Great Circle Associates Firewalls
(November 1996)

Subject: Re: DMZ
From: "John H. Gilley" <jgilley @ ix . netcom . com>
Organization: ATisket-ATasket
Date: Sat, 23 Nov 1996 09:39:41 -0600
To: Firewalls @ GreatCircle . COM
Cc: dsalenger @ dttus . com
References: <v03007800aebc9c5e4bdd @ [163 . 184 . 7 . 244]>
Reply-to: jgilley @ ix . netcom . com

Don Pollock - Omnes - Engineering wrote:
> 
> At 16:00 +0700 11/23/96, "Daniel Salenger" <dsalenger @ dttus . com> wrote:
> [...]
> >     I am working with a client that has the following configuration:
> >
> >
> >     {Internet}--[ISP]--[Firewall-1]-[WWW server]-[router]--[internal net]
> >
> [...]
> >     My train of thought is that if the WWW server is compromised
> >     (Firewall-1 does not seem to look at the 'insides' of the HTTP packet
> >     traffic to look for harmful commands and buffer overflows, etc...)
> >     then an attacker would have a launching point for the next phase of
> >     the attack which would be against the router.  Any thoughts or
> >     opinions concerning this situation?
> 
> Sure.   Remove second interface from web server.  Add a third interface to firewall-1. Make it look like this:
> 
>      {Internet}--[ISP]--[Firewall-1]-[router]--[internal net]
>                               |
>                          [WWW server]
> 
> This way, when the www server is compromised, the attacker will *still* have to break through the firewall to do any more harm.  Furthermore, you can make FW-1 set off all kinds of alarms if somebody tries to telnet (or whatever) from your www server.
> 
> Also, your internal net doesn't have to go through your web server to get out to surf the Internet (unless you configure FW-1 to force them to...).
> 
> Another thing:  Put the proxies on your web server, *not* on the firewall.  It makes the firewall harder to crack, and improves its performance.
> 
> Unrelated Question:  What does your ISP think of connecting to a Solaris/NT/HPUX box instead of to a router?  Do they care?  Is your FW-1 box talking PPP to them?
> 
> I'd have thought they'd prefer to talk to a router, like this:
> 
>      {Internet}--[ISP]-[router]--[Firewall-1]--[internal net]
>                                       |
>                                 [WWW server]
> 
> This way, the FW-1 box wouldn't need any serial interfaces.... or are you using a cablemodem?
> 



An optimal solution, for performance reasons would be for something
like this:

[Internet]---[ISP]-----[router] [WWW Server][Firewall-1]------[internal network]
                              \    |         /
                               \   |        /
                                \  |       /
                                 \ |      /
                                 [Concentrator]

Put the WWW-Server on a concentrator with the first router && FW-1.
Use filtering to create your initial traffic flow.  I would also
put a filtering package on the WWW-Server, something like ipfilter (by
Darren Reed).  This way, you can use ACLs to direct traffic from
the router.

Cheers,

jgilley
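A host-based ruleset of the kind jgilley suggests for the WWW server, added here as an example and not part of the original message or of IPFilter's own documentation. It uses IPFilter (ipf.conf) syntax and assumes the server's single interface is le0 at 192.0.2.10, the internal network behind Firewall-1 is 10.0.0.0/8, the ISP resolver is 192.0.2.53 and an admin host sits at 192.0.2.20 (all placeholder addresses).

```conf
# Added example: IPFilter ruleset for the WWW server on the concentrator segment.
# Assumptions (placeholders, not taken from the original message):
#   le0          = the server's only interface
#   192.0.2.10   = the WWW server's own address
#   192.0.2.53   = the ISP's resolver
#   192.0.2.20   = the administrator's workstation
#   10.0.0.0/8   = the internal network behind Firewall-1

# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Default deny in both directions, logged, so an attempt to use the server
# as a launching point toward the router or the internal net leaves a trace.
block in log all
block out log all

# Anything the WWW server itself originates toward the internal network is
# dropped and logged, whatever the protocol.  "quick" makes this rule final,
# so no later pass rule can override it; "ipfstat -hio" shows its hit count.
block out log quick on le0 from 192.0.2.10/32 to 10.0.0.0/8

# Serve HTTP to the Internet.  "flags S" matches only connection requests;
# "keep state" lets the replies back out without a separate pass out rule.
pass in quick on le0 proto tcp from any to 192.0.2.10/32 port = 80 flags S keep state

# The server may resolve names through the ISP's resolver only.
pass out quick on le0 proto udp from 192.0.2.10/32 to 192.0.2.53/32 port = 53 keep state

# Remote administration only from the named admin host, never from the
# Internet side.
pass in quick on le0 proto tcp from 192.0.2.20/32 to 192.0.2.10/32 port = 22 flags S keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf`; the logged drops from the "block out" rules are the signal Don Pollock describes, an alarm whenever something on the web server tries to reach inward.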

