RE: DMZ Security?

  • From: "Jay" <jschwarzkopf@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 18 Feb 2002 13:26:51 -0500

1. Use different products for external and internal firewalls (ISA, PIX, 
Checkpoint, Sonicwall, etc.). A vulnerability in one is most likely not in the other.
2. Publish the front-end Exchange server (without an Information Store) on the 
internal firewall. This protects the back-end Exchange servers that hold the data.
4. I've done this in production (actually with a front-end E2K server). I don't 
think it is nearly as secure as the method above (publishing). However, if you are 
using another firewall in front of the front-end server, and using TCP/IP 
filtering on the server itself, it's not much different. It also depends on 
starting services after the VPN tunnel is created, and adding routes.
  ----- Original Message ----- 
  From: Goktug Yildirim 
  To: [ISAserver.org Discussion List] 
  Sent: Monday, February 18, 2002 3:17 AM
  Subject: [isalist] RE: DMZ Security?

    Hello,

      I have some questions, not about a specific problem, configuration or 
installation, but I am looking for answers to a "WHY?" list. I don't mean to 
bother anyone but I can't help myself looking deeper into these questions. In my 
opinion these are really important basic questions to ask yourself before 
designing internet/intranet security.


      1. WHY is a back-to-back DMZ more secure than a 3-NIC DMZ?

      What is my advantage in buying another license and dealing with lots of 
configuration instead of working with a 3-NIC DMZ?

      Is it only because of isolating the subnets not only with software code 
but also physically? And if so, don't we have to trust that code? If it 
fails, does physical isolation really save me?? Because I have another failed or 
ready-to-be-hacked firewall software at the other end!

      I like the back-to-back Internet -> DMZ -> WEB SITES -> DMZ -> INTERNAL SITE. 
 The DMZ creates kind of a sandbox approach to protecting your site.  By 
allowing information to enter via packet filters, server or web publishing 
rules you can control what enters the DMZ. The nice thing at this point is that 
the computers in the DMZ from the external ISA box are entered into the local 
LAT.  The internal ISA box uses the LAT from the external machine as the 
hostile (fake internet) and that is then used as the incoming web IP into the 
internal ISA.  Again via packet filters, server or web publishing rules you can 
stop what comes into your internal net.  Now the internal ISA machine uses your 
internal machines in its own LAT table.  Now what you have is basically 2 
networks that have completely different IP addresses without much of a hassle.  
INTERNET (216.0.0.0 EXT) -> WEB SITES (172.0.0.0 LAT) -> INTERNAL SITE (198.0.0.0 
INT).


                   GOKTUG>            I agree with all of the above but I can't see 
any security benefits other than physical isolation when you design a 
back-to-back DMZ. Is it the only benefit? Let's imagine a back-to-back ISA DMZ. 
If someone hacks the external ISA he/she can also hack the internal ISA by 
applying the same vulnerability code that exploited the external ISA. So where is 
the benefit of physical isolation? (I am sure I am not right. There must be 
something else that makes people use a back-to-back DMZ and that is what I am 
).

      2. WHY is it a DMZ security violation to have an internal domain member 
server in the back-to-back DMZ scenario? If I ask this question in a very 
simple way, WHAT is the difference between a hacked member server and a hacked 
stand-alone server?

      The Front-End<->Back-End Exchange 2000 architecture requires the Front-End 
Exchange server to be a member server. Also Microsoft has an article dealing 
with this configuration which even lists the desired ports to be opened. IF 
this is a DMZ violation, WHY does MS violate its own firewall security?

                  I keep my EXCHANGE machine in the internal network protected 
by 2 ISA servers.  I keep a machine in my DMZ that forwards SMTP mail. That 
keeps my Exchange machine hidden from the outside world.


      GOKTUG> This is also logical and it is what most people do. But if you 
need to implement a Front-End/Back-End Exchange topology, which is quite different 
from SMTP forwarding, you need a member server in the DMZ. So my point is this: 
it is written that keeping a domain member server in the DMZ is not that secure, but 
MS says you have to have a member server if you are going to implement a 
Front-End Exchange topology. And I ask here why it is not safe to have a 
member server in the DMZ and why MS designs something that is subject to a 
security hole? 

      4. IF I open a VPN tunnel inwards from one of the DMZ servers to reach some 
of the resources in the internal domain, is it a DMZ security violation, or is it 
better and more secure than creating lots of packet filters and tons of 
configuration for that DMZ server?
      If I configure a packet filter only for that server, and someone 
simulates an IP packet that has the same source IP as the DMZ server's IP, it can 
reach that specific resource. But if I configure this server as an L2TP VPN 
client properly, don't I make sure of the incoming source exactly?

      I've not had a need yet for VPN but will do so in the future and this 
would interest me too.



       GOKTUG> I have a need!!
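An added illustration of the source-spoofing point in Goktug's question 4 and of Jay's remark that the DMZ server's services and routes must wait for the tunnel. It is not code from anyone on this list. The addresses, the port, the interface names and the peer identity are all made-up placeholders, and ISA Server's packet filters and an L2TP/IPsec tunnel are modelled only as two yes/no checks on a packet record.

```python
"""Constructed model: a filter keyed only on source IP versus a filter that
requires the packet to have emerged from an authenticated VPN tunnel.
All addresses, ports and names below are hypothetical placeholders."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

DMZ_SERVER = ip_address("172.16.0.10")     # constructed: front-end server in the DMZ
INTERNAL_SVC = ip_address("192.168.1.20")  # constructed: internal resource it must reach
SERVICE_PORT = 80                          # constructed placeholder port for that resource
TUNNEL_PEER = "dmz-frontend"               # constructed: identity the VPN server assigns
                                           # to the DMZ server after L2TP/IPsec authentication


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    ingress: str                       # interface the packet arrived on: "dmz" or "vpn"
    tunnel_peer: Optional[str] = None  # set by OUR VPN endpoint after authenticating the
                                       # peer; None for anything that did not use the tunnel


def source_ip_filter(pkt: Packet) -> bool:
    """Packet filter of the kind described in question 4: trust anything whose IP
    header claims to come from the DMZ server. Nothing verifies that claim."""
    return pkt.src == DMZ_SERVER and pkt.dst == INTERNAL_SVC and pkt.dport == SERVICE_PORT


def tunnel_filter(pkt: Packet) -> bool:
    """Accept the same flow only if it came out of the tunnel and the tunnel endpoint
    authenticated the peer. tunnel_peer is written by our own VPN server, never copied
    from a field the remote sender controls, so it cannot be forged the way src can."""
    return (pkt.ingress == "vpn"
            and pkt.tunnel_peer == TUNNEL_PEER
            and pkt.dst == INTERNAL_SVC
            and pkt.dport == SERVICE_PORT)


Route = Tuple[IPv4Network, str]  # (destination network, egress interface)


def egress_interface(dst: IPv4Address, routes: List[Route]) -> str:
    """Longest-prefix match, standing in for the routes Jay says the DMZ server must
    add once the tunnel is up. Falls back to the DMZ interface if nothing matches."""
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return "dmz"
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def packet_from_dmz_server(routes: List[Route]) -> Packet:
    """The packet the legitimate front-end emits toward INTERNAL_SVC, as the internal
    side sees it: through the tunnel if the route table says so (then carrying the
    identity the VPN server attached), otherwise straight out of the DMZ interface."""
    via = egress_interface(INTERNAL_SVC, routes)
    return Packet(DMZ_SERVER, INTERNAL_SVC, SERVICE_PORT, ingress=via,
                  tunnel_peer=TUNNEL_PEER if via == "vpn" else None)


# Constructed route tables: before the tunnel exists, and after it has added a route.
ROUTES_BEFORE_TUNNEL: List[Route] = [(ip_network("0.0.0.0/0"), "dmz")]
ROUTES_AFTER_TUNNEL: List[Route] = ROUTES_BEFORE_TUNNEL + [(ip_network("192.168.1.0/24"), "vpn")]

# Constructed hostile traffic from a compromised host on the DMZ segment.
SPOOFED = Packet(DMZ_SERVER, INTERNAL_SVC, SERVICE_PORT, ingress="dmz")          # forged src
SPOOFED_AT_VPN = Packet(DMZ_SERVER, INTERNAL_SVC, SERVICE_PORT, ingress="vpn")   # no auth


def evaluate(pkt: Packet) -> dict:
    """Run both filters over one packet so the two policies can be compared side by side."""
    return {"source_ip_filter": source_ip_filter(pkt), "tunnel_filter": tunnel_filter(pkt)}


if __name__ == "__main__":
    for name, pkt in [("legit, no tunnel route", packet_from_dmz_server(ROUTES_BEFORE_TUNNEL)),
                      ("legit, via tunnel", packet_from_dmz_server(ROUTES_AFTER_TUNNEL)),
                      ("spoofed on DMZ", SPOOFED),
                      ("spoofed at VPN, unauthenticated", SPOOFED_AT_VPN)]:
        print(f"{name:35} {evaluate(pkt)}")
```

`SPOOFED` compares equal to the packet the real front-end sends when no tunnel route exists: a filter that reads only the IP header literally cannot tell them apart, which is the weakness Goktug describes. The tunnel rule also rejects that untunnelled legitimate packet, which is why Jay's ordering matters: the route to the internal resource has to point into the tunnel and the dependent services have to start after the tunnel is up, or the front-end's own traffic arrives on the wrong interface and is dropped as well.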
