On Wed, 16 Jun 1999, Tarkan Hocaoglu wrote:
> Hello,
>
> I'm building a firewall with :
>
> - An exterior router which connects Internet to DMZ.
Hopefully with lots of filtering rules; this is your first line of defense.
> - A bastion and an HTTP server on the DMZ.
An alternative, depending on what you allow to the HTTP server through
the screening router, and how much you trust the OS and only screening
router protection is to make a "service network" with a third interface
off of the bastion to host the HTTP server. The rules will be more
complex on the bastion, but it may (depending on the bastion) offer a
measure more protection for the HTTP server.
> - An interior router which connects DMZ to internal network.
I prefer to add screening rules here too whenever possible. That means that
a compromised internal host can only use exposed services, and not attack
the bastion.
> The bastion host runs an HTTP proxy.
I like proxies much more than I like filters for bastions. Logging
filter violations there also means catching trojans not smart enough to
use the proxy or users with a little too much creative time on their hands.
> It's obvious that all outgoing traffic must pass through the proxy, but for
> incoming packets, should I route them to the proxy ? Or is it correct to
> send them directly to the HTTP server ?
To the HTTP server if it's on the same network as the bastion, to the
proxy if you build a service network.
> From a security point of view, I think it's not dangerous to send incoming
> requests directly to the HTTP server, but I would like to have your
> opinions.
Most HTTP server exploits (no matter what server or OS, but the last IIS
hole is a great example: an HTTP request gives an attacker remote access
to the Web server) take place over HTTP. For an HTTP server to be
useful, you have to be able to send it HTTP, so indeed a proxy provides
little or no protection from such exploits.
> What are the drawbacks and the advantages of my solution ?
If you go straight to the HTTP server it has better response time, if you
go through the proxy a little more protection at the lower layers, and
the filter rules on the router aren't the only thing protecting in
(defense in depth). If you go straight to the HTTP server, it has to
deal with as many connections as it could possibly get, including things
like SYN flooding for Denial-of-Service (DoS) attacks. If you go through
the bastion, then that must deal with them. If you go through the bastion
and it can't handle the floods, then your internal to external services are
also DoS'd.
Without another router between the Web server and the bastion, it's
possible that a compromised Web server could be used to perform layer 2
attacks against the bastion. On shared rather than switched network
media it's also possible to use the compromised server to capture all
traffic. This is also true of IP enabled switch hardware and the routers
themselves.
I'd recommend switches without network access if you've got the budget.
Either fairly dumb switches, or smart ones with IP for the switch itself
turned off.
Sounds like you've done your research and have a good handle on the
architecture issues. Now you just have to make a few choices based on
risk and cost.
Hope this helps,
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
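The screening policy discussed above (exterior router admitting only the public web service, interior router letting internal hosts reach nothing but the proxy on the bastion, and logging of filter violations), as an added example that is not part of the original mail. It models only inbound first-match filtering on each router; the DMZ/internal address ranges, the bastion and web server addresses, and the proxy port 8080 are constructed assumptions.

```python
"""Model of the two screening routers in the DMZ design from the thread.
Topology: Internet | exterior router | DMZ (bastion, www) | interior router | internal
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.0.2.0/24")        # constructed DMZ range (TEST-NET-1)
BASTION = ip_address("192.0.2.10")      # constructed bastion address
WWW = ip_address("192.0.2.20")          # constructed HTTP server address
INTERNAL = ip_network("10.0.0.0/8")     # constructed internal range
PROXY_PORT = 8080                       # assumed HTTP proxy port on the bastion


@dataclass(frozen=True)
class Rule:
    src: object    # ip_network, or "any"
    dst: object    # ip_address, ip_network, or "any"
    dport: object  # int, or "any"
    action: str    # "permit" or "deny"


def _match(pattern, value):
    if pattern == "any":
        return True
    if isinstance(pattern, int):
        return pattern == value
    if hasattr(pattern, "network_address"):   # a network: membership test
        return value in pattern
    return value == pattern                   # a single host address


def evaluate(rules, src, dst, dport):
    """First match wins; anything not explicitly permitted is denied."""
    for rule in rules:
        if _match(rule.src, src) and _match(rule.dst, dst) and _match(rule.dport, dport):
            return rule.action
    return "deny"


# Exterior router, inbound: only the public web service is reachable from the Internet,
# and packets claiming an internal source address are dropped as spoofed.
EXTERIOR = [
    Rule(INTERNAL, "any", "any", "deny"),
    Rule("any", WWW, 80, "permit"),
    Rule("any", DMZ, "any", "deny"),
]

# Interior router, inbound from the internal network: the proxy and nothing else,
# so a compromised internal host cannot attack the bastion or the web server directly.
INTERIOR = [
    Rule(INTERNAL, BASTION, PROXY_PORT, "permit"),
    Rule(INTERNAL, DMZ, "any", "deny"),
]


def check(router, src, dst, dport):
    return evaluate(router, ip_address(src), ip_address(dst), dport)


def violations(router, flows):
    """Denied flows are what gets logged: trojans bypassing the proxy show up here."""
    return [f for f in flows if check(router, *f) == "deny"]
```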