Clint Pachl wrote:
I've done a lot of network and DMZ design research over the last 3 days. I've looked at hundreds of websites and newsgroup postings and read the following titles:

The best security setup is the simplest one: you can look at your pf configuration and understand each line very well, as can any other admin who may need to play with it. That's how you avoid mistakes.

I am not a fan of multiple DMZs by any means, especially when traffic needs to go across these different DMZs. Every time someone does that, over time you end up having holes in it as it gets complicated, and sometimes an admin will take a shortcut because of an issue that crops up one day, fix it dirty and quickly, and never go back to look at it, and then your DMZ ends up as Swiss cheese before you know it.

My own preferred setup is your firewall at the edge of your network facing the Internet, obviously, one DMZ and the LAN.

Then each server that runs services in the DMZ (in my case, anyway, there is only one service per server) runs OpenBSD and PF. Couldn't be simpler, and when it is time to upgrade to the next release, that's pretty quick as well, as there isn't any excuse of "well guys, you don't understand, I can't upgrade, I need to still run 3.5 because of this or that reason and my setup is too complicated, etc." Then you are always at the latest release, you follow the releases and keep all your servers up to date, and because it's one service per server, it's pretty quick and painless to upgrade, etc.

Then each server, as I said, runs PF, but also, in every setup, don't only block incoming traffic; do it right and block the outgoing traffic as well. Again, many will say it's too complicated to do, so they don't do it, but I would say that if that's too complicated to understand, then you have no clue what you are doing and sure don't understand your traffic, and you have no security policy either in that case.

Just a simple example to illustrate this. You wrote that you have a web server. I don't know, maybe you also run PHP on it. Let's say you have an intern who is in charge of the web server PHP upgrades for the summer. Let's say that he doesn't really write good code, but it does work, so everyone is happy, but there are plenty of holes created by not checking the values passed to the various scripts.

Then you have a bad guy going and trying to compromise your network via simple PHP code injection, via one unchecked variable in your PHP code, which obviously runs the script, and what that does is call a URL on another server on the net, inject that on your box, and then you end up compromised. So, what was all your setup used for? Nothing, and it didn't protect you much.

But if your PF configuration on your web server only allows traffic coming from port 80 and going to other ports > 1023, as an example, and actually blocks any traffic coming from you to any other device on port 80, then you have blocked that compromise and you can see it in your logs.

You know your server only allows incoming on 80 and replies to these (DNS as well, etc., but you use your own server as well, so you secure that already the same way), then you make your setup secure, and with a proper setup it is very simple to maintain as well.

The best security setup is to know what is supposed to come in and also what is supposed to go out, and you allow only these.

Now if you do a simple setup with one service per box and, on top of your main firewall, you have PF on that box and every other DMZ server, you are going to have very peaceful nights and plenty of sleep!

Hope this helps, but if you sit back and just think about it, you will see that you don't need to read for days on end to find the best setup, or what works for you.

Instead of studying all the documents on the Internet about security setups, study your network, what it needs and what traffic is supposed to be on it, and make it so. You will learn a lot doing so, and even, as a side effect, if you also block outgoing traffic and log all connections trying to go to port 25 that are not from your own servers, you will find all your compromised Windows workstations as well in the process, very quickly, etc. Or all the visitors to your network with their laptops that bring viruses with them, etc., and don't even know it.

Checking incoming traffic logs is important, yes, but other than blocking access to these bad guys, there isn't much you can do.

However, blocking outgoing traffic and also checking these logs is way more important, and then you are proactive in your security and will fix issues way before they create damage on your LAN.

My setup sends emails to the support team when these happen, so I tell you that it doesn't take long after a visitor plugs his/her laptop with a virus into the LAN before it gets detected, and then he/she gets his/her head beaten up for not being responsible, and the issue is taken care of very quickly!

After a few months of doing so, it becomes so easy and second nature, and then even your co-workers start to make jokes about visitors' compromised laptops, and you don't even need to say anything, they will do it for you! (;> Because they know and learn.

After a while, it is contagious and everyone gets educated in the process.

Hope this helps you some.

Best,

Daniel
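As an added example (not the poster's own configuration), here is a per-host PF ruleset in the spirit of the web server description above: inbound HTTP only, outbound only to the site's own DNS and NTP servers, and a logged block on the server itself opening connections to port 80. The interface name, addresses and the management host are assumptions.

```pf
# /etc/pf.conf on a single-purpose DMZ web server (added example; all
# interface names and addresses below are assumptions, adjust to your site)
ext_if  = "em0"
mydns   = "{ 10.10.0.2, 10.10.0.3 }"   # assumed: your own DNS servers
ntp_srv = "10.10.0.4"                  # assumed: your own NTP server
mgmt    = "10.10.0.50"                 # assumed: admin host on the LAN

set skip on lo

# Default policy: nothing in, nothing out, and log every drop so that a
# compromised script trying to phone home shows up in /var/log/pflog.
block log all

# Minimal ICMP so path MTU discovery and ping keep working.
pass in quick on $ext_if inet proto icmp icmp-type { echoreq, unreach } keep state

# The one service this box runs: HTTP. Clients arrive from high ports; the
# replies (from port 80 back to > 1023) are matched by state, so no
# separate "pass out" rule is needed for them.
pass in on $ext_if inet proto tcp from any port > 1023 to ($ext_if) port 80 \
    flags S/SA keep state

# Admin access, only from the management host.
pass in on $ext_if inet proto tcp from $mgmt to ($ext_if) port 22 \
    flags S/SA keep state

# The only connections the server itself may start: DNS and NTP to our own
# servers. Everything else outbound falls through to "block log all".
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to $mydns port 53 keep state
pass out on $ext_if inet proto udp from ($ext_if) to $ntp_srv port 123 keep state

# The symptom from the post, labelled so it stands out in the logs: the web
# server opening its own connection to port 80 on some other host (for
# example an injected script fetching code from another site).
block out log quick on $ext_if inet proto tcp from ($ext_if) to any port 80 \
    label "webserver_outbound_http"
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and read the drops with `tcpdump -n -e -ttt -r /var/log/pflog`.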
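A second added example (also not the poster's own setup) for the port 25 idea: on the edge firewall a rule such as `block out log on $ext_if proto tcp from !<mailservers> to any port 25` drops and logs outbound SMTP from anything but the mail servers, and this script reads the tcpdump rendering of pflog on stdin and lists the LAN hosts behind those drops so the list can be mailed to the support team. The mail server addresses, interface name and sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the poster's own setup. Input: the text form of pflog,
# e.g. `tcpdump -n -e -ttt -r /var/log/pflog`, on stdin.
MAIL_SERVERS="10.10.0.25 10.10.0.26"   # assumed: the only hosts allowed to speak SMTP

# Print "host count" for every source that was blocked going to port 25
# and is not one of our mail servers.
smtp_offenders() {
    awk -v mail="$MAIL_SERVERS" '
        BEGIN { n = split(mail, m, " "); for (i = 1; i <= n; i++) ok[m[i]] = 1 }
        /block out/ {
            # tcpdump prints "SRC.SPORT > DST.DPORT:"; locate the ">" field
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1); break }
            sub(/:$/, "", dst)
            dport = dst; sub(/.*\./, "", dport)
            if (dport != "25") next
            shost = src; sub(/\.[0-9]+$/, "", shost)
            if (!(shost in ok)) count[shost]++
        }
        END { for (h in count) printf "%s %d\n", h, count[h] }
    ' | sort
}

# Constructed sample lines in the tcpdump pflog shape (not real traffic):
# a workstation hitting two SMTP servers, a mail server (ignored), and a
# blocked HTTP attempt (wrong port, ignored).
SAMPLE='Jan 12 09:10:01.123456 rule 7/(match) block out on em0: 10.10.0.77.49321 > 203.0.113.5.25: S
Jan 12 09:10:02.000001 rule 7/(match) block out on em0: 10.10.0.77.49322 > 198.51.100.8.25: S
Jan 12 09:10:03.500000 rule 7/(match) block out on em0: 10.10.0.26.40000 > 203.0.113.5.25: S
Jan 12 09:10:04.250000 rule 9/(match) block out on em0: 10.10.0.91.51000 > 203.0.113.9.80: S'

# Run the detector over the sample and return the report on stdout.
report() { printf '%s\n' "$SAMPLE" | smtp_offenders; }

# In production, replace the sample with the live log and mail the result, e.g.:
# tcpdump -n -e -ttt -r /var/log/pflog | smtp_offenders | mail -s "outbound SMTP from non-mail hosts" support@example.com
```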
