RE: Extending the DMZ

["Prodigi Child" <prodigi.child () gmail com>]

You are correct - this is absolutely a bad idea. If you have to worry about
regulatory compliance this can be a deal-breaker for an auditor, depending
on what standard you need to comply with and what data is on the server.
Speaking of which, what kind of server is it? If it is a web server or
something simple like that then you can feasibly reverse proxy it through a
DMZ server, using something like ISA server. So, check your rules &
regulations and see if you can deny this change based on those, and if you
can't then try to find another way to make it accessible. Bottom line - if
that server gets compromised and it is on the same subnet as your other
production servers, that is MANY times worse than if a DMZ server gets
compromised, because the attacker may need to now turn his/her attention on
a second attack (this time targeting the internal servers). In addition,
there are well-documented VLAN-hopping attacks that you would now need to
protect against.

In addition, you should probably work to ensure that you (information
security) is included even in the planning stages of new
servers/applications/etc. Too many times I have seen InfoSec playing
"catch-up" when it's too late to make any meaningful changes to a new
production system.

Mike



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of CORP John Porter
Sent: Wednesday, October 15, 2008 9:58 AM
To: security-basics () securityfocus com
Subject: Extending the DMZ

We have an ASA with a separate interface for the DMZ. Connected to that
interface is a layer 2 switch, and then the DMZ servers. The Windows
guys, working with Application development, have created a new server,
in a blade center. The blade center has a layer 3 switch built in, which
is connected to our core switch with a 4 port Etherchannel. Now they
want the server they built made available on the internet. I have told
them that the server must be moved to the DMZ, but they are reluctant to
do that because they already built it on an internal Blade Server. They
want me to create a VLAN on the layer 3 switch and connect 1 port from
the layer 3 switch to the layer 2 DMZ switch, so the server will be
available on the DMZ. 

This seems like a very bad idea to me:
- Someone can mis-configure the server and end up with it acting as a
router to pass traffic between the DMZ and inside network
- The layer 3 switch is going to route traffic between the new VLAN and
the inside network
- Even if I manage to lock things down so that it works, there may be
other problems/exploits that make this a bad idea.

Am I just being paranoid, or is this definitely a bad idea?