31 How might I increase the security and scalability of my DMZ?

This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.

A common approach for an attacker is to break into a host that's
vulnerable to attack, and exploit trust relationships between the vulnerable
host and more interesting targets.

If you are running a number of services that have different levels of
security, you might want to consider breaking your DMZ into several
"security zones". This can be done by having a number of different
networks within the DMZ. For example, the access router could feed two
ethernets, both protected by ACLs, and therefore in the DMZ.

On one of the ethernets, you might have hosts whose purpose is to service
your organization's need for Internet connectivity. These will likely relay
mail, news, and host DNS. On the other ethernet could be your web server(s)
and other hosts that provide services for the benefit of Internet users.

In many organizations, services for Internet users tend to be less carefully
guarded and are more likely to be doing insecure things. (For example, in
the case of a web server, unauthenticated and untrusted users might be
running CGI or other executable programs. This might be reasonable for your
web server, but brings with it a certain set of risks that need to be
managed. It is likely these services are too risky for an organization to
run them on a bastion host, where a slip-up can result in the complete
failure of the security mechanisms.)

By putting hosts with similar levels of risk on networks together in the
DMZ, you can help minimize the effect of a break-in at your site. If someone
breaks into your web server by exploiting some bug in your web server,
they'll not be able to use it as a launching point to break into your
private network if the web servers are on a separate LAN from the bastion
hosts, and you don't have any trust relationships between the web server and
bastion host.

Now, keep in mind that we're running ethernet here. If someone breaks into
your web server, and your bastion host is on the same ethernet, an attacker
can install a sniffer on your web server, and watch the traffic to and from
your bastion host. This might reveal things that can be used to break into
the bastion host and gain access to the internal network.

By splitting services up not only by host, but by network, and limiting the
level of trust between hosts on those networks, you can greatly reduce the
likelihood of a break-in on one host being used to break into the other.
Succinctly stated: breaking into the web server in this case won't make it
any easier to break into the bastion host.
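The following is an added example, not part of the Firewalls FAQ, that models the two-segment DMZ described above as an ordered, default-deny ACL on the access router and then checks the property the FAQ asks for: that neither DMZ segment holds a network-layer trust relationship with the other or with the internal network. The addresses (192.0.2.0/26 for the bastion segment, 192.0.2.64/26 for the web segment, 10.0.0.0/8 inside), the zone names, the port list and the "weak" variant of the policy are all constructed for illustration.

```python
"""Model of a DMZ split into two security zones behind an ACL-protected
access router. Added example; addresses, zone names and rules are
constructed, not taken from any real deployment."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing. "internet" is the default for anything else.
ZONES = {
    "dmz_bastion": ip_network("192.0.2.0/26"),   # mail/news relays, DNS
    "dmz_web": ip_network("192.0.2.64/26"),      # public web servers
    "internal": ip_network("10.0.0.0/8"),        # private network
}


def zone_of(addr: str) -> str:
    """Map an IP address to its security zone; unknown space is the Internet."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str            # source zone
    dst: str            # destination zone
    dport: int | None   # destination port, None = any port
    action: str         # "allow" or "deny"


# Ordered ACL, first match wins, anything unmatched is denied. Each segment
# is reachable from the Internet only on the services it exists to provide,
# and the web segment may not initiate connections to the bastion segment
# or to the internal network: no trust relationship crosses the segments.
ACL = [
    Rule("internet", "dmz_web", 80, "allow"),
    Rule("internet", "dmz_web", 443, "allow"),
    Rule("internet", "dmz_bastion", 25, "allow"),     # inbound SMTP relay
    Rule("internet", "dmz_bastion", 53, "allow"),     # DNS
    Rule("internet", "dmz_bastion", 119, "allow"),    # NNTP
    Rule("dmz_bastion", "internet", None, "allow"),   # relays deliver outbound
    Rule("dmz_bastion", "internal", 25, "allow"),     # hand mail to the inside hub
    Rule("dmz_web", "dmz_bastion", None, "deny"),     # explicit, for readability
    Rule("dmz_web", "internal", None, "deny"),
]

# A constructed weaker policy: letting web servers query the bastion DNS
# directly is exactly the kind of cross-segment trust the FAQ warns about.
WEAK_ACL = ACL[:7] + [Rule("dmz_web", "dmz_bastion", 53, "allow")] + ACL[7:]


def evaluate_zones(src: str, dst: str, dport: int, acl=ACL) -> str:
    """Decide a flow between two zones: first matching rule, else deny."""
    for r in acl:
        if r.src == src and r.dst == dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


def evaluate(src_ip: str, dst_ip: str, dport: int, acl=ACL) -> str:
    """Decide a flow between two concrete addresses."""
    return evaluate_zones(zone_of(src_ip), zone_of(dst_ip), dport, acl)


DMZ_ZONES = ("dmz_bastion", "dmz_web")
# Ports a reviewer would probe for cross-segment reachability (constructed list).
COMMON_PORTS = (22, 25, 53, 80, 111, 443, 514, 2049)


def cross_segment_allowances(acl=ACL) -> list[tuple[str, str, int]]:
    """List every (src_zone, dst_zone, port) one DMZ segment may open to the
    other. An empty list means the ACL grants no trust between segments."""
    found = []
    for s in DMZ_ZONES:
        for d in DMZ_ZONES:
            if s == d:
                continue
            for p in COMMON_PORTS:
                if evaluate_zones(s, d, p, acl) == "allow":
                    found.append((s, d, p))
    return found


if __name__ == "__main__":
    print("internet -> web:443     ", evaluate("203.0.113.5", "192.0.2.70", 443))
    print("web -> bastion:22       ", evaluate("192.0.2.70", "192.0.2.10", 22))
    print("web -> internal:445     ", evaluate("192.0.2.70", "10.1.2.3", 445))
    print("bastion -> internal:25  ", evaluate("192.0.2.10", "10.1.2.3", 25))
    print("cross-segment (ACL):    ", cross_segment_allowances())
    print("cross-segment (WEAK_ACL):", cross_segment_allowances(WEAK_ACL))
```

The `cross_segment_allowances` check is the kind of review worth running whenever the router ACL changes: it reports every port on which one zone can reach the other, so a rule that quietly reintroduces trust (here, the web segment using the bastion segment's DNS) shows up immediately. Note that the ACL only governs what the router forwards; the FAQ's second point, that a compromised host on the same ethernet can sniff the bastion host's traffic, is addressed by the separate segments themselves, not by any rule in this table.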

You can also increase the scalability of your architecture by placing hosts
on different networks. The fewer machines that there are to share the
available bandwidth, the more bandwidth that each will get.
