I would agree with the principle stated by both Laura and KK. It is
actually a complex issue with DMZ placement, but what works for one
company doesn't necessarily work for another, especially considering most
organizations cannot afford two firewall appliances (or, even if they
could, might just believe one offers adequate assurance).
John S., given the original question, I would highly recommend at least
perusing the O'Reilly "Building Internet Firewalls" book[1] for your
own edification. This book will give you a great overview of the
different firewall architectures, their principles, and the comparative
advantages/disadvantages.
In regards to your original post, I have three suggestions.
> >I have a few questions regarding setting up a DMZ. Currently our
> >public servers are behind our LAN port on our Firewall, with only the
> >ports we need opened. I would like to move these servers to the DMZ
> >port of our SonicWall DMZ firewall. My question is...once I put
> >something in the DMZ, do I need to give it a different IP address,
> >meaning do I need to change it from an internal LAN IP to an external
> >WAN IP? Currently, my NAT router handles that. And if I do give it a
> >WAN IP, does that mean I take it out of my NAT table? I plan on using
> >our HP Switch to create 2 VLANs, one for our LAN and one for the DMZ
> >Zone (currently our switch is not VLANed and it's used for our internal
> >LAN). Would this work, is this a good idea? Can you give me any basic
> >setup ideas/suggestions?
> >
> >Thanks!
> >
> >John
Whether you change your bastion host (public server) to RFC1918 addressing
or not and whether you remove it from the NAT table depends on one
question I would ask you. You haven't explained any details about the NAT
router. My question to you is does it support packet filtering?
Basically I can see two different approaches:
1. Screened subnet architecture
If your NAT router does support packet filtering, you could leave it where
it is, and add an ACL/packet filter that only allows access to the bastion
host for ports that external users need to come in on. In this case, you
could leave the bastion host with an RFC1918 (internal LAN) address, still
allowing the router to do NAT. Then you could have the sonic firewall
protect the inside network. This would have the effect of leveraging your
existing hardware to have the sonicwall dedicated to protecting the
internal network, and your NAT router protecting the bastion hosts by
allowing ONLY packets in on services absolutely necessary.
2. Merged Routers and Bastion Host Using General Purpose Hardware (page
704, O'Reilly)
I believe this would be the collapsed DMZ others are referring to.
With this configuration, remove the NAT table entry for the bastion host,
and either:
A. re-IP to a public address allocated by your provider, having the
SonicWall do all packet filtering.
OR
B. Retain the RFC1918 address, and have the SonicWall do NAT (instead of
the NAT router), implementing all of the packet filtering that needs to be done.
Keep in mind that I am not familiar in any way with the Sonicwall product,
and make the assumption that it supports NAT.
With this configuration, the SonicWall is the workhorse here, protecting
both internal and DMZ networks. The SonicWall has three interfaces: one
connected to the NAT router, one to the DMZ, and one to the internal
network. If you did go with this configuration, I would also suggest
bypassing the switch on the DMZ network by connecting the SonicWall DMZ
port straight to the Bastion host via a crossover cable. With this
approach, you eliminate any attacks on spoofing MAC addresses,
manipulating ARP tables, VLAN misconfigurations, etc., on the switch.
3. Last, don't ever feel safe just because you have the firewall and think
you have the "right" configuration. Host security (on the bastion host,
in your case) is just as important as a properly designed firewall
architecture, if not more so.
Hope this helps, and good luck.
-Jason
[1] Building Internet Firewalls, Second Edition. Zwicky, Elizabeth, et
al. O'Reilly and Associates, 2000: Sebastopol, CA.
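As an added illustration of the three-interface design Jason describes (not code from the thread or from any product), here is a small zone-policy model: 1-1 NAT in front of the bastion host, inbound traffic limited to the services external users need, and DMZ-to-LAN traffic denied so a compromised bastion cannot pivot inward. The `servers_on_lan_port` flag models John's current layout for comparison; all addresses, ports and names are constructed assumptions.

```python
"""Zone-policy model for a WAN / DMZ / LAN firewall (added example, not from the thread)."""
import ipaddress

# Constructed sample addressing; every value here is an assumption.
DMZ_NET = ipaddress.ip_network("10.0.1.0/24")   # RFC1918 subnet on the DMZ port
LAN_NET = ipaddress.ip_network("10.0.0.0/24")   # RFC1918 subnet on the LAN port
NAT_TABLE = {"203.0.113.10": "10.0.1.10"}       # 1-1 NAT: public address -> bastion host
BASTION_SERVICES = {"10.0.1.10": {80, 443}}     # only the ports external users need


def zone_of(ip):
    """Map an address to the firewall interface it sits behind."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return "DMZ"
    if addr in LAN_NET:
        return "LAN"
    return "WAN"


def evaluate(src, dst, dport, servers_on_lan_port=False):
    """Return (verdict, zone pair, translated destination) for one new flow.

    servers_on_lan_port=True models the original layout, where the public
    servers hang off the LAN port and therefore share a zone with the LAN.
    """
    real_dst = NAT_TABLE.get(dst, dst)          # undo 1-1 NAT before the zone lookup
    s, d = zone_of(src), zone_of(real_dst)
    if servers_on_lan_port:
        s = "LAN" if s == "DMZ" else s
        d = "LAN" if d == "DMZ" else d
    if s == d:                                  # same segment: handled by the switch, not the firewall
        return ("allow", f"{s}->{d}", real_dst)
    if s == "WAN":
        # Inbound: only NAT'd bastion hosts, and only their published services
        ok = dst in NAT_TABLE and dport in BASTION_SERVICES.get(real_dst, set())
        return ("allow" if ok else "deny", f"{s}->{d}", real_dst)
    if s == "DMZ" and d == "LAN":
        return ("deny", "DMZ->LAN", real_dst)   # a compromised bastion must not reach the inside
    if s == "LAN":
        return ("allow", f"LAN->{d}", real_dst)  # internal users may reach the DMZ and the Internet
    return ("deny", f"{s}->{d}", real_dst)      # default deny (e.g. DMZ->WAN)
```

Run the same DMZ-to-LAN flow with and without `servers_on_lan_port` to see why moving the servers off the LAN port matters: in the old layout the flow is intra-LAN and never reaches the firewall.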
On Thu, 4 Apr 2002, kk downing wrote:
> With the rise of firewall appliances and
> multi-nic cards many organizations run a collapsed
> DMZ. Obviously the two firewall architecture is a good
> idea but how many organizations actually pick two
> different firewall vendors and apply this approach?
>
>
> --- "Laura A. Robinson" <[EMAIL PROTECTED]>
> wrote:
> > I wouldn't oversimplify like that. Collapsed
> > structure versus two firewalls
> > is a very debatable topic. Why? Because if I hack
> > your external firewall
> > (the firewall itself, not a machine behind it) and
> > your *separate* internal
> > firewall is a *different* firewall, all I've done so
> > far is compromise your
> > DMZ. If you have a single firewall and there's an
> > exploit out there for it
> > that you've not yet patched against or a hack you
> > don't know about, when I
> > compromise your firewall I've now potentially
> > compromised your entire
> > network.
> >
> > With that said, as I steadfastly maintain, a
> > firewall is merely a speed bump
> > against a skilled, dedicated intruder.
> >
> > Laura
> > ----- Original Message -----
> > From: "Clifford Thurber"
> > <[EMAIL PROTECTED]>
> > To: "Laura A. Robinson" <[EMAIL PROTECTED]>;
> > "Bill Royds"
> > <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> > <[EMAIL PROTECTED]>
> > Sent: Thursday, April 04, 2002 4:29 PM
> > Subject: Re: Basic DMZ Setup Questions...
> >
> >
> > > This was traditionally the architecture before the
> > > DMZ became collapsed.
> > >
> > > At 12:13 PM 4/4/2002 -0500, Laura A. Robinson
> > wrote:
> > > >A "true" DMZ may have a firewall between the
> > > >Internet and the DMZ, as well
> > > >as between the DMZ and the intranet.
> > > >
> > > >Laura
> > > >----- Original Message -----
> > > >From: "Bill Royds" <[EMAIL PROTECTED]>
> > > >To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > >Sent: Wednesday, April 03, 2002 8:11 PM
> > > >Subject: RE: Basic DMZ Setup Questions...
> > > >
> > > >
> > > >A true DMZ is the net between the firewall and the
> > > >Internet, not behind a firewall. If this is the case, then you have the
> > > >choice of a public address or a simple 1-1 NAT (IP redirect) set up on your
> > > >NAT enabled router. If your router can handle Port Address Translation, where
> > > >it sends the traffic from a single Internet address to separate servers
> > > >depending on destination port, you can save Internet IP space by using private
> > > >addresses. But your servers are not being protected by your firewall.
> > > >
> > > >If it is the more common server segment on a third NIC of the firewall, then
> > > >it can use private address space, either IP redirect, PAT or full dynamic
> > > >NAT. But it still would be a good idea to set up this server segment with a
> > > >separate subnet address to ease routing and rule making on the firewall.
> > > >
> > > >-----Original Message-----
> > > >From: [EMAIL PROTECTED]
> > > >[mailto:[EMAIL PROTECTED]]On Behalf Of John S. Strock
> > > >Sent: Wed April 03 2002 18:26
> > > >To: [EMAIL PROTECTED]
> > > >Subject: Basic DMZ Setup Questions...
> > > >
> > > >
> > > >I have a few questions regarding setting up a DMZ. Currently our
> > > >public servers are behind our LAN port on our Firewall, with only the
> > > >ports we need opened. I would like to move these servers to the DMZ
> > > >port of our SonicWall DMZ firewall. My question is...once I put
> > > >something in the DMZ, do I need to give it a different IP address,
> > > >meaning do I need to change it from an internal LAN IP to an external
> > > >WAN IP? Currently, my NAT router handles that. And if I do give it a
> > > >WAN IP, does that mean I take it out of my NAT table? I plan on using
> > > >our HP Switch to create 2 VLANs, one for our LAN and one for the DMZ
> > > >Zone (currently our switch is not VLANed and it's used for our internal
> > > >LAN). Would this work, is this a good idea? Can you give me any basic
> > > >setup ideas/suggestions?
> > > >
> > > >Thanks!
> > > >
> > > >John
> > > >_______________________________________________
> > > >Firewalls mailing list
> > > >[EMAIL PROTECTED]
> > > >http://lists.gnac.net/mailman/listinfo/firewalls
> > > >
> > >
> >
>
>
>