[Techtalk] DMZs, etc.

Malcolm Tredinnick malcolm at commsecure.com.au
Tue Dec 11 01:29:19 EST 2001


On Mon, Dec 10, 2001 at 10:55:55AM -0500, Michelle Murrain wrote:
> I have a question regarding DMZs:
> 
> I know that DMZs are, basically, best practice for network design. Question 
> is: what if the network is primarily made up of servers that provide 
> internet services (web, mail, dns), with only a few computers that are on 
> an internal network. In this scenario, would a single firewall, plus NAT 
> for the internal computers be enough practically (along with running snort 
> etc. on any internal boxes)?  What if NFS is running on the internal 
> computers (but not the web servers, etc.)? Does this up the ante some?
> 
> Or, could you use one of the internet servers as the first firewall?
> 
> I'm basically trying to set up a secure system, but with as few boxen as 
> possible (keep it cheap, and keep my office from getting too hot!)

These sorts of questions usually generate a lot of mail on this list, so
I'll try to be brief and not embarrass myself too much (both of which are
hard):

Let's assume for the moment that the main risk you are guarding against
is somebody breaking _in_ to your system. So you are not sitting on a T3
and worried about your 1000 machines being used to DoS some other
system.

It partly comes down to risk management: how bad is it if somebody
breaks into your internal machines and can read or alter all of the data
there? This is the worst case if your firewall is breached in the
situation you describe. Now back up a little bit and assume that the
internal machines are at least a little bit protected (I don't know if
they are or not, I'm just listing what I would check). Assume the
firewall is breached, how likely is it that information on the internal
machines is vulnerable? If the internal machines are basically copies of
the firewall, then the answer would be "extremely likely", for example.

With regards to NFS, remember that it is _not_ a secure protocol.
Basically anybody with access to your internal network traffic can see
what is flying between the NFS server and client with a little bit of
knowledge (possibly even just an Ethereal client to process tcpdump
saved files might be sufficient). So again, how bad is it if all your
information is known?

After reading your question a couple of times, I'm not completely sure
about where the single firewall you are talking about will go. One big
disadvantage of having all your traffic to both the servers and the
internal network go through a single box is that logging is much harder
due to the volume. If, on the other hand, you have a firewall that just
guards the internal network, then logging connection attempts to that
from the outside is a much lower volume proposition. Similarly, other
auditing procedures are easier.

I can't really give more concrete ideas than that from the information
you give, but I will say that I know of at least one major corporation
that has an effectively similar setup to yours for their international
network and they (and their external auditors) are happy with it.
However, I was involved in writing a report that suggested their
approach was not a good idea, so it is possible I am just a contrary
person.

I hope that is of some help and that others can build on this or post
independent responses.

Cheers,
Malcolm

--
The hardness of butter is directly proportional to the softness of the bread.
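Added example (not from Malcolm's message or anything else in the Techtalk thread): a small Python decoder for the ONC RPC call header (RFC 5531) and the AUTH_SYS credential that precede every NFSv3 request, run over a packet the script builds itself. It shows what a passive observer with a tcpdump file gets for free: the client hostname, uid, gid and supplementary groups are plain XDR integers, the verifier is AUTH_NULL, and the same request with the uid rewritten to 0 decodes as a perfectly well-formed call. The hostname, ids, xid and payload are constructed values, not a real capture; RPCSEC_GSS is named only as the flavor that would add integrity and privacy.

```python
"""
Added example: decode the ONC RPC call header (RFC 5531) and the AUTH_SYS
credential (flavor 1) that precede an NFSv3 request.  Everything is parsed
from a packet this script constructs itself; no real capture is used.
"""
import struct

AUTH_NULL = 0
AUTH_SYS = 1            # a.k.a. AUTH_UNIX: uid/gid in the clear, unsigned
RPCSEC_GSS = 6          # the flavor you need for integrity/privacy (RFC 2203)
NFS_PROGRAM = 100003
NFS_V3 = 3
NFSPROC3_READ = 6       # RFC 1813 procedure number for READ


def xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque: 4-byte length, bytes, padded to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def build_nfs_call(xid, proc, hostname, uid, gid, gids, payload=b""):
    """Build an RPC CALL carrying AUTH_SYS credentials (constructed sample)."""
    cred = (struct.pack(">I", 0x5E0A1C3F)            # stamp: arbitrary value
            + xdr_opaque(hostname)
            + struct.pack(">III", uid, gid, len(gids))
            + b"".join(struct.pack(">I", g) for g in gids))
    header = struct.pack(">IIIIII", xid, 0, 2, NFS_PROGRAM, NFS_V3, proc)
    return (header
            + struct.pack(">I", AUTH_SYS) + xdr_opaque(cred)
            + struct.pack(">II", AUTH_NULL, 0)       # empty verifier: nothing to check
            + payload)


def parse_rpc_call(pkt: bytes) -> dict:
    """Decode the header a sniffer sees; raises on anything not a v2 CALL."""
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack_from(">IIIIII", pkt, 0)
    if msg_type != 0 or rpcvers != 2:
        raise ValueError("not an ONC RPC v2 CALL")
    off = 24
    flavor, clen = struct.unpack_from(">II", pkt, off)
    off += 8
    cred = pkt[off:off + clen]
    off += clen + (-clen) % 4
    vflavor, vlen = struct.unpack_from(">II", pkt, off)
    off += 8 + vlen + (-vlen) % 4
    info = {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred_flavor": flavor, "verf_flavor": vflavor, "payload": pkt[off:]}
    if flavor == AUTH_SYS:
        # stamp, then hostname as an XDR string, then uid, gid, gid list
        _stamp, hlen = struct.unpack_from(">II", cred, 0)
        p = 8
        info["hostname"] = cred[p:p + hlen].decode("ascii")
        p += hlen + (-hlen) % 4
        uid, gid, ngids = struct.unpack_from(">III", cred, p)
        p += 12
        info["uid"], info["gid"] = uid, gid
        info["gids"] = list(struct.unpack_from(">%dI" % ngids, cred, p))
    return info


def rewrite_uid(pkt: bytes, uid: int, gid: int) -> bytes:
    """What an on-path attacker can do: same request, different identity."""
    i = parse_rpc_call(pkt)
    if i["cred_flavor"] != AUTH_SYS:
        raise ValueError("only AUTH_SYS credentials can be rewritten blindly")
    return build_nfs_call(i["xid"], i["proc"], i["hostname"].encode("ascii"),
                          uid, gid, i["gids"], i["payload"])


def demo() -> dict:
    """Sniff a constructed READ from a client and report what was visible."""
    pkt = build_nfs_call(0x2A, NFSPROC3_READ, b"client.example", 1000, 100, [100, 27],
                         payload=b"<file handle + offset + count>")
    seen = parse_rpc_call(pkt)
    forged = parse_rpc_call(rewrite_uid(pkt, 0, 0))
    return {"seen": seen, "forged_uid": forged["uid"],
            "signed": seen["verf_flavor"] != AUTH_NULL}


if __name__ == "__main__":
    r = demo()
    s = r["seen"]
    print("hostname=%s uid=%d gid=%d gids=%s" % (s["hostname"], s["uid"], s["gid"], s["gids"]))
    print("integrity-protected:", r["signed"], "| forged request parses as uid", r["forged_uid"])
```

The design point is that AUTH_SYS is a claim, not a proof: the server has no key with which to check the verifier, so whether a rewritten uid is honoured depends entirely on export options such as root_squash and on who can put packets on the wire. If the internal segment carries NFS, the question of "how bad is it if all your information is known" also covers "how bad is it if anyone on the segment can read or write as any uid".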
