Security Basics mailing list archives
Re: Proxy & Firewall Implementation
From: miguel.dilaj () pharma novartis com
Date: Fri, 14 Jan 2005 09:43:31 +0100
Hi John,

Other than the good answer from Florian, I'm going to make a few points:

a) public services have to be in a DMZ because they are the ones that can be hacked into from the outside, and you don't want the attacker to be already inside your LAN
b) some private services (for example a DB) can be inside a second DMZ
c) the main idea of a DMZ is that no connections can be established FROM it, only TO it. There is no reason for someone logged in to a server to be establishing outgoing connections.
d) whatever firewall you decide to use, this box MUST NOT have network access to it (ok, some people will say that to ease administration you can still allow something like SSH, I tend to agree, but be very careful with its configuration and updates); any service you allow is another potential way of entry for an attacker, and you definitely don't want anyone compromising your firewall and tampering with its configuration
e) As you're quite new to the IT Sec field, I agree with Florian's suggestion on the firewalls book (or any other good book on that topic).
f) It can also be interesting for you to read some of the Linux HOWTO documents related to firewalls & DMZ; even if you are not going to implement a Linux firewall, at least they are free of charge at www.linuxdocs.org
g) Implementing DMZ(s) requires either a flexible firewall box with several NICs, or separate firewalls. From the point of view of making the infrastructure solid, I tend to agree with the multiple firewalls configuration
h) Last: remember that a firewall is not the final solution to all your IT Sec problems, not even close to that. It just restricts what services can be accessed and from where, but if a service (any service) is available, it can be a potential avenue of entry for an attacker
From the things you mention as needed, you can have a setup like:
Internet
   |
FW 1 (external)
   |
public services (you can put the proxy here)
   |
FW 2 (internal)
   |
LAN-----FW 3 (internal)-----private services

or any similar setup. If you've more than 1 department in your company you can also make separate sections of the LAN using firewalls if required (for example, protecting the R&D area from employees in the Finance area and the opposite, etc.).

That "blackhat" made a good suggestion. Your services won't be exposed; they will be protected by the external firewall. AND your internal network will be protected from "someone" in your servers by the internal firewall. I think that his/her hat was not so black ;-)

Good luck!

Regards,
Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG

John <naverxp () yahoo com sg>
13/01/2005 01:04
To: security-basics () securityfocus com
cc: (bcc: Miguel Dilaj/PH/Novartis)
Subject: Proxy & Firewall Implementation

Hi

I'm a fresh graduate in the System Administrator field. Recently, with much luck, I was recommended to a company to implement a firewall system for their network infrastructure. I hope to pick up some experience from this forum as to how people here might consider different circumstances when placing their proxy server inside a protected network (behind the firewall) or before the firewall. Would I need two firewalls? (I'm considering the Cisco FW, and CyberGuard FW).

During my research, I found a document written by a blackhat who suggested allocating most of my services (httpd, mail, etc.) to a DMZ outside the internal network and making redundancies every night. My 2nd question: why did he suggest that? Why expose my services outside the network where my information is live and exposed to the risk of being compromised?

John
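The two-firewall layout in the reply above, written out as a first-match zone policy and checked against constructed flows. This is an added example, not code from the thread and not the configuration of any firewall product named in it. The address plan (192.0.2.0/24 for the DMZ, 10.1.0.0/16 for the LAN, a small admin subnet for firewall management), the port numbers and the proxy port 3128 are all assumptions. It carries one deliberate exception to point c): a forward proxy placed in the DMZ has to open outbound HTTP/HTTPS connections, so that egress is allowed as a narrow rule ahead of the general "DMZ never initiates" drop, and an audit function lists exactly such accept rules so the exception stays visible.

```python
"""Zone policy model for the two-firewall DMZ design described in the thread.

Added example, not code from the thread or from any product named in it.
Address ranges, zone names and port numbers are constructed for illustration.
The model classifies the first packet of a connection (who initiates it), which
is what point c) is about: connections are allowed TO the DMZ, never FROM it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan. A host can belong to several zones (the firewall's
# own addresses sit inside the DMZ and LAN ranges), so rules match on sets.
ZONES = {
    "dmz":      [ip_network("192.0.2.0/24")],      # public services + proxy
    "proxy":    [ip_network("192.0.2.20/32")],     # the forward proxy host
    "firewall": [ip_network("192.0.2.1/32"), ip_network("10.1.0.1/32")],
    "lan":      [ip_network("10.1.0.0/16")],
    "fwmgmt":   [ip_network("10.1.255.0/24")],     # admin workstations
}


def zones_of(addr: str) -> frozenset:
    """Every zone whose ranges contain addr; anything unlisted is the Internet."""
    ip = ip_address(addr)
    hits = {name for name, nets in ZONES.items() if any(ip in n for n in nets)}
    return frozenset(hits) if hits else frozenset({"internet"})


@dataclass(frozen=True)
class Rule:
    src: str            # zone name, or "any"
    dst: str
    dports: frozenset   # allowed destination ports; empty means any port
    action: str         # "accept" or "drop"
    comment: str

    def matches(self, src_zones, dst_zones, dport) -> bool:
        return ((self.src == "any" or self.src in src_zones)
                and (self.dst == "any" or self.dst in dst_zones)
                and (not self.dports or dport in self.dports))


# First match wins, so the most specific rules come first and the default is drop.
POLICY = [
    # point d): only the admin network may reach the firewall itself, SSH only
    Rule("fwmgmt", "firewall", frozenset({22}), "accept", "admin SSH to firewall"),
    Rule("any", "firewall", frozenset(), "drop", "nobody else talks to the firewall"),
    # FW1 (external): the Internet reaches only the published services
    Rule("internet", "dmz", frozenset({25, 80, 443}), "accept", "published web/mail"),
    # the one egress the DMZ needs: the forward proxy fetching on behalf of the LAN
    Rule("proxy", "internet", frozenset({80, 443}), "accept", "forward proxy egress"),
    # point c): nothing else is initiated FROM the DMZ, towards the LAN or the Internet
    Rule("dmz", "any", frozenset(), "drop", "DMZ never initiates"),
    # FW2 (internal): LAN users reach the proxy and the published services
    Rule("lan", "dmz", frozenset({3128, 80, 443}), "accept", "LAN to proxy/web"),
]


def evaluate(src_ip: str, dst_ip: str, dport: int):
    """Decision for the first packet of a connection: (action, matching comment)."""
    src, dst = zones_of(src_ip), zones_of(dst_ip)
    for rule in POLICY:
        if rule.matches(src, dst, dport):
            return rule.action, rule.comment
    return "drop", "default deny"


def dmz_initiated_accepts():
    """Audit for point c): comments of accept rules whose source lies inside the DMZ."""
    dmz_nets = ZONES["dmz"]
    flagged = []
    for rule in POLICY:
        if rule.action != "accept" or rule.src == "any":
            continue
        nets = ZONES.get(rule.src, [])
        if nets and all(any(n.subnet_of(d) for d in dmz_nets) for n in nets):
            flagged.append(rule.comment)
    return flagged


# Constructed sample flows: (source, destination, port).
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10", 443),   # Internet to public web server
    ("203.0.113.7", "192.0.2.10", 22),    # Internet to SSH on the web server
    ("203.0.113.7", "192.0.2.1", 22),     # Internet to the firewall
    ("10.1.255.10", "192.0.2.1", 22),     # admin workstation to the firewall
    ("10.1.5.5", "192.0.2.1", 22),        # ordinary LAN user to the firewall
    ("192.0.2.10", "10.1.5.5", 445),      # compromised web server towards the LAN
    ("192.0.2.10", "198.51.100.9", 443),  # web server calling out to the Internet
    ("192.0.2.20", "198.51.100.9", 443),  # proxy fetching a page for a LAN user
    ("10.1.5.5", "192.0.2.20", 3128),     # LAN user to the proxy
    ("10.1.5.5", "198.51.100.9", 443),    # LAN user bypassing the proxy
]


def run_samples():
    return {f: evaluate(*f) for f in SAMPLE_FLOWS}


if __name__ == "__main__":
    for (s, d, p), (action, why) in run_samples().items():
        print(f"{s:>14} -> {d:<14}:{p:<5} {action:<6} ({why})")
    print("accept rules sourced from inside the DMZ:", dmz_initiated_accepts())
```

Running it prints the decision for each sample flow. The audit function is the check worth keeping when the policy grows: every accept rule whose source sits inside the DMZ address space should be a known, deliberate exception, and with first-match evaluation a rule placed below the "DMZ never initiates" drop never fires, which the ordering above makes easy to reason about.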
Current thread:
- Proxy & Firewall Implementation John (Jan 13)
- Re: Proxy & Firewall Implementation florian leibert (Jan 13)
- RE: Proxy & Firewall Implementation David Gillett (Jan 14)
- <Possible follow-ups>
- RE: Proxy & Firewall Implementation Conlan Adams (Jan 14)
- Re: Proxy & Firewall Implementation miguel . dilaj (Jan 14)