[Leaf-user] Re: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?

2002-02-27 Thread Charles Steinkuehler

> > > The trainer told me that the Drop-In configuration (ProxyARP DMZ) is
> > > less secure than the routed DMZ. I didn't say anything and thought
> > > "Uh, really? Why?".
 
> > Good for you!

> Good for me that I didn't say anything or good for me that I'm going to
> make the WCP? :)

Good for you that you question rather than simply believe...

> Unfortunately, you can't define in which chain rules go. (Watchguard
> Fireboxes run on a highly modified kernel 2.0.38.)
> I don't know in which chain they organize their DMZ stuff.

> She told me that she'll explain the whole DMZ stuff more exactly
> tomorrow.
> Let's see if she knows what she's talking about... ;)

Ah...with a 2.0 series kernel, you do *NOT* have a very flexible platform.
As there are things you can do with 2.4 kernels and iptables that are
difficult or impossible with ipchains, there's a *LOT* you can't do with a
2.0 kernel's packet filtering.  I'm not familiar enough with the 2.0 stuff
to know for sure, but that could very well be why a proxy-arp based DMZ
isn't as secure.  If so, just note that it's an artificial limitation of the
firewall, and not a basic problem with the topology.

Charles Steinkuehler
[EMAIL PROTECTED]


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



[Leaf-user] Re: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?

2002-02-27 Thread Charles Steinkuehler

> I'm currently in a Watchguard training. I'm going to make the WCP
> Certificate.
>
> The trainer told me that the Drop-In configuration (ProxyARP DMZ) is
> less secure than the routed DMZ. I didn't say anything and thought
> "Uh, really? Why?".

Good for you!

> Is a ProxyARP DMZ less secure than a routed or staticNAT DMZ?
> Are there even any security-related differences?
>
> She told me that staticNAT with a private DMZ is the better solution if
> you want to save public IPs. I don't think so.
> I think I'd run into problems with special applications/protocols if using
> staticNAT (passiveFTP, PPTP?)
>
> Discussion is open

All three of the architectures you mention (static-NAT, routed, and
proxy-arp) have the same basic packet flow:

internet
|
Firewall - DMZ net

Or possibly:

internet
|
Firewall - DMZ net
|
Internal net

The only difference between the flavors of DMZ you mention is what IP
addresses and subnet labels get attached to each interface...the security
(or lack thereof) depends entirely on what the firewall is doing with the
packet data.

If you've got a flexible mechanism for building firewall rules, it shouldn't
matter which architecture you pick...you should be able to implement your
desired firewall functionality with any of the DMZ flavors.

NOTE:  There are specific things you need to watch for depending on the DMZ
architecture.  For instance, the Dachstein firewall rules implement routed,
static-nat, and proxy-arp DMZ rules in the forward chain, so the packets are
blindly accepted in the input chain (to be sorted later).  If you're running
static-NAT or proxy-arp, the firewall probably has an IP that overlaps with
the DMZ network, so you've just potentially opened your firewall's external
IP to the world with no filtering!  For the curious, that's why the dmz-in
and dmz-spoof ipchains are created in this situation...ip's destined for the
local box are routed back through the input rule chain, while packets truly
destined for the DMZ are accepted in the input chain, then filtered in the
forward chain.

Charles Steinkuehler
[EMAIL PROTECTED]


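To make the input/forward ordering in the note above concrete, here is an added example; it is not part of the thread and not the Dachstein rule set. It is a small Python model of the ipchains packet path (input chain, routing decision, then forward chain only for packets not delivered to the firewall itself), with two rule sets: a naive one that accepts everything for the DMZ block in input and sorts it in forward, and a corrected one that first diverts packets addressed to the firewall's own external IP into a separate chain. The chain is called dmz-in after the one the message names, but its contents, the addresses (TEST-NET-3 and TEST-NET-2) and the sample packets are assumptions constructed for the example.

```python
"""Added example (not from the original thread or the Dachstein rules): a
minimal model of ipchains packet flow showing why a proxy-ARP / static-NAT
DMZ must handle packets for the firewall's own address before a blanket
'accept DMZ traffic in the input chain' rule.  All addresses are assumed."""
import ipaddress
from dataclasses import dataclass

DMZ_NET = ipaddress.ip_network("203.0.113.0/28")        # public DMZ block (assumed)
FIREWALL_EXT_IP = ipaddress.ip_address("203.0.113.1")  # firewall's external IP lies
                                                        # inside the DMZ block
DMZ_WEB = ipaddress.ip_address("203.0.113.10")          # a DMZ web server (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Match helpers: each returns a predicate over a Packet.
def dst_in(net):
    return lambda p: ipaddress.ip_address(p.dst) in net


def dst_is(ip):
    return lambda p: ipaddress.ip_address(p.dst) == ip


def port(n):
    return lambda p: p.dport == n


def both(a, b):
    return lambda p: a(p) and b(p)


def any_pkt(p):
    return True


def run_chain(chains, name, pkt):
    """Walk one chain in order.  A target naming a user chain is a jump; if the
    user chain falls off its end ("RETURN") evaluation continues here."""
    for match, target in chains[name]:
        if not match(pkt):
            continue
        if target in ("ACCEPT", "DENY"):
            return target
        verdict = run_chain(chains, target, pkt)
        if verdict != "RETURN":
            return verdict
    return "RETURN"


def filter_packet(chains, pkt):
    """ipchains order: input chain, then the routing decision.  A packet for the
    firewall itself is delivered locally and the forward chain never sees it.
    Built-in chains are modelled with a DENY policy, so falling off the end
    of input or forward denies the packet."""
    if run_chain(chains, "input", pkt) != "ACCEPT":
        return "DENY(input)"
    if ipaddress.ip_address(pkt.dst) == FIREWALL_EXT_IP:
        return "ACCEPT(local)"
    if run_chain(chains, "forward", pkt) != "ACCEPT":
        return "DENY(forward)"
    return "ACCEPT(forward)"


# Naive rules: input blindly accepts everything for the DMZ block and leaves
# the sorting to forward.  Because the firewall's external IP is inside that
# block, traffic to the firewall itself is accepted and never filtered.
NAIVE = {
    "input":   [(dst_in(DMZ_NET), "ACCEPT")],
    "forward": [(both(dst_is(DMZ_WEB), port(80)), "ACCEPT"),
                (any_pkt, "DENY")],
}

# Corrected rules: packets for the firewall's own IP are sent to a separate
# dmz-in chain first (assumed here to deny everything from outside); only
# then is DMZ-bound traffic accepted in input for the forward chain to sort.
FIXED = {
    "input":   [(dst_is(FIREWALL_EXT_IP), "dmz-in"),
                (dst_in(DMZ_NET), "ACCEPT")],
    "dmz-in":  [(any_pkt, "DENY")],
    "forward": NAIVE["forward"],
}

# Constructed sample packets from an outside host (TEST-NET-2).
FW_SSH = Packet("198.51.100.7", "203.0.113.1", 22)     # internet -> firewall:22
DMZ_HTTP = Packet("198.51.100.7", "203.0.113.10", 80)  # internet -> DMZ web:80
DMZ_SSH = Packet("198.51.100.7", "203.0.113.10", 22)   # internet -> DMZ web:22

if __name__ == "__main__":
    for label, rules in (("naive", NAIVE), ("fixed", FIXED)):
        for p in (FW_SSH, DMZ_HTTP, DMZ_SSH):
            print(f"{label:5} {p.dst}:{p.dport:<3} -> {filter_packet(rules, p)}")
```

Running it shows the point of the message: with the naive rules the SSH packet to the firewall's own address comes back ACCEPT(local), accepted by the blanket DMZ rule in input and then delivered locally without ever reaching forward, while the same packet under the corrected rules is denied in input by the dmz-in jump. Traffic to the DMZ host is handled identically by both rule sets, so the fix costs nothing for the DMZ itself.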