Firewall Wizards mailing list archives

RE: Reverse Proxy on DMZ


From: "Andreas Haug" <ajh () this net>
Date: Tue, 19 Jan 1999 10:28:55 +0100


Perhaps this is the time for me to leave lurking mode.

John Kozubik wrote:

> The DMZ is not firewalled.  The DMZ exists _between_ the firewall and
> the router/modem/interface.

and he wrote

> You may be asking what the point of an area between the firewall and the
> router is - it is for machines that should not be given any kind of
> filtering whatsoever.

and

> If someone tells you they are putting their mail or www server in the
> DMZ, laugh at them for not firewalling these mission critical machines,
> [...]

Which implies (please correct me if I got this wrong) that (1) the traffic
between a DMZ and "the open" (internet, evil subcontractor, etc.) is not
guarded by filters and (2) the servers (mail, www, etc.) should reside
behind the firewall.

I do not share this point of view. My reasoning is this: I don't trust the
web server in any way. If it does its job, serves the pages which it should
serve, I consider it good luck. I expect it to fail, to be turned against
me. Therefore I can't put it behind the firewall: if it were located
behind the firewall, and if it "failed" in the worst case, I'd have some
bad guy inside the network I wanted to protect.

Can I put the web server in the open? Again, the answer is no. Although I
expect it to be broken into, I must do my best to shield it from the evil.
The least tool to provide such a shielding would be a packet filter which
(1) makes sure only those parts which are more or less "secured" are
accessible and (2) constitutes an independent entity which could alarm me if
it sees some network traffic which violates the security policy (a la "Your
web server is portscanning around. Is it really supposed to do this?").

A place which is not inside "my" network but is not unrestricted either is
what I call a DMZ. A place to put things I can't really trust, which is
shielded to some extent and which is supervised to some other extent.

Thinking about all this, I am curious to know if I got some of the keywords
wrong or if perhaps we need to define our keywords again.

I for one use the term "packet filter" for things acting on a packet level.
A Cisco with access lists (IOS 11.3+, reflexive, if possible) qualifies.
Most installations of Firewall-1 do qualify as a packet filter, not more, in
my personal opinion.

What John termed "firewall", I would rather call "Application Layer Filter"
(ALF, for short), always keeping in mind what expertise that particular ALF
has with respect to the data streams it relays.

The combination of packet filters, ALFs, and servers which are more or less
accessible from the "evil" side, all assembled to adhere to a strict
security policy, is what I would call a firewall.

Comments, anyone?

andreas.
--
Work: http://www.helupie.de  haug () helupie de  phone +49 6081 9162-60 fax -80
Home: http://www.this.net    me () this net      phone +49 7127 9724-54 fax -54
Note: Views expressed above might not reflect those of the people who pay me
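As an added illustration (not part of the post above) of the two jobs the packet filter is given, a Cisco IOS reflexive access-list pair for the router in front of the DMZ. The interface names, the web server address 192.0.2.10 and the resolver address 192.0.2.53 are assumptions chosen from the documentation address range.

```cisco
! Constructed example: router between the Internet (Serial0) and a DMZ web
! server at 192.0.2.10. Addresses and interface names are assumptions.
!
! (1) Only the "secured" parts are reachable from outside: HTTP and HTTPS to
! the web server, plus return traffic for sessions the DMZ host itself opened
! (the 'evaluate' line consults the temporary entries created by 'reflect').
! Everything else is dropped and logged.
ip access-list extended FROM-INTERNET
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 evaluate DMZ-OUTBOUND
 deny ip any any log
!
! (2) The filter acts as the independent alarm: the web server may only
! talk to its resolver. A compromised server that starts port-scanning hits
! the final 'deny ... log' line, and the syslog entries are the signal that
! the host is doing something it is not supposed to do.
ip access-list extended TO-INTERNET
 permit udp host 192.0.2.10 host 192.0.2.53 eq domain reflect DMZ-OUTBOUND
 deny ip any any log
!
interface Serial0
 description Internet side
 ip access-group FROM-INTERNET in
 ip access-group TO-INTERNET out
!
! Send the deny-log events to a host that is not the web server itself, so
! the record survives even if the server is lost.
logging 192.0.2.20
```

The reflexive entries expire after the default timeout (configurable with "ip reflexive-list timeout"), so the hole opened for a DNS answer closes again on its own.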