At 16:00 +0700 11/23/96, "Daniel Salenger" <dsalenger@dttus.com> wrote:
[...]
> I am working with a client that has the following configuration:
>
>
> {Internet}--[ISP]--[Firewall-1]-[WWW server]-[router]--[internal net]
>
[...]
> My train of thought is that if the WWW server is compromised
> (Firewall-1 does not seem to look at the 'insides' of the HTTP packet
> traffic to look for harmful commands and buffer overflows, etc...)
> then an attacker would have a launching point for the next phase of
> the attack which would be against the router. Any thoughts or
> opinions concerning this situation?
Sure. Remove second interface from web server. Add a third interface to firewall-1. Make it look like this:
{Internet}--[ISP]--[Firewall-1]-[router]--[internal net]
                        |
                   [WWW server]
This way, when the www server is compromised, the attacker will *still* have to break through the firewall to do any more harm. Furthermore, you can make FW-1 set off all kinds of alarms if somebody tries to telnet (or whatever) from your www server.
Also, your internal net doesn't have to go through your web server to get out to surf the Internet (unless you configure FW-1 to force them to...).
Another thing: Put the proxies on your web server, *not* on the firewall. It makes the firewall harder to crack, and improves its performance.
Unrelated Question: What does your ISP think of connecting to a Solaris/NT/HPUX box instead of to a router? Do they care? Is your FW-1 box talking PPP to them?
I'd have thought they'd prefer to talk to a router, like this:
{Internet}--[ISP]-[router]--[Firewall-1]--[internal net]
                                 |
                            [WWW server]
This way, the FW-1 box wouldn't need any serial interfaces... or are you using a cable modem?
Regards,
Don <pollock@houston.omnes.net>
Network Systems Engineer  +1 713 513 3017
Omnes - A Schlumberger/Cable & Wireless Company  http://www.omnes.net/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The true mark of intelligence is to learn from the experiences of others.
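To make the difference between the two layouts concrete, here is an added Python model (not from the original post and not Firewall-1 configuration): it checks whether the web server can reach the internal net without crossing Firewall-1 in each topology, and evaluates an assumed, illustrative rule set for the three-legged design.

```python
from collections import deque

# Topologies transcribed from the two ASCII diagrams above (constructed here,
# not from the original post). Links are listed one way; the graph is undirected.
ORIGINAL = {           # web server has two interfaces and bridges FW-1 to the router
    "internet": {"isp"}, "isp": {"firewall"}, "firewall": {"www"},
    "www": {"router"}, "router": {"internal"},
}
THREE_LEGGED = {       # web server hangs off a third firewall interface
    "internet": {"isp"}, "isp": {"firewall"}, "firewall": {"router", "www"},
    "router": {"internal"},
}

def _undirected(links):
    g = {}
    for a, bs in links.items():
        for b in bs:
            g.setdefault(a, set()).add(b)
            g.setdefault(b, set()).add(a)
    return g

def reachable_without(links, src, dst, chokepoint):
    """True if src reaches dst on some path that never touches `chokepoint`.
    For a DMZ host and the internal net, the answer should be False."""
    g = _undirected(links)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in g.get(node, ()):
            if nxt != chokepoint and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

# Illustrative (assumed) policy for the three-legged firewall: first match wins,
# anything unmatched is dropped. A port of None means any port.
RULES = [
    ("internet", "www", 80, "accept"),
    ("internal", "internet", None, "accept"),  # internal users surf out via FW-1
    ("www", "internal", None, "drop+alert"),   # DMZ host probing inward
    ("www", "internet", None, "drop+alert"),   # DMZ host reaching out (telnet etc.)
]

def decide(src, dst, port):
    for rule_src, rule_dst, rule_port, action in RULES:
        if rule_src == src and rule_dst == dst and rule_port in (None, port):
            return action
    return "drop"
```

In the original layout `reachable_without(ORIGINAL, "www", "internal", "firewall")` is True, which is exactly the launching-point problem described in the question; in the three-legged layout it is False, and any inward attempt from the web server hits an alerting rule instead.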