connection from the DMZ and they don't want to give away an additional server either.

I'll memorize this information for the future. Maybe one day I get a chance to implement something like this.

gsnatesh
Joined: 31 Jan 2005
Posts: 0
Posted: Mon Jan 31, 2005 7:58 pm    Post subject: DMZ to intranet


Hi danielrm26,

I really appreciate your time and effort in writing this article. I'd like to set up a similar 2-firewall network. From the information I have learnt and gathered, I have made up my mind to set up the following, as shown in the image http://www.avantec.ch/pix/dmz.gif

My understanding is that the web server in the DMZ will be in a separate subnet with a default gateway of the IP address of the external firewall's internal NIC, and the DNS server IP addresses are those of the ISP.

Question: How would a server on the DMZ communicate with the intranet, assuming the DMZ and intranet have different subnets? Also, the server(s) in the DMZ have a default gateway of the IP address of the external firewall's internal NIC and the DNS server IP addresses are those of the ISP.

I'm not sure if my assumption is correct. If not, please guide me on how the data traffic would flow from the DMZ to the intranet.

Thank you in advance.

danielrm26
Joined: 06 Nov 2002
Posts: 1
Posted: Mon Jan 31, 2005 8:08 pm    Post subject: Re: DMZ to intranet


gsnatesh wrote:
Question: How would a server on the DMZ communicate with the intranet, assuming the DMZ and intranet have different subnets?

Communication from within the LAN is often allowed to the DMZ, but the concept of the DMZ is for traffic originating from it not to be allowed into the more trusted networks, i.e. your LAN.

Remember though, if you are on the inside LAN and you want to speak to a DMZ server, you can have a rule on the internal firewall that allows this. You don't need a separate rule allowing the return traffic back into the LAN; that's already taken care of.

Does this help, or did I miss the question?

gsnatesh
Joined: 31 Jan 2005
Posts: 0
Posted: Mon Jan 31, 2005 8:31 pm


Thank you for your reply. I understand what you are saying. My question, though, could be better explained this way.

Let's say I have a web server in the DMZ. To give access to an internet user, I'd allow port 80 to the web server in my external firewall. If the website application has to request some data from the database server (located in my LAN), then I'd have to allow a port in my internal firewall to access the db server. I'd be better off setting up this communication using IPsec, as you mentioned earlier.

The web server has a different subnet from my LAN. The web server's NIC has a unique IP in the DMZ zone and a default gateway of the IP address of the outer firewall's internal NIC. Also, the DNS server IP address configured in the web server would be the ISP's DNS server.

If the web server has to resolve an IP or a name (the IP/name of my db server, which is in a different subnet), won't the web server ask the default gateway (the outer firewall's internal NIC) to resolve this, which would have no idea what this address is and would forward the request to the ISP's DNS server?

How do I configure the web server's NIC so that it could resolve a server name which is located in my internal LAN?
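An added illustration (not code from the thread or from any poster) of the internal-firewall rules the two posts above circle around: the LAN may open connections into the DMZ, return traffic is covered by connection state, and the only DMZ-originated flow let through is the web server talking to the database. The script emits the policy in iptables-restore format so it can be reviewed before loading. Interface names, addresses and the database port are assumptions.

```shell
# Added example: generate the internal firewall's FORWARD policy as
# iptables-restore text. Assumed topology (all values constructed):
#   eth0 = interface facing the DMZ,  eth1 = interface facing the LAN
DMZ_IF="eth0"; LAN_IF="eth1"
DMZ_WEB="192.0.2.10"      # web server in the DMZ
LAN_DB="10.0.0.20"        # database server in the LAN
DB_PORT="3306"            # assumed MySQL port; adjust for your database

internal_fw_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT is left at DROP here; add your own management-access rules.
# Return traffic for connections already allowed, in either direction.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may open connections into the DMZ (admin access, browsing the web server).
-A FORWARD -i $LAN_IF -o $DMZ_IF -m conntrack --ctstate NEW -j ACCEPT
# The one DMZ-originated flow that is needed: web server -> DB server.
-A FORWARD -i $DMZ_IF -o $LAN_IF -s $DMZ_WEB -d $LAN_DB -p tcp --dport $DB_PORT -m conntrack --ctstate NEW -j ACCEPT
# Everything else originating in the DMZ is logged (rate-limited) and dropped by policy.
-A FORWARD -i $DMZ_IF -o $LAN_IF -m limit --limit 5/min -j LOG --log-prefix "DMZ->LAN denied: "
COMMIT
EOF
}

# Self-check: how many NEW-connection exceptions does the policy grant
# from DMZ to LAN? This number should stay very small.
dmz_to_lan_exceptions() {
  internal_fw_rules | grep -c -- "-i $DMZ_IF -o $LAN_IF .*--ctstate NEW -j ACCEPT"
}

# Stand-alone run: print the ruleset for review.
internal_fw_rules
```

Load it with `internal_fw_rules | iptables-restore -n` only after reviewing the output; `iptables-restore -n` keeps the tables' other existing chains untouched.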

danielrm26
Joined: 06 Nov 2002
Posts: 1
Posted: Mon Jan 31, 2005 11:31 pm


Unless there is just a whole lot of hosts, I'd probably just use a hosts file. Is that not an option?

UnaBomber
Joined: 03 Jan 2004
Posts: 0
Location: Amsterdam, Netherlands
Posted: Tue Feb 01, 2005 12:30 am


danielrm26 wrote:
Aflack wrote:
Would it be too much trouble if you could point me to, or draw out, this layout of the DMZ security settings? It would be a lot easier if I could picture what was being mentioned above.

This is a "sandwich" DMZ -- the one that I prefer, and the one that offers more security than the "multi-NIC" approach.

Why would you use a hub here? A more secure method surely would be using a content switch, so you can put different services in different areas and create a more defined ACL structure... i.e. only allow DNS traffic to your DNS servers isolated within one subnet, only allow FTP to your FTP server subnet....

Anyway, your diagram is good; this is a typical NOC setup, similar to the one we have!

edit: ahhh, I see this thread isn't geared towards enterprise situations.

danielrm26
Joined: 06 Nov 2002
Posts: 1
Posted: Tue Feb 01, 2005 6:08 am


Not only that, but switch security isn't all that strong anyway. They can often be poisoned into becoming hubs relatively easily, and since having a hub allows me to deploy an IDS easier, i.e. without an expensive switch that has a mirror port, I prefer to go with a hub at home.

UnaBomber
Joined: 03 Jan 2004
Posts: 0
Location: Amsterdam, Netherlands
Posted: Wed Feb 02, 2005 4:14 pm


A content switch is a layer 3 and above switch; it is a router using a fast switching process... I fail to understand how this can be poisoned to become a hub?

Cisco switches are very difficult to flood (I presume you are talking about MAC flooding and ARP poisoning) once you have deployed CIS (Cisco Integrated Security), which limits the number of MAC addresses that can be learned at a given port... preventing CAM manipulation.

here for more details

danielrm26
Joined: 06 Nov 2002
Posts: 1
Posted: Wed Feb 02, 2005 5:31 pm


UnaBomber wrote:
Cisco switches are very difficult to flood (I presume you are talking about MAC flooding and ARP poisoning) once you have deployed CIS (Cisco Integrated Security), which limits the number of MAC addresses that can be learned at a given port... preventing CAM manipulation.

I see; I was not aware of this technology. Well, for a corporate environment this may well be an option.

Thanks for the info.

Colonel_Panic
Joined: 13 May 2004
Posts: 2
Posted: Sat Feb 05, 2005 5:09 pm


I'm starting to get really annoyed by my superiors... not only do I still have all the critical stuff on the servers in the DMZ, but I had a new issue: one of the two servers was getting a lot of SSH root attempts, so I asked why the external firewall is allowing that and they said "OK, that's not how it is supposed to be, we'll plug the hole". That never happened, and as the attempts increased, I asked again. "Oh, we forgot" was the reply and they STILL did not fix it. So I took the matter into my own hands and edited iptables (on the server) myself, which is something I'm not very experienced in... Don't know if it's OK now, but at least the root attempts seem to have stopped. Doesn't all this practically defeat the whole purpose of a DMZ? I should be paid for all the security stuff I had to do when nobody else cares.
Am I supposed to pentest everything from home in my own time with no pay???
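An added example, not from the thread or any poster, of how the SSH root-login hammering described above shows up in the DMZ server's own logs and how to turn it into evidence: it counts failed root logins per source address from sshd's auth log and flags sources above a threshold. The log lines are constructed samples in standard OpenSSH syslog format; the addresses are documentation ranges.

```shell
# Added example: detect SSH root brute-force sources from auth-log lines.
# Constructed sample log (hostname, PIDs and addresses are made up).
SAMPLE_AUTH_LOG='Feb  5 14:02:11 dmzweb sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb  5 14:02:14 dmzweb sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb  5 14:02:19 dmzweb sshd[2215]: Failed password for invalid user admin from 198.51.100.9 port 40110 ssh2
Feb  5 14:02:23 dmzweb sshd[2218]: Failed password for root from 203.0.113.7 port 51030 ssh2
Feb  5 14:02:40 dmzweb sshd[2220]: Accepted publickey for deploy from 192.0.2.12 port 50200 ssh2
Feb  5 14:03:01 dmzweb sshd[2223]: Failed password for root from 198.51.100.9 port 40120 ssh2'

# Read auth-log lines on stdin; print "<count> <ip>" for every source that
# failed a password login as root, busiest source first. Lines for other
# accounts (e.g. "invalid user admin") and successful logins are ignored.
failed_root_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for (invalid user )?root from / {
         for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
         count[ip]++
       }
       END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Print only the sources at or above a threshold: the list to hand to
# whoever owns the external firewall, or to feed a host rule in the meantime.
noisy_sources() {
  threshold="$1"
  failed_root_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample (real use: pipe in /var/log/auth.log).
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_root_by_ip
```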

danielrm26
Joined: 06 Nov 2002
Posts: 1
Posted: Sat Feb 05, 2005 5:26 pm


For the technical part of your question, yes, it's best to limit outbound traffic from the DMZ to only traffic that is needed. Deny all, allow only a few things.

As for the politics, what you're seeing largely represents most companies. Most people just don't care about security until it's absolutely forced on them.

Being proactive like you have been will likely go unnoticed. All you can hope for is a manager that knows something about security but lacks the skills to do anything about it. People like this are likely to respect and value what you bring to the table.

Unfortunately, managers like this are very rare.

Good luck to you.

progjm
Joined: 19 Aug 2003
Posts: 0
Posted: Sat Feb 05, 2005 7:16 pm


Well, look at it this way. If something goes wrong then you are the first to get blamed, but if you keep everything locked down then they won't be there driving down your neck. So, being unnoticed, or being blamed for everything?

xathras
Joined: 12 Apr 2004
Posts: 2
Posted: Thu Feb 24, 2005 5:17 pm


Is this post your own work or an extract from elsewhere? I have seen this before, not on this site, but for the life of me cannot track it down.

danielrm26
Joined: 06 Nov 2002
Posts: 1
Posted: Thu Feb 24, 2005 5:29 pm


xathras wrote:
Is this post your own work or an extract from elsewhere? I have seen this before, not on this site, but for the life of me cannot track it down.

Yes, it's my work. You probably saw it on New Order, which is where I posted it first. You'll notice it was posted under "danielrm26" in both places. Google (http://www.google.com) can show you this information if you enter the string "danielrm26" and "DMZ" into the search field and either press "enter" or click the search button.

Regards,

xathras
Joined: 12 Apr 2004
Posts: 2
Posted: Thu Feb 24, 2005 5:47 pm


danielrm26 wrote:
xathras wrote:
Is this post your own work or an extract from elsewhere? I have seen this before, not on this site, but for the life of me cannot track it down.

Yes, it's my work. You probably saw it on New Order, which is where I posted it first. You'll notice it was posted under "danielrm26" in both places. Google (http://www.google.com) can show you this information if you enter the string "danielrm26" and "DMZ" into the search field and either press "enter" or click the search button.

Regards,

lol, at least it shows that I paid attention to the info

danielrm26
Joined: 06 Nov 2002
Posts: 1
Posted: Thu Feb 24, 2005 5:49 pm


xathras wrote:
lol, at least it shows that I paid attention to the info

True.

All times are GMT + 2 Hours
Page 3 of 4