[Techtalk] DMZs, etc.

Michelle Murrain tech at murrain.net
Mon Dec 10 12:50:28 EST 2001


At 11:29 AM 12/10/2001, Malcolm Tredinnick wrote:
>These sort of questions usually generate a lot of mail on this list, so
>I'll try to be brief and not embarrass myself too much (both of which are
>hard):

Hey, I embarrass myself *all the time* on this list, and I think I'm not too 
much the worse for wear. :-)

>Let's assume for the moment that the main risk you are guarding against
>is somebody breaking _in_ to your system. So you are not sitting on a T3
>and worried about your 1000 machines being used to DOS some other
>system.

No - I'll be sitting on a fractional T1, with at the absolute max, 10 
machines (no more than 2 other than Linux).

>It partly comes down to risk management: how bad is it if somebody
>breaks into your internal machines and can read or alter all of the data
>there?

Well, there is my financial info - I think that's the most sensitive stuff 
there is.

>  This is the worst case if your firewall is breached in the
>situation you describe. Now back up a little bit and assume that the
>internal machines are at least a little bit protected (I don't know if
>they are or not, I'm just listing what I would check). Assume the
>firewall is breached, how likely is it that information on the internal
>machines is vulnerable? If the internal machines are basically copies of
>the firewall, then the answer would be "extremely likely", for example.

What do you mean by "copies of the firewall"? Same usernames and passwords, 
same distro? The internal machines running Linux would all be, to some 
extent or another, battened down, running snort, etc. The Windows machine 
is, well, a Windows machine, but it has virtually no documents (that's on a 
Linux fileserver), and I'm not worried about the Macintosh - it's not on 
much. I'm setting up NFS to make it easier to share code between my 
fileserver (which also does CVS) and my development box. Do I care whether 
people can read my crappy code? Well, it is open-source, after all. :-)

>After reading your question a couple of times, I'm not completely sure
>about where the single firewall you are talking about will go. One big
>disadvantage of having all your traffic to both the servers and the
>internal network go through a single box is that logging is much harder
>due to the volume. If, on the other hand, you have a firewall that just
>guards the internal network, then logging connection attempts to that
>from the outside is a much lower volume proposition. Similarly, other
>auditing procedures are easier.

Ah, I see. That makes some sense. So one strategy would be to plug the 
external servers directly into a hub connected to the router, then have the 
firewall between the hub and another hub serving the internal network. 
Secure the external servers separately. The firewall would also do NAT/DHCP 
for the internal network.

>I can't really give more concrete ideas than that from the information
>you give, but I will say that I know of at least one major corporation
>that has an effectively similar setup to yours for their international
>network and they (and their external auditors) are happy with it.
>However, I was involved in writing a report that suggested their
>approach was not a good idea, so it is possible I am just a contrary
>person.

I'm sure that a lot of folks have this kind of setup - and I'm realizing 
it is really a risk/benefit calculation - and I just have to figure out 
what makes the most sense.

>I hope that is of some help and that others can build on this or post
>independent responses.

Yes, it has helped.

.Michelle

---------------------------------------
Michelle Murrain, Ph.D.
tech at murrain.net
AIM:pearlbear0
http://www.murrain.net/ for pgp public key
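The topology Michelle sketches above (external servers on the router's hub, the firewall between that hub and the internal hub, NAT on the firewall, and only the traffic that reaches the internal side being logged) as an added iptables rule generator. This is example code written for this page, not anything posted in the thread; it assumes the firewall's outside interface is eth0, its inside interface is eth1, and the LAN is 192.168.1.0/24.

```shell
#!/bin/sh
# fw_rules prints an iptables rule set for a two-interface firewall that
# sits between the router/external-server hub and the internal hub.
# Review with "fw_rules", apply as root with "fw_rules | sh".
fw_rules() {
    ext_if=${1:-eth0}          # assumed: interface on the router/external hub
    int_if=${2:-eth1}          # assumed: interface on the internal hub
    lan=${3:-192.168.1.0/24}   # assumed: private LAN behind the firewall

    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback, and replies to connections the firewall or the LAN started
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The internal hub is trusted: lets the LAN reach DHCP/DNS on the firewall
iptables -A INPUT -i $int_if -j ACCEPT
# LAN may go out (to the Internet and to the external servers on the router hub)
iptables -A FORWARD -i $int_if -s $lan -o $ext_if -j ACCEPT
iptables -t nat -A POSTROUTING -s $lan -o $ext_if -j MASQUERADE
# New connections arriving from the outside are logged, then dropped by policy.
# The external servers never pass through this box, so the log stays small.
iptables -A INPUT -i $ext_if -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "FW-IN: "
iptables -A FORWARD -i $ext_if -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "FW-FWD: "
EOF
}
```

The external servers on the router hub get no protection from this rule set, which is the "secure the external servers separately" part of the plan.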
