RE: DMZ or not ?

[Ben Nagy <bnagy () cpms com au>]

Hm.

Tom, why do you presume that the protection offered by a router with decent
ACLs is going to be any worse than a firewall? In some cases it's true, but
for simple-simon upper layer protocols like HTTP then unless you're using an
amazing application proxy (and arguably not even then) you often gain very
little and lose speed. The basic argument is that once you're allowing
people access to the WWW service then you've lost most of the battle - they
can get at all your CGI scripts, ASPs or what-the-hell-ever you have sitting
around waiting for a remote exploit.

The "Classic" DMZ offers the same level of protection for the internal
network, so that's not an issue...

Finally, _static_ NAT may be security by obscurity, but dynamic NAT does
actually improve security by only making connections to dynamically mapped
hosts available for a short time, and only after a connection has been
initiated. This is not an issues for incoming WWW and DNS in this case
though.

Fabio, I would certainly recommend getting those WWW servers out of the
internal network and into some kind of DMZ. As Tom points out, this helps
prevent the WWW server being used as a staging point to mount an attack on
the internal network.

Personally, if you have a router, I think you'll get (slightly) better WWW
performance and not lose much security by putting the WWW server directly
behind the router, as long as you can mess with its access control lists. If
it's not your router, I'd hang another NIC off the firewall.

Make sure you've taken all the sensible precautions relevent to your
particular DNS server - you don't want people to be able to mess with your
DNS.

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 

> -----Original Message-----
> From: Thomas Crowe [mailto:thomas.crowe () bellsouth net]
> Sent: Friday, 8 October 1999 9:59 PM
> To: fgb () domain com br; firewall-wizards () nfr net
> Subject: RE: DMZ or not ?
>
>
> That depends a lot on what definition of a DMZ your using!  
> If you mean the
> classical definition of a DMZ i.e. in between the router and 
> the firewall
> *unprotected* except by router acl's, then my advice would 
> be, don't do it,
> not under any circumstances! (ok maybe one or two 
> circumstances).  If your
> referring to the somewhat more contemporary definition of a 
> DMZ i.e. another
> interface off your firewall, where as all traffic must still 
> traverse the
> firewall, then I would say go for it, that way *when* your 
> public machines
> get hacked your internal network is still protected, this is 
> good; very good
> :-).  NAT is a good thing but it is security through 
> obscurity which isn't
> very secure in and of itself.  Just my $0.02
>
> Thomas Crowe
> Production Network Systems Administrator
> BellSouth Online
> 678-441-7454
>
> > -----Original Message-----
> > From: owner-firewall-wizards () lists nfr net
> > [mailto:owner-firewall-wizards () lists nfr net]On Behalf Of
> > fgb () domain com br
> > Sent: Wednesday, October 06, 1999 9:57 AM
> > To: firewall-wizards () nfr net
> > Subject: DMZ or not ?
> >
> >
> > Hello wizards,
> >
> > Divergences are occurring here im my officce about the use of a
> > DMZ, and I hope the wizards will give me some explanations and/or
> > secure informations about the better
> > implementation.
> >
> > Currently, we're using Linux as a Firewall Box, with a port
> > forwarding to our mail server, that is behind the firewall.
> >
> > We are in way now, to install a public web server and a DNS
> > server. What are de advantages and disadvantages of placing this
> > servers behind the firewall and perform
> > NAT or Port forwarding, instead of  using a DMZ ?
> >
> > Which of the options shoud I implement here in my officce, to
> > have a secure site ?
> >
> > Thanks and regards,
> >
> > Fábio Baptista
> > fgb () domain com br