NOTE: The choice of a wireless ISP should be governed by the same requirements as that for a traditional ISP. Any ISP should be able to provide a service-level agreement and back up that agreement with sound management practices.
Addressing
Another issue that must be resolved when working with multiple ISPs is addressing. Normally, when working with a single ISP, the ISP assigns an address space to the organization. The ISP configures routing so that traffic destined for the organization finds its way to the organization's systems. The ISP also advertises the route to those addresses to other ISPs so that traffic from all over the Internet can reach the organization's systems.
When multiple ISPs are involved in the architecture, you must determine which addresses will be used. One ISP or the other may supply the addresses. In this case, routing through that ISP works as normal, and the other ISP must agree to advertise a route to address space that belongs to the first ISP. This configuration requires a strong understanding of the way BGP works so that traffic routes appropriately. Announcing another provider's address space is also something the owning ISP must agree to, which is one reason the question has to be raised early.
Another option is for the organization to obtain its own address space (provider-independent addresses). While this resolves some of the issues, it creates others. Now both ISPs must be willing to advertise routes to addresses that they do not own.
NOTE: The addressing and routing issues should be discussed with the ISPs before contracts are signed. This issue is not easy to resolve without the full cooperation of both ISPs.
The final option is to use addresses from both ISPs. In this case, some systems will be given addresses from one ISP and other systems will be given addresses from the other ISP. This architecture does not truly resolve the availability issues, since each system is still reachable only through the ISP whose addresses it carries, and should not be used if it can be avoided.
DEMILITARIZED ZONE
DMZ stands for "demilitarized zone." It is commonly used to refer to a portion of the network that is not truly trusted. The DMZ provides a place in the network to segment off systems that are accessed by people on the Internet from those that are only accessed by employees. DMZs can also be used when dealing with business partners and other outside entities.
Defining the DMZ
The DMZ is created by providing a semi-protected network zone. The zone is normally delineated with network access controls, such as firewalls or heavily filtered routers. The network access controls then set the policy to determine which traffic is allowed into the DMZ and which traffic is allowed out of the DMZ (see Figure 9-7). In general, any system that can be directly contacted by an external user should be placed in the DMZ.
Systems that can be directly accessed by external systems or users are the first systems to be attacked and potentially compromised. These systems cannot be fully trusted since they could be compromised at any time. Therefore, we try to restrict the access that these systems have to truly sensitive systems on the internal network.
General access rules for the DMZ are to allow external users to access the appropriate services on DMZ systems. DMZ systems should be severely restricted from accessing internal systems. If possible, the internal system should initiate the connection to the DMZ system, so that a compromised DMZ host has no standing path inward. Internal systems can access the DMZ or the Internet as policy allows, but no external users may access internal systems.
Systems to Place in the DMZ
So now we have a general policy for the DMZ and we have a list of services that will be offered over the Internet. What systems should actually be placed in the DMZ? Let's take a look at each specific service.
Figure 9-7. General DMZ policy rules
Figure 9-8 shows the services that may be offered in a DMZ. Notice that there is an internal and an external mail server. The external mail server is used to receive inbound mail and to also send outbound mail. New mail is received by the external mail server and is passed on to the internal mail server. The internal mail server passes outbound mail to the external server. Ideally, this is all done by the internal mail server requesting the mail from the external mail server.
Some firewalls offer a mail server. If the firewall mail server is used, it functions as the external mail server. In this case, the external mail server becomes redundant and can be removed.
NOTE: If mail servers are truly critical to operations, redundant mail servers should be placed both inside and in the DMZ.
Figure 9-8. Layout of systems between the DMZ and the internal network
Publicly accessible Web servers are placed in the DMZ. From Figure 9-8, you can also see an application server in the DMZ. Many Web sites offer active content based on user input. This user input is processed and information is called up from a database. The database contains the sensitive information and thus is not a good choice for the DMZ. The Web server itself could communicate back to the database server, but the Web server is accessible from the outside and thus is not completely trusted. In this case, it is best to use a third system to house the application that actually communicates with the database. The Web server receives the user's input and provides it to the application server for processing. The application server calls the database to request the appropriate information and provides the information to the Web server for delivery to the user.
While this may seem complicated, this architecture provides protection to the database server and offloads the query processing from the Web server. The application server is still a DMZ system, so the rule that lets it reach the database should be limited to that one host and that one database port; what the extra tier buys is that an attacker who takes the Web server has no direct path to the data.
Externally Accessible Systems
All externally accessible systems should be placed in the DMZ. Keep in mind as well that if a system is accessible via an interactive session (such as telnet or SSH), the users will have the capability to perform attacks against other systems in the DMZ. You may prefer to create a second DMZ for such systems to protect other DMZ systems from attack.
Control Systems
External DNS servers should exist in the DMZ. If your organization plans to host its own DNS, the DNS server must be accessible for queries from the outside. DNS will also be a critical part of your organization's infrastructure. Because of this, you may choose to have redundant DNS systems or to have your ISP act as an alternate DNS. If you choose to do the latter, the ISP's DNS will need to perform zone transfers from your DNS. No other system should need to perform these transfers, so the DNS server should be configured to refuse zone transfer requests from any address other than the ISP's secondary.
If you choose to use NTP, the primary local NTP server should exist in the DMZ. Internal systems then will query the primary local NTP server for time updates. Alternatively, the firewall can act as your primary local NTP server.
Appropriate DMZ Architectures
There are many DMZ architectures. As with most things in security, there are advantages and disadvantages to each of them, and it becomes a matter of determining which architecture is most appropriate for each organization. In the next three sections, we will look at three of the more common architectures in detail.
NOTE: Each of the DMZ architectures discussed here includes firewalls, which are discussed in detail in the "Firewalls" section later in this chapter.
Router and Firewall
Figure 9-9 shows a simple router and firewall architecture. The router is connected to the link from the ISP and to the organization's external network. The firewall controls access to the internal network.
The DMZ becomes the same as the external network, and systems that are to be accessed from the Internet are placed here. Since these systems are placed on the external network, they are completely open to attack from the Internet. To somewhat reduce the risk of compromise, filters can be placed on the router so that the only traffic that is allowed into the DMZ is traffic to services offered by DMZ systems.
Another way to reduce the risk to the systems is to lock them down so that the only services running on each system are those that are being offered on the DMZ. This means that Web servers are only running a Web server. Telnet, FTP, and other services must be shut down. The systems should also be patched to the most current level and watched carefully.
In many cases, the router will belong to and be managed by the ISP. If this is the case, it may become a problem to change the filters or to get them set correctly. If the router is owned and managed by the organization, this is not as much of a problem. However, keep in mind that routers tend to use command-line configuration controls, and the filters must be set appropriately and in the correct order to work properly: on most routers an access list is evaluated top to bottom and the first matching entry decides, so a broad permit placed above a specific deny silently disables the deny.
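The general DMZ access rules from the "Defining the DMZ" section, the Web/application/database split, and the ordering pitfall just described can all be checked mechanically before a filter is loaded. The following Python is an added example, not code from the book or from any router or firewall product: it evaluates a default-deny rule set first-match, the way an access list or firewall policy is evaluated, and then reports rules that can never match because an earlier, broader rule shadows them. The zone plan (192.0.2.0/24 for the DMZ, 10.0.0.0/8 internal), the host addresses, the ports and the rule order are assumptions made for the illustration.

```python
"""Default-deny DMZ policy evaluated first-match, plus a shadowed-rule check.

Added example for this chapter, not the book's own code. The zone plan,
hosts, ports and rule order below are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed zone plan: a documentation range for the DMZ, RFC 1918 space inside.
ZONES = {
    "external": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
NAMED = ("dmz", "internal")  # "external" is everything not in these two


@dataclass(frozen=True)
class Rule:
    src: str              # zone name or CIDR
    dst: str              # zone name or CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


def _net(spec):
    return ZONES[spec] if spec in ZONES else ipaddress.ip_network(spec)


def zone_of(ip):
    ip = ipaddress.ip_address(ip)
    return next((z for z in NAMED if ip in ZONES[z]), "external")


def _hits(spec, ip):
    if spec == "external":
        return zone_of(ip) == "external"
    return ipaddress.ip_address(ip) in _net(spec)


def evaluate(rules, src, dst, proto, dport):
    """First matching rule decides; nothing matched means deny."""
    for i, r in enumerate(rules):
        if (_hits(r.src, src) and _hits(r.dst, dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action, i
    return "deny", None


def _covers(a, b):
    """True if every address matched by spec b is also matched by spec a."""
    if a == "external":
        return b == "external" or not any(_net(b).overlaps(ZONES[z]) for z in NAMED)
    return b != "external" and _net(b).subnet_of(_net(a))


def shadowed(rules):
    """Indices of rules that can never match because an earlier rule is broader."""
    dead = []
    for j, r in enumerate(rules):
        for e in rules[:j]:
            if (_covers(e.src, r.src) and _covers(e.dst, r.dst)
                    and e.proto in ("any", r.proto) and e.dport in (None, r.dport)):
                dead.append(j)
                break
    return dead


# Assumed hosts: 192.0.2.10 Web, 192.0.2.20 application, 192.0.2.25 external
# mail (all DMZ); 10.1.1.5 database, 10.1.1.25 internal mail (both internal).
POLICY = [
    Rule("external", "192.0.2.10/32", "tcp", 443, "allow"),        # users -> Web server
    Rule("external", "192.0.2.25/32", "tcp", 25, "allow"),         # inbound mail
    Rule("192.0.2.10/32", "192.0.2.20/32", "tcp", 8080, "allow"),  # Web -> application
    Rule("192.0.2.20/32", "10.1.1.5/32", "tcp", 5432, "allow"),    # application -> database: the one hole inward
    Rule("dmz", "internal", "any", None, "deny"),                  # everything else from the DMZ inward
    Rule("internal", "dmz", "any", None, "allow"),                 # internal side initiates (mail pickup etc.)
    Rule("internal", "external", "tcp", 443, "allow"),             # outbound Web as policy allows
]

# The ordering mistake: a broad allow placed first makes the two specific
# external->DMZ permits dead and lets any port on any DMZ host through.
MISORDERED = [Rule("external", "dmz", "any", None, "allow")] + POLICY

if __name__ == "__main__":
    print(evaluate(POLICY, "192.0.2.10", "10.1.1.5", "tcp", 5432))        # ('deny', 4): Web may not touch the DB
    print(evaluate(POLICY, "192.0.2.20", "10.1.1.5", "tcp", 5432))        # ('allow', 3)
    print(shadowed(MISORDERED))                                           # [1, 2]
    print(evaluate(MISORDERED, "198.51.100.7", "192.0.2.10", "tcp", 22))  # ('allow', 0)
```

Running shadowed() over a rule set before loading it catches the mistake from the previous paragraph: in MISORDERED the broad allow at the top turns the two specific permits into dead rules, and the same SSH probe that POLICY drops is accepted. The explicit dmz-to-internal deny ahead of the internal-to-dmz allow is deliberate, so that a compromised DMZ host's attempts are matched, and logged, by a rule of their own rather than falling through to the implicit default.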
Figure 9-9. Router and firewall DMZ architecture
Single Firewall
A single firewall can be used to create a DMZ. When a single firewall is used, the DMZ is differentiated from the external network, as shown in Figure 9-10. The external network is formed by the ISP router and the firewall. The DMZ is established off a third interface on the firewall. The firewall alone controls access to the DMZ.
Using the single-firewall architecture, all traffic is forced through the firewall. The firewall should be configured to allow traffic only to the appropriate services on each DMZ system. The firewall will also provide logs on what traffic is allowed and what traffic is denied.
The firewall does become a single point of failure and a potential bottleneck for traffic. If availability is a key security issue in the overall architecture, the firewall should be in a fail-over configuration. Likewise, if the DMZ is expected to attract a large amount of traffic, the firewall must be able to handle it as well as internal traffic destined for the Internet.
Administration of this architecture is simplified over the router and firewall in that only the firewall must be configured to allow or disallow traffic. The router does not require filters, although some filtering may make the firewall more efficient. In addition, the systems in the DMZ are somewhat protected by the firewall, and thus the need to completely secure them is reduced.
150 Network Security: A Beginner’s Guide
Figure 9-10. Single-firewall DMZ architecture
NOTE: I am not suggesting that insecure systems may be left in the DMZ. I am only suggesting that the firewall provides protection in the same manner as the filtering router and thus alleviates some of the need to remove unnecessary services.
Dual Firewalls
A third architecture for a DMZ is shown in Figure 9-11. This architecture uses two firewalls to separate the DMZ from the external and internal networks. The external network is still defined by the ISP router and the first firewall. The DMZ now exists between firewall #1 and firewall #2. Firewall #1 is configured to allow traffic to the services offered by DMZ systems as well as all outbound internal traffic. Firewall #2 is configured much more restrictively, so as to allow only traffic that originates on the internal network and is bound for the DMZ or the Internet.
The dual-firewall architecture requires that firewall #1 be able to handle significant traffic loads if the DMZ systems are expecting a lot of traffic. Firewall #2 can be a less capable system since it will only handle internal traffic. The firewalls can be two different types as well. This configuration may increase overall security, as a single attack is unlikely to compromise both firewalls. Like the single-firewall architecture, the DMZ systems are protected from the Internet by firewall #1.
Figure 9-11. Dual-firewall DMZ architecture
Dual firewalls do increase the cost of the architecture and require additional management and configuration.
FIREWALLS
Firewalls have been mentioned a fair amount in the preceding sections of this chapter (and have been mentioned in various other chapters as well). A firewall is a network access control device that is designed to deny all traffic except that which is explicitly allowed. This definition contrasts with a router, which is a network device that is intended to route traffic as fast as possible.
Some will argue that a router can be a firewall. I will agree that a router can perform some of the functions of a firewall, but one key difference remains: a router is intended to route all traffic as fast as possible, not to deny traffic. Perhaps a better way to differentiate a router and a firewall is to say that a firewall is a security device that can allow appropriate traffic to flow, while a router is a network device that can be configured to deny certain traffic.
In addition to this, firewalls generally provide a more granular level of configuration. Firewalls can be configured to allow traffic based on the service, the IP address of the source or destination, or the ID of the user requesting service. Firewalls can also be configured to log all traffic. Firewalls can perform a centralized security management function. In one configuration, the security administrator can define allowed traffic to all systems within an organization from the outside. While this does not alleviate the need to properly patch and configure systems, it does remove some of the risk that one or more systems may be misconfigured and thus open to attack on an inappropriate service.
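The logging just mentioned is what lets you see a DMZ host doing what the "Defining the DMZ" section warns about: a system that has been compromised and is now reaching inward. The following Python is an added example, not code from the book: it parses firewall deny records, keeps only flows from the DMZ into the internal network, and flags sources that were denied at several distinct internal services. The record format (netfilter-style key=value fields behind an assumed FW-DENY/FW-ALLOW log prefix), the sample lines and the zone ranges are all constructed for the example.

```python
"""Hunt firewall deny logs for DMZ hosts that are probing the internal network.

Added example, not the book's own code. The log records are constructed in the
netfilter "key=value" style with an assumed "FW-DENY"/"FW-ALLOW" log prefix, and
the zone plan (192.0.2.0/24 DMZ, 10.0.0.0/8 internal) is likewise assumed.
"""
import ipaddress
import re
from collections import defaultdict

DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ACTION = re.compile(r"\bFW-(DENY|ALLOW)\b")
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample: one DMZ Web server sweeping internal services, the
# external mail server trying to push mail inward, and assorted other noise.
SAMPLE_LOG = """\
Mar  4 10:15:01 fw kernel: FW-DENY IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.1.1.5 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  4 10:15:02 fw kernel: FW-DENY IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.1.1.5 PROTO=TCP SPT=51235 DPT=5432 SYN
Mar  4 10:15:03 fw kernel: FW-DENY IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.1.1.25 PROTO=TCP SPT=51236 DPT=25 SYN
Mar  4 10:15:04 fw kernel: FW-DENY IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.1.1.25 PROTO=TCP SPT=51237 DPT=445 SYN
Mar  4 10:15:05 fw kernel: FW-ALLOW IN=eth1 OUT=eth2 SRC=192.0.2.20 DST=10.1.1.5 PROTO=TCP SPT=40000 DPT=5432 SYN
Mar  4 10:15:06 fw kernel: FW-DENY IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=22 SYN
Mar  4 10:15:07 fw kernel: FW-DENY IN=eth1 OUT=eth2 SRC=192.0.2.25 DST=10.1.1.25 PROTO=TCP SPT=34000 DPT=25 SYN
Mar  4 10:15:08 fw kernel: FW-DENY IN=eth2 OUT=eth0 SRC=10.1.1.25 DST=198.51.100.7 PROTO=UDP SPT=5353 DPT=5353
this line is not a firewall record at all
"""


def parse(line):
    """Return the fields of one firewall record, or None for anything else."""
    action = ACTION.search(line)
    fields = dict(FIELD.findall(line))
    if action is None or not {"SRC", "DST"}.issubset(fields):
        return None
    return {
        "action": action.group(1).lower(),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", "?").lower(),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def dmz_to_internal(log):
    """Map each DMZ source to the set of (dst, dport) it was denied reaching inside."""
    hits = defaultdict(set)
    for line in log.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] != "deny":
            continue
        if (ipaddress.ip_address(rec["src"]) in DMZ
                and ipaddress.ip_address(rec["dst"]) in INTERNAL):
            hits[rec["src"]].add((rec["dst"], rec["dport"]))
    return dict(hits)


def probing_hosts(log, min_targets=3):
    """DMZ hosts denied at min_targets or more distinct internal services.

    One denied attempt is usually a misconfiguration; a host walking through
    several internal services behaves like a compromised DMZ system."""
    return sorted(src for src, targets in dmz_to_internal(log).items()
                  if len(targets) >= min_targets)


if __name__ == "__main__":
    for src, targets in sorted(dmz_to_internal(SAMPLE_LOG).items()):
        print(src, sorted(targets))
    print("probing:", probing_hosts(SAMPLE_LOG))  # ['192.0.2.10']
```

On the constructed sample, the external mail server shows up once (a push toward the internal mail server that the policy expects to go the other way, worth a configuration check) while the Web server shows up against four distinct internal services and is the one to treat as compromised. The allowed application-to-database flow, the external scan of the DMZ and the internal host's outbound UDP are all ignored because the question being asked is specifically "which DMZ hosts are reaching inward".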
Sensitive Internal Networks
Firewalls should not be limited to use only on Internet connections. A firewall is a network access control device that can be used anywhere that access must be controlled. This includes internal networks that should be protected from other internal systems. Sensitive internal networks may include systems with extremely important information or functions, or networks that conduct experiments on network equipment.
A good example of a sensitive network can be found in banks. Every evening banks communicate with the Federal Reserve System to transfer funds. A failure here can cost the bank large sums of money. The systems that control this communication are very sensitive and important to the bank. A firewall could be installed to restrict access to these systems from other parts of the bank.