Firewall Wizards mailing list archives

Re: DMZ or not ?


From: Mikael Olsson <mikael.olsson () enternet se>
Date: Wed, 13 Oct 1999 16:58:25 +0200


"Moore, James" wrote:

Could someone expand on this advice, and list/explain the additional risks
assumed by operating between the router and firewall (as opposed to
operating off a third firewall interface)?


First: Routers do not protect as well as (well written) firewalls do,
I'm mainly thinking about maintaining state and doing packet
reassembly. Furthermore, routers do not protect against firewalking
or OS fingerprinting; (well written) firewalls do this.

If a host in your "classic" DMZ is compromised, it makes 
a GREAT staging point for attacks against the internal network:
- They are able to sniff everything that's passing between the
  firewall (internal network) and the choke router.
- They are able to learn what IPs are allowed to access certain 
  services on the inside (if there is such a thing)
- It is _REALLY_EASY_ for the DMZ servers to masquerade as (spoof)
  such external hosts if they exist
- These servers could possibly modify data streams from external
  sites to internal clients (web pages are a good example).
  For instance, you trust "somesite.com" to run all the "really
  cool stuff" in your IE5 browser. What if the attacker _easily_
  grabs the data stream and inserts evil script code?

"So, what's the difference between having session hijackers in your
classic DMZ and having them out on the internet?"
- It is a lot easier to do it when you're sitting in the actual
path; you can see what TCP sequence numbers are used, and do not
need to fool routers using ICMP redirects, RIP spoofs or whatnot;
all you need to do is ARP spoofing, which is a lot easier to do and
a LOT harder to defend against!


Having said that, I feel I need to point out that everything
that can be done in the DMZ can also be done by people out on
the Internet. It is just so much easier to do it in the classic
DMZ setup once a host is compromised, and we don't want to hand
out freebies, do we?


I believe that the argument that the firewall would slow down
the traffic to the DMZ servers is moot, given that there are
plenty of firewalls that can filter at speeds exceeding 100 Mbps.
However, if you're using an old, slow, proxy machine, this
argument might hold true for you.


Phew!
I'm done ranting now :-)

Regards,
Mikael

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
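The post's key point is that a compromised host on the segment between the choke router and the firewall needs nothing more than ARP spoofing to put itself in the traffic path. The defensive counterpart is to watch the ARP traffic on that segment and alert when an IP's MAC binding changes or when one MAC starts answering for several addresses. The following detector is an added example and is not code from the original post or from the author; the segment addresses, MACs and the sequence of ARP replies are constructed for illustration, and the pinned router/firewall bindings stand in for whatever the operator knows to be correct.

```python
"""Added example (not from the original post): ARP-spoof detection on a
classic-DMZ segment. All addresses and replies below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds into the capture (constructed)
    sender_ip: str     # "I am this IP ..."
    sender_mac: str    # "... at this MAC"


class ArpMonitor:
    """Track IP -> MAC bindings seen on one broadcast segment.

    'pinned' bindings are ones the operator knows (choke router, firewall);
    they are never overwritten, so every spoofed claim keeps alerting.
    Learned bindings are updated after one alert to avoid endless noise."""

    def __init__(self, pinned: Optional[Dict[str, str]] = None):
        self.pinned: Dict[str, str] = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.table: Dict[str, str] = dict(self.pinned)
        self.ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
        for ip, mac in self.table.items():
            self.ips_by_mac[mac].add(ip)

    def observe(self, reply: ArpReply) -> List[str]:
        """Return the alerts raised by one ARP reply (empty if benign)."""
        alerts: List[str] = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()

        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac                      # first time we see this IP
        elif known != mac:
            kind = "pinned" if ip in self.pinned else "learned"
            alerts.append(f"t={reply.ts:.1f}: {ip} moved from {known} to {mac} ({kind} binding)")
            if ip not in self.pinned:
                self.table[ip] = mac                  # accept the new learned binding once

        # A single MAC answering for the router *and* the firewall is the
        # in-path position the post describes; alert when the set grows.
        newly_claimed = ip not in self.ips_by_mac[mac]
        self.ips_by_mac[mac].add(ip)
        if newly_claimed and len(self.ips_by_mac[mac]) > 1:
            alerts.append(f"t={reply.ts:.1f}: {mac} now answers for {sorted(self.ips_by_mac[mac])}")
        return alerts


# Constructed segment: choke router .1, firewall outside interface .2,
# a DMZ web server .10 that later gets compromised and spoofs both.
PINNED = {"10.0.0.1": "aa:bb:cc:00:00:01", "10.0.0.2": "aa:bb:cc:00:00:02"}
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:bb:cc:00:00:01"),   # router, legitimate
    ArpReply(0.5, "10.0.0.10", "aa:bb:cc:00:00:10"),  # web server, legitimate
    ArpReply(1.0, "10.0.0.2", "aa:bb:cc:00:00:02"),   # firewall, legitimate
    ArpReply(2.0, "10.0.0.1", "aa:bb:cc:00:00:10"),   # web server claims to be the router
    ArpReply(2.1, "10.0.0.2", "aa:bb:cc:00:00:10"),   # ... and the firewall
    ArpReply(3.0, "10.0.0.1", "aa:bb:cc:00:00:10"),   # repeated (gratuitous) claim
]


def run_example() -> List[str]:
    """Feed the constructed replies through the monitor; return all alerts."""
    monitor = ArpMonitor(PINNED)
    alerts: List[str] = []
    for reply in SAMPLE_REPLIES:
        alerts.extend(monitor.observe(reply))
    return alerts


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

On a real segment the replies would come from a capture on a span port or from the switch's own ARP/DHCP-snooping tables; the detector logic is the same. Note that it only sees what crosses the wire, so it complements, rather than replaces, the post's architectural advice of putting the servers on a separate firewall interface where they are not in the router-to-firewall path at all.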


