OT: DMZ explained?
David Bandel
Fri Jan 12 13:49:34 PST 2007
On 1/12/07, Rick Bowers <rwbowers at gmail.com> wrote:
>
> I hope this is not too off-topic. It seems there are several well-versed
> people on this list, though, that can answer this for me.
>
> I asked our (outsourced) IT team at work to set up two servers for me. One
> is a web server that needs to be accessible world-wide. The second is a data
> server that should be protected and inside the firewall. The web server
> needs to communicate with the data server only through a specific TCP/IP
> port (nn). The protocol is proprietary. So, allowing access on this port
> through the firewall is not a security risk (as much as that is possible).
>
> My request should look something like this:
>
> [web server]<-----port nn----->[Firewall]<-----port nn----->[data server]
>                                     |
>                                     |<-----various ports----->[other servers on the internal network]
>
>
> This is how I set things up in my prior company, where I had access to, and
> control over, the servers.
>
> I was told that we cannot put ANY servers outside the firewall, and that
> the "external" servers must be in the DMZ.
>
> Okay, I can live with that. No problem. So now, I'm thinking things look
> like this:
>
>                  |-------DMZ-------|
> [Firewall]<----->[web server]<----->[data server]
>     |
>     |<-----various ports----->[other servers on the internal network]
>
> But, they only gave me access through the firewall to port 80 on the web
> server (AFTER access failed and I had them open THAT port). So they gave me
> this:
>
>                              |-------------DMZ-------------|
> [Firewall]<-----port 80----->[web server]<-----port nn----->[data server]
>     |
>     |<-----various ports----->[other servers on the internal network]
>
> Now, I thought a DMZ contained a host (or hosts) that pretty much had full
> access to the outside world. They, in turn, can limit access to hosts
> connected to them. Is it normal to restrict DMZ-based hosts to specific
> ports? And that tightly (i.e. port 80 ONLY)?
>
> In the setup I was provided, why are they claiming my web server is "in the
> DMZ"? Isn't it really just another host on the internal network with access
> only to port 80?
>
> And why did they limit my internal [data server] to ONLY access on my
> specified port? Why not open it up to full access? It is inside the
> firewall...
>
> From everything I've read, a DMZ is implemented more as a 3-legged
> configuration, not an in-line configuration. For example, my home network is
> set up something like this:
>
>
>                  |--------------------DMZ--------------------|
> [router/firewall]<-----192.168.x.10----->[web/ftp/mail server]
>         |
>         |<-----192.168.x.y----->[other servers on the internal network]
>
>
> My question: Does the way they set up my configuration make sense?
>
> Thanks, all.
>
The way they set it up does not make good sense. Firewalls with only
two interfaces (old firewalls) weren't really created for a DMZ
(except the antiquated DMZ outside the firewall).
The way you should set up a firewall today is with one external
interface and two internal ones -- one trusted, through which _no_
traffic can enter directly from the outside, and one untrusted, which
accepts external incoming connections and then, if need be, that
server (or servers) connects to a database server on the trusted
network.
So you may have:
  eth0: public IPs
  DMZ eth1: private IPs, but access ported through the firewall
  trusted eth2: private IPs on a different network from eth1 (not
  bridged) and only connections ported inside from DMZ systems where
  absolutely necessary.
The DMZ must be monitored for intrusions.
As attackers become more sophisticated, we need to make things
progressively harder. The script kiddies will usually move on. The
only real defense against a determined attack by a good systems
engineer is to disconnect and box up the system, put it in a closet
and have a guard sit on it. Not much good then, though.
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto
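The three-interface layout David describes, written out as an nftables ruleset. This is an added example, not anything posted in the thread; it assumes the interface names he gives (eth0 public, eth1 DMZ, eth2 trusted), constructed addresses 10.1.0.10 for the web server and 10.2.0.20 for the data server, and leaves the proprietary port "nn" as a placeholder to fill in:

```nft
#!/usr/sbin/nft -f
# Three-interface firewall: added example, not from the thread.
# Addresses are constructed; "nn" is a placeholder for the proprietary port.
flush ruleset

define wan  = "eth0"        # external interface, public IPs
define dmz  = "eth1"        # DMZ segment, private IPs
define lan  = "eth2"        # trusted segment, a separate network, not bridged to eth1
define web  = 10.1.0.10     # DMZ web server (constructed address)
define data = 10.2.0.20     # trusted data server (constructed address)
define nn   = 0             # PLACEHOLDER: replace with the proprietary port "nn"

table inet fw {
    # Traffic to the firewall itself: only the trusted side may talk to it.
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname $lan accept
    }

    # Traffic crossing the firewall. Default is drop, so anything not listed
    # here (in particular outside -> trusted) never gets through.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Outside -> DMZ: only the published web service, only to the web host.
        iifname $wan oifname $dmz ip daddr $web tcp dport 80 accept

        # DMZ -> trusted: only the web server, only to the data server, only port nn.
        iifname $dmz oifname $lan ip saddr $web ip daddr $data tcp dport $nn accept

        # Trusted -> anywhere may initiate; replies return via the ct state rule.
        iifname $lan accept

        # Everything else the DMZ tries is logged before it is dropped, so a
        # compromised DMZ host probing the trusted network shows up in the log.
        iifname $dmz log prefix "dmz-denied: " drop
    }
}
```

Note that the DMZ host gets no outbound path to the internet here; that is deliberate, and should be opened only for what it actually needs (package updates, for instance) rather than wholesale.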