I've inherited a small corporate WinNT4.0 lan that I am reconfiguring to
remove some of the obvious security flaws in its structure. I would like to
elicit any comments or suggestions regarding reconfiguring the
architecuture. On paper, the lan has been setup as a classical firewalled
lan with 3 zones: external, dmz, and internal.
|T1
|
Router
|
Firewall________S_____vlan1[external]
| |_________w
|_____________i_____vlan2[dmz=mail,dns,http]
t |
c_____vlan3[internal]
h
The funny thing about the setup is that the servers residing in the dmz are
all dual-homed machines with 1 adapter set to use a dmz segment address
[192.168.1.0/24] and the other adapter uses an internal segment address
[192.168.2.0/24]. The dmz addresses are NAT'd at the firewall to public
address in our class C assignment. This arrangement strikes me as crazy;
even though routing between interfaces on the dmz machines is disabled, it
seems that it would be trivial to compromise the internal lan if an intruder
were to breach the dmz. Furthermore, some essential services (like
file/print, domain controllers) reside on the dmz/vlan3 boxes, which also
strikes me as major league stupidity for essentially the same reason.
Essentially to me it seems that the actual architecuture functions only as a
2 region system (hostile internet vs. not very secure internal lan) because
of the fuzziness resulting from misconfiguration of the dmz. Basically,
since I'm not an expert on this stuff (yet), I would like some confirmation
of my feeling that this setup is basically very insecure so that I can
garner up the requisite courage to fight with the consultants who set it up
this way in the first place and the management who hired them. I have a
pretty good idea of how to correct things, such as making the dual homed dmz
machines single homed and moving all of the 'private' services like the
domain controllers, file storage, etc. to machines strictly located within
the internal vlan. Happy to provide additional details, clarifications;
Comments welcome!
Thanks,
Fred
