 
From: Bennett Todd (bet@rahul.net)
Date: Wed Oct 10 2001 - 09:48:33 CDT

    [ Sorry about joining in late ]

    2001-10-04-17:07:20 Rob Collins:
    > The DMZ network (figure 1.6), maps well to the IDS Zone Theory
    > Diagram by Scott Sanchez, and makes perfectly good sense to
    > me. But the practice suggests, as more secure, a dual firewall
    > with DMZ network architecture (figure 1.7). It does not provide
    > details as to why this architecture is considered to be of
    > increased effectiveness.

    As a general rule, when defining an internet point of presence,
    you want to have a tightly-administered handful of very hardened
    servers with very very efficient connectivity to and from the
    internet, allowing incoming connections from the internet for select
    protocols. These are your public servers. Ideally you offer only a
    very very short list of protocols, each from completely separate
    hosts or groups of hosts: smtp, http[s], DNS, possibly some VPN
    termination.

    In addition, you want to have very limited and exceedingly strictly
    controlled outbound-only connectivity from the inside net to the
    internet.

    There are two very basic firewall technologies in common use
    (although I'll admit the once-sharp line between them is beginning
    to blur a little); they are packet filters and proxies. Packet
    filters, by and large, are simpler and faster. Proxies generally
    protect against more subtle attacks (particularly since they
    completely reconstruct the IP headers from scratch, rather than
    passing them on through), and provide more sophisticated analysis
    (since the analysis is being performed after fragment reassembly and
    reconstruction of TCP data streams).

    A very good fit is to have packet filtering between the internet
    and your DMZ; it is configured to prevent address forgery (ingress
    and egress filtering), and to block all access to any ports that
    don't actually need to receive packets. You can also (as always,
    when packet filtering) make sure you've got rules to toss short
    fragments, nonsense flag combinations, etc. If you're using
    stateless packet filtering (e.g. typical router ACLs) then you can
    still do good work blocking on TCP SYN incoming, and blocking most
    UDP. I tend to favour router w/ ACLs as the external firewall.

    Another very good fit, at least in highest-security settings, is to
    arrange to allow _only_ proxied traffic between the inside network
    and the internet. This also simplifies the engineering optimization
    of allowing you to use non-public (RFC-1918) address space for your
    inside net; proxies are among other things a very complete NATting
    solution.

    An additional security benefit you get for free with this picture is
    the use of two radically different firewall technologies in cascade.
    An attacker wanting to break in has to do so through only the
    connectivity flows you've left open in your external packet filter,
    and has then to mount an attack on a hardened bastion host and break
    through it to get at your inside net.

    -Bennett

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE7xF/BHZWg9mCTffwRAqC6AKC7/zPXYCODgUeb7L3CVyZKvy5HaACfX3SJ
    Pe4nbDpdeI5aigyqgFWnPw8=
    =iQeL
    -----END PGP SIGNATURE-----
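The two rule sets Bennett describes, a stateless packet filter on the router between the internet and the DMZ (anti-forgery ingress/egress rules, short-fragment and nonsense-flag checks, inbound SYN only to the listed public services, most UDP blocked) and a proxy-only policy between the inside net and the DMZ, written out as a small Python evaluator. This is an added illustration, not code from the post or from Neohapsis; the addresses (203.0.113.0/24 as the DMZ, RFC 1918 space inside), the one-host-per-service layout, the proxy host and its port 3128 are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology (assumed for this example, not from the post).
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")        # documentation range standing in for public space
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918, used on the inside net
# One service per DMZ host: the short list of protocols the post recommends.
PUBLIC_SERVICES = {
    ("tcp", 25):  ipaddress.ip_address("203.0.113.10"),   # smtp
    ("tcp", 80):  ipaddress.ip_address("203.0.113.20"),   # http
    ("tcp", 443): ipaddress.ip_address("203.0.113.20"),   # https
    ("udp", 53):  ipaddress.ip_address("203.0.113.30"),   # DNS
}
PROXY_HOST = ipaddress.ip_address("203.0.113.40")        # assumed bastion proxy the inside net must use
PROXY_PORTS = {("tcp", 3128)}                            # assumed proxy listener
IP_HDR, TCP_HDR = 20, 20                                 # minimum header sizes in bytes
BAD_FLAG_SETS = [frozenset(), frozenset({"SYN", "FIN"}), frozenset({"SYN", "RST"}),
                 frozenset({"FIN", "PSH", "URG"})]       # null, SYN/FIN, SYN/RST, "xmas"


@dataclass
class Packet:
    iface: str                      # "outside", "dmz" or "inside": where the packet arrived
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)  # TCP flags (first fragment only)
    frag_offset: int = 0            # IP fragment offset in 8-byte units
    more_frags: bool = False        # IP MF bit
    ip_len: int = 1500              # total length of this IP datagram


def outer_filter(p: Packet) -> tuple[str, str]:
    """Stateless ACL on the router between the internet and the DMZ."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    # 1. Anti-forgery: ingress (outside claiming our addresses), egress (DMZ sending as someone else).
    if p.iface == "outside" and (src in DMZ_NET or any(src in n for n in PRIVATE_NETS)):
        return "DROP", "ingress-spoof"
    if p.iface == "dmz" and src not in DMZ_NET:
        return "DROP", "egress-spoof"
    # 2. Fragment sanity: a first fragment too short to hold the TCP header, or a fragment at
    #    offset 1 that would overwrite the TCP header, is tossed (the RFC 1858 rules).
    if p.proto == "tcp":
        if p.frag_offset == 0 and p.more_frags and p.ip_len < IP_HDR + TCP_HDR:
            return "DROP", "short-fragment"
        if p.frag_offset == 1:
            return "DROP", "short-fragment"
    # 3. Nonsense TCP flag combinations (only a first fragment carries flags).
    if p.proto == "tcp" and p.frag_offset == 0 and p.flags in BAD_FLAG_SETS:
        return "DROP", "bad-flags"
    # 4. DMZ hosts may initiate connections to the internet.
    if p.iface == "dmz":
        return "ALLOW", "outbound"
    # 5. Inbound: only to DMZ addresses, and new connections only to the listed services.
    if dst not in DMZ_NET:
        return "DROP", "not-dmz"
    if p.frag_offset > 0:
        # Ports are invisible in later fragments; a stateless filter cannot judge them.
        return "ALLOW", "fragment-passthrough"
    if p.proto == "tcp":
        if "SYN" in p.flags and "ACK" not in p.flags:   # a new connection attempt
            if PUBLIC_SERVICES.get(("tcp", p.dport)) == dst:
                return "ALLOW", "public-service"
            return "DROP", "no-service"
        return "ALLOW", "established"   # ACK-bearing packets pass: the router 'established' idiom
    if p.proto == "udp":
        if PUBLIC_SERVICES.get(("udp", p.dport)) == dst:
            return "ALLOW", "public-service"
        return "DROP", "udp-blocked"
    return "DROP", "default-deny"


def inner_filter(p: Packet) -> tuple[str, str]:
    """Policy between the inside net and the DMZ: only proxied traffic, nothing direct."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if p.iface == "inside":
        if not any(src in n for n in PRIVATE_NETS):
            return "DROP", "egress-spoof"
        if dst == PROXY_HOST and (p.proto, p.dport) in PROXY_PORTS:
            return "ALLOW", "to-proxy"
        return "DROP", "must-use-proxy"   # the inside net has no direct path to the internet
    # From the DMZ side only proxy replies (ACK-bearing, not SYN) reach inside hosts.
    if (src == PROXY_HOST and any(dst in n for n in PRIVATE_NETS) and p.proto == "tcp"
            and "ACK" in p.flags and "SYN" not in p.flags):
        return "ALLOW", "proxy-reply"
    return "DROP", "no-inbound-to-inside"


if __name__ == "__main__":
    # Constructed sample packets walked through both filters.
    for pkt in (Packet("outside", "10.1.2.3", "203.0.113.20", "tcp", 80, frozenset({"SYN"})),
                Packet("outside", "198.51.100.5", "203.0.113.20", "tcp", 80, frozenset({"SYN"})),
                Packet("outside", "198.51.100.5", "203.0.113.20", "tcp", 80, frozenset({"SYN", "FIN"})),
                Packet("outside", "198.51.100.5", "203.0.113.30", "udp", 53)):
        print(pkt.src, "->", pkt.dst, outer_filter(pkt))
    print(inner_filter(Packet("inside", "10.0.0.5", "198.51.100.9", "tcp", 80, frozenset({"SYN"}))))
```

The cascade is visible in the two functions: an attacker on the internet sees only the SYN/UDP openings `outer_filter` leaves, and even a compromised DMZ host is held off the inside net by `inner_filter`, which admits nothing but ACK-bearing replies from the proxy. The `fragment-passthrough` branch is the honest limitation of a stateless filter; reassembling fragments and streams before judging them is exactly what the proxy layer adds.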