[Techtalk] DMZs, etc.

Malcolm Tredinnick malcolm at commsecure.com.au
Tue Dec 11 02:25:20 EST 2001


On Mon, Dec 10, 2001 at 11:50:28AM -0500, Michelle Murrain wrote:
> At 11:29 AM 12/10/2001, Malcolm Tredinnick wrote:
[...]
> >It partly comes down to risk management: how bad is it if somebody
> >breaks into your internal machines and can read or alter all of the data
> >there?
> 
> Well, there is my financial info - I think that's the most sensitive stuff 
> there is.

If losing it is just embarrassing and you have some kind of regular
backup regime so that destroying it is only annoying, then you know what
the downsides are.

> >  This is the worst case if your firewall is breached in the
> >situation you describe. Now back up a little bit and assume that the
> >internal machines are at least a little bit protected (I don't know
> >if they are or not, I'm just listing what I would check). Assume the
> >firewall is breached, how likely is it that information on the
> >internal machines is vulnerable? If the internal machines are
> >basically copies of the firewall, then the answer would be "extremely
> >likely", for example.
> 
> What do you mean by "copies of the firewall"? Same usernames and
> passwords, same distro?

Not quite that much of a "copy". I was more thinking along the lines of
the case where you have basically the same software installed (so the
"same distro" scenario, for example). The problem you face then is if a
vulnerability is discovered on the firewall box, it is going to provide
an open door to the internal box as well. In a practical case this would
be mitigated by having nothing that isn't truly required on the firewall
box, so it would contain the bare minimum from a security point of view.
Then you hope that there isn't a huge exploitable hole in those pieces
of software, etc (which is just normal firewall stuff, whatever it is
protecting).

> The internal machines running Linux would all be, to some 
> extent or another battened down, running snort, etc. The windows machine, 
> is well, a windows machine, but it has virtually no documents (that's on a 
> linux fileserver), and I'm not worried about the Macintosh - it's not on 
> much. I'm setting up NFS to make it easier to share code between my 
> fileserver (which also does CVS) and my development box. Do I care whether 
> people can read my crappy code? Well, it is open-source, after all. :-)

All sounds reasonable. But what if somebody breaks into the windows box?
Can they then browse the aforementioned financial records with impunity?
Of course, we can play this game forever (what if they break through
that defense and that one and that one...?), so it's probably a better
use of effort to stop them getting that far in the first place. I really
don't know enough about Windows security to even begin to evaluate their
place in a network, so I tend to treat them as "not to be trusted except
when unplugged".

> >After reading your question a couple of times, I'm not completely sure
> >about where the single firewall you are talking about will go. One big
> >disadvantage of having all your traffic to both the servers and the
> >internal network go through a single box is that logging is much harder
> >due to the volume. If, on the other hand, you have a firewall that just
> >guards the internal network, then logging connection attempts to that
> >from the outside is a much lower volume proposition. Similarly, other
> >auditing procedures are easier.
> 
> Ah, I see. That makes some sense.  So one strategy would be to plug the 
> external servers directly into a hub connected to the router, then have the 
> firewall between the hub and another hub serving the internal network. 
> Secure the external servers separately. The firewall would also do NAT/DHCP 
> for the internal network.

With two network interfaces on the firewall box, somebody breaking into
the server boxes can't snoop your internal traffic so easily, either.
However, putting the DHCP server on the firewall box makes me nervous.
Why not keep that on the internal network (the file server, say) so that
it's harder to get information about.  Certainly you can do the NAT
stuff from the firewall box.

As far as plugging the servers directly into the router, you just have
to then remember that they are pulling double-duty as firewalls (for
themselves) as well, so they need to be kept up to date and have valid
iptables setups, etc. Not impossible by any means.

Cheers,
Malcolm

-- 
Quantum mechanics: the dreams stuff is made of.
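The two-interface firewall Malcolm describes above (router and external servers on one hub, the firewall's outside interface on that hub, its inside interface on the internal hub, NAT for the internal network, DHCP left on an internal host, and low-volume logging of connection attempts from outside) can be expressed as a small iptables ruleset. The script below is an added example written for this thread, not something posted by either correspondent; the interface names (eth0 outside, eth1 inside), the internal address range and the "FW-" log prefixes are assumptions, and the DRY_RUN switch prints the commands instead of applying them so the ruleset can be reviewed on a box without root or iptables.

```shell
#!/bin/sh
# Constructed example: rules for a two-interface firewall that only
# guards the internal network. The external servers sit outside it, on
# the hub with the router, and protect themselves.
#
# Assumed names (not from the original thread):
OUTSIDE=${OUTSIDE:-eth0}                 # toward router / external-server hub
INSIDE=${INSIDE:-eth1}                   # toward the internal hub
INTERNAL_NET=${INTERNAL_NET:-192.168.1.0/24}

# Print the rules instead of applying them when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # Start clean, default to dropping anything not explicitly allowed.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and replies to connections the firewall itself opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Admin access to the firewall only from the internal side.
    ipt -A INPUT -i "$INSIDE" -s "$INTERNAL_NET" -p tcp --dport 22 -j ACCEPT

    # Replies to connections the internal hosts opened.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internal hosts may originate connections outward; nothing from
    # outside may originate a connection inward (FORWARD policy is DROP).
    ipt -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$INTERNAL_NET" -j ACCEPT

    # Anti-spoofing: a packet claiming an internal source address must
    # never arrive on the outside interface.
    ipt -A INPUT -i "$OUTSIDE" -s "$INTERNAL_NET" -j DROP
    ipt -A FORWARD -i "$OUTSIDE" -s "$INTERNAL_NET" -j DROP

    # Log new connection attempts from outside before they hit the DROP
    # policy. Because only traffic aimed at the internal network passes
    # here, the volume stays small; the limit keeps a flood from filling
    # the log anyway.
    ipt -A INPUT -i "$OUTSIDE" -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "FW-IN-NEW: "
    ipt -A FORWARD -i "$OUTSIDE" -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-NEW: "

    # NAT for the internal network; no DHCP here, that stays on an
    # internal host as suggested in the thread.
    ipt -t nat -A POSTROUTING -o "$OUTSIDE" -s "$INTERNAL_NET" -j MASQUERADE
}

# Apply only when explicitly asked; otherwise the functions above are
# available for review (DRY_RUN=1 sh script.sh --apply prints them).
if [ "${1:-}" = "--apply" ]; then
    firewall_rules
fi
```

Two things to check after loading this on a real box: that IP forwarding is enabled in the kernel (the FORWARD chain does nothing otherwise), and that the LOG rules do produce entries in the kernel log when a new connection arrives on the outside interface, since those entries are exactly the low-volume audit trail the thread is after.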


