RE: DMZ Security?

  • From: "Goktug Yildirim" <yildirim@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 18 Feb 2002 10:17:10 +0200


 
My opinions are also inline.
Thanks
Goktug
        
        
        
        Hello,
         
        I have some questions, not about a specific problem, configuration
or installation, but I am looking for answers to a "WHY?" list. I don't
mean to bother anyone, but I can't help looking deeper into these
questions. In my opinion these are really important basic questions to
ask yourself before designing Internet/intranet security.
         
        1. WHY is a back-to-back DMZ more secure than the 3-NIC DMZ?
        What is my advantage in buying another license and dealing with
lots of configuration instead of working with a 3-NIC DMZ?
        Is it only because of isolating the subnets not only with
software code but also physically? And if so, don't we have to trust
that code? If it fails, does physical isolation really save me? Because
I have another failed or ready-to-be-hacked firewall software at the
other end!
        I like the back-to-back Internet ==> DMZ ==> WEB SITES ==> DMZ
==> INTERNAL SITE.  The DMZ creates a kind of sandbox approach to
protecting your site.  By allowing information to enter via packet
filters, server or web publishing rules you can control what enters the
DMZ. The nice thing at this point is that the computers in the DMZ from
the external ISA box are entered into the local LAT.  The internal ISA
box uses the LAT from the external machine as the hostile (fake
Internet) and that is then used as the incoming web IP into the internal
ISA.  Again via packet filters, server or web publishing rules you can
stop what comes into your internal net.  Now the internal ISA machine
uses your internal machines in its own LAT table.  Now what you have is
basically 2 networks that have completely different IP addresses without
much of a hassle.  INTERNET (216.0.0.0 EXT) ==> WEB SITES (172.0.0.0
LAT) ==> INTERNAL SITE (198.0.0.0 INT).
                     
                     GOKTUG>            I agree with all of the above but I
can't see any security benefit other than physical isolation when you
design a back-to-back DMZ. Is it the only benefit? Let's imagine a
back-to-back ISA DMZ. If someone hacks the external ISA he/she can also
hack the internal ISA by applying the same vulnerability code that
exploited the external ISA. So where is the benefit of physical isolation?
(I am sure I am not right. There must be something else that makes
people use a back-to-back DMZ, and that is what I am ).
        2. WHY is it a DMZ security violation to have an internal domain
member server in the back-to-back DMZ scenario? If I ask this question
in a very simple way, WHAT is the difference between a hacked member
server and a hacked stand-alone server?
        The Front-End<->Back-End Exchange 2000 architecture requires the
Front-End Exchange server to be a member server. Also Microsoft has an
article dealing with this configuration which even lists the ports to
be opened. IF this is a DMZ violation, WHY does MS violate its own
firewall security?
                    I keep my EXCHANGE machine in the internal network
protected by 2 ISA servers.  I keep a machine in my DMZ that forwards
SMTP mail. That keeps my Exchange machine hidden from the outside world.
         
        GOKTUG> This is also logical and it is what most people do.
But if you need to implement a Front-End/Back-End Exchange topology,
which is quite different from SMTP forwarding, you need a member server
in the DMZ. So my point is this: it is written that keeping a domain
member server in the DMZ is not that secure, but MS says you have to
have a member server if you are going to implement the Front-End
Exchange topology. And I ask here why it is not safe to have a member
server in the DMZ and why MS designs something that is subject to a
security hole?
        3. WHY is it more secure to chain the ISA firewalls?
        What is the security failure or hole if I don't chain the
internal and external firewalls in a back-to-back DMZ scenario?
        I'm not sure if it is more secure.  By chaining the firewalls, if
one goes offline for whatever reason you still have some level of
protection.
         GOKTUG> I have read TOM's document. And briefly he says it
is more secure to chain the firewalls. WHY? What is the benefit?
        4. IF I open a VPN tunnel inward from one of the DMZ servers to
reach some of the resources in the internal domain, is it a DMZ security
violation, or is it better and more secure than creating lots of packet
filters and tons of configuration for that DMZ server?
        If I configure a packet filter only for that server, and if
someone simulates an IP packet that has the same source IP as the DMZ
server's IP, it can reach that specific resource. But if I configure
this server as an L2TP VPN client properly, don't I make sure of the
incoming source exactly?
        I've not had a need yet for VPN but will do so in the future and
this would interest me too.
         
         GOKTUG> I have a need!!
        5. WHY is publishing a server more secure than putting it in the
DMZ? (comparison of public IP DMZ and private IP DMZ).
        What is the difference between ISA server publishing and DMZ
server publishing? When you publish a server it means that someone can
open a session to that server and can exploit whatever he/she wants if
it is possible. Isn't it the same for DMZ server publishing? What are
the benefits or losses of publishing a server versus DMZ server
publishing?
        I can also block via filters what I don't want coming into the
site via ISA.
         
         It is basically behind 2 firewalls.  I don't keep any SQL
machines in the DMZ; I just keep my web servers.  And I limit the types
and numbers of services running on the machines in the DMZ.  They don't
belong to any domain so you can't actually see what computers are
located in the DMZ.
         
                    GOKTUG> OK. That is true. Let's look at it this way.
When you design a back-to-back DMZ with ISA you have two choices. The
first is using private addresses in the DMZ and the second is public
addresses in the DMZ. It is said that private addresses in the DMZ are
more secure. And I wonder WHY? What is the difference between publishing
a server and putting it in the DMZ? WHY is publishing a server more
secure than placing it in the DMZ?
        I know I have to read books and I can find these topics.
However, I just need some push or a start to go further. Answers or
comments of one or two sentences would make this great!
         
        Thanks and regards to anyone who even reads these,
         
        GOKTUG YILDIRIM
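A small rule-set reachability check, added here as an example and not part of the thread or of ISA Server: the two layouts in question 1 are modelled as generic first-match packet filters, one 3-NIC firewall versus an external firewall in front of the DMZ and an inner one behind it. The addresses (a 172.16.0.0/24 DMZ, a 192.168.0.0/24 internal LAN, an Internet host at 203.0.113.5), the rule lists and the "sloppy" rule are constructed assumptions. It shows two things the questions above turn on: what a second firewall with its own rule list buys you when one rule on the outer box is wrong (questions 1 and 3), and why a packet filter keyed only on the DMZ server's source address can be satisfied by a forged packet unless packets arriving on the outside interface with an inside source are dropped first (question 4).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed address plan (assumption, not the poster's network): a private
# DMZ holding the published web server, a private internal LAN holding the
# database it talks to, and one Internet host.
ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("172.16.0.0/24")
INTERNAL = ip_network("192.168.0.0/24")
WEB = ip_address("172.16.0.10")       # published web server, lives in the DMZ
SQL = ip_address("192.168.0.10")      # database, kept on the internal side
ATTACKER = ip_address("203.0.113.5")  # constructed Internet host

def host(ip: IPv4Address) -> IPv4Network:
    return ip_network(f"{ip}/32")

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int

@dataclass
class Firewall:
    name: str
    rules: list        # first match wins; implicit deny after the last rule
    ifaces: dict       # interface name -> network that legitimately sits behind it
    antispoof: bool = True

    def decide(self, pkt: Packet, ingress: str) -> str:
        """Verdict for one packet that arrived on interface `ingress`."""
        # Ingress anti-spoofing: a source address that belongs behind another
        # interface cannot legitimately arrive here, so drop it before any
        # allow rule keyed on that source address gets a chance to match.
        if self.antispoof:
            for iface, net in self.ifaces.items():
                if iface != ingress and net != ANY and pkt.src in net:
                    return "deny(spoofed source)"
        for r in self.rules:
            if pkt.src in r.src and pkt.dst in r.dst and r.dport in (None, pkt.dport):
                return r.action
        return "deny(implicit)"

def reachable(path, pkt: Packet):
    """Walk a packet arriving from the Internet along `path`, a list of
    (firewall, ingress interface, networks delivered directly behind it).
    Every firewall on the way must allow it; returns the per-hop verdicts."""
    verdicts = []
    for fw, ingress, behind in path:
        verdict = fw.decide(pkt, ingress)
        verdicts.append((fw.name, verdict))
        if verdict != "allow" or any(pkt.dst in net for net in behind):
            break
    return verdicts

def allowed(path, pkt: Packet) -> bool:
    return all(v == "allow" for _, v in reachable(path, pkt))

# A rule an administrator might add "temporarily" and forget: SQL open to anyone.
SLOPPY = Rule("allow", ANY, host(SQL), 1433)

def three_nic(sloppy=False, antispoof=True):
    """One firewall with external, DMZ and internal interfaces."""
    rules = [Rule("allow", ANY, host(WEB), 80),
             Rule("allow", host(WEB), host(SQL), 1433)]
    if sloppy:
        rules.insert(0, SLOPPY)
    fw = Firewall("fw", rules, {"ext": ANY, "dmz": DMZ, "int": INTERNAL}, antispoof)
    return [(fw, "ext", [DMZ, INTERNAL])]

def back_to_back(sloppy=False, antispoof=True):
    """External firewall in front of the DMZ, a second one behind it."""
    ext_rules = [Rule("allow", ANY, host(WEB), 80)]
    if sloppy:
        ext_rules.insert(0, SLOPPY)
    ext = Firewall("fw-ext", ext_rules, {"ext": ANY, "dmz": DMZ}, antispoof)
    # The inner firewall treats the DMZ as its "Internet" and admits only the
    # one flow the web server needs; its rule list is separate from fw-ext's.
    inner = Firewall("fw-int", [Rule("allow", host(WEB), host(SQL), 1433)],
                     {"dmz": DMZ, "int": INTERNAL}, antispoof)
    return [(ext, "ext", [DMZ]), (inner, "dmz", [INTERNAL])]

if __name__ == "__main__":
    direct = Packet(ATTACKER, SQL, 1433)   # Internet host straight to the database
    spoofed = Packet(WEB, SQL, 1433)       # same, but claiming the web server's address
    print("3-NIC + sloppy rule:        ", reachable(three_nic(sloppy=True), direct))
    print("back-to-back + sloppy rule: ", reachable(back_to_back(sloppy=True), direct))
    print("3-NIC, spoof, no anti-spoof:", reachable(three_nic(antispoof=False), spoofed))
    print("3-NIC, spoof, anti-spoof:   ", reachable(three_nic(), spoofed))
```

The first pair of runs is the point about a second rule list: the same wrong rule on the outer firewall exposes the database in the 3-NIC layout but is stopped at fw-int in the back-to-back layout, because fw-int never had a rule for it. That is a defence against a configuration mistake on one box, not against the same software bug on both, which is the separate objection raised under question 1. The second pair is the question 4 concern: with the filter keyed only on the web server's address, a packet forged with that source passes the 3-NIC firewall until ingress anti-spoofing on the external interface rejects it; an authenticated tunnel, as the poster proposes, ties the flow to a key rather than to an address, which is the stronger form of the same check.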
         
