Clarify DMZ for me

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
We have a web server that we need to allow our external clients/employees to access.
We have a DB server that it needs to talk to. Right now, what we do is we have NAT forwarding on a box (it also acts as a DB server) that people from the outside can get to via an external IP. On the firewall, we forward the required ports for this external IP to the internal IP of the server.

i.e. 64.220.220.220 -> 192.168.100.20 (port 80, 1521, etc...)

So, what the heck is the difference between doing that and putting the box on the DMZ and restricting access to the box via certain ports? I only need port 80 open on the box, but the box needs to talk to our DB server, which is on our LAN. Should we just bypass the DMZ since the box needs to talk to another box (the DB server)?
 

Jamsan

Senior member
Sep 21, 2003
795
0
76
The idea with a DMZ is to allow protection from the internal network if a DMZ server gets compromised. The idea would be to put the web server in the DMZ and only allow port 80 to get through. Then, only allow the required ports (in your case, the SQL port) ONLY to the required internal server. No other communication would be allowed, mitigating a lot of risk on a further attack. If the web server remains on your internal LAN, once that server is compromised, the hacker has access to any other internal resource without going through any additional hoops of firewalls, IPS/IDS, etc.

Also, why on earth are you making the SQL port available to the outside world? (Unless, of course, you only listed it as an example.) That's just asking for trouble.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
OK, I wasn't thinking straight. It makes sense that if someone got root access to it, they won't be able to do much since the hardware firewall will lock things down. I was thinking from an iptables perspective.

In regards to the SQL port, don't ask. My boss thinks that by putting the web tier on the DMZ, we should be golden. I already told him this isn't the case. No one listens; it's just like how they want to use the HOSTS file because no one else understands how DNS works.
 

techmanc

Golden Member
Aug 20, 2006
1,212
7
81
As I understand it, when you use DMZ it's used to give the IP address total access to all ports. The home-based routers I have set up for DMZ didn't have any function to block ports on the DMZ. The reason for the DMZ is to have all ports available in case you don't know which ports to open to get it working.
 

Jamsan

Senior member
Sep 21, 2003
795
0
76
When you say, "my boss thinks by putting the web tier on the DMZ, we should be golden", does that mean he's going to put the web server in a DMZ and allow full communication between the "DMZ" and the internal LAN? If that's the case, you may as well just keep doing things the way you're doing. Also, do you have port 1521 open to the outside world? Hopefully, that's not another pea-brain idea of your boss.

I don't envy your situation at all (from the HOSTS file comment). Now, if it's using a HOSTS file for servers that sit in the DMZ, that's not a bad idea (instead of having a separate DNS server in the DMZ). If it's using a HOSTS file on internal servers/PCs in lieu of a DNS server, that's just retarded.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Thanks guys, my assumption was right. I explained to him that people use DMZ so all ports would be open. I know OCS is notorious for ports, and me sitting there opening 25+ ports for it was ridiculous.
In regards to his plans, he wants port 80 to the web tier in the "DMZ" and then various ports for Oracle from this web box to our internal DB box. This of course will be driven by our hardware firewall. If someone were to gain access to the web box, how would they go about accessing other resources if the h/w firewall blocks all ports but the two he wants?

I don't like the idea one bit, but you can't argue with stupidity. In regards to the HOSTS file, yes, it's for internal servers! I worked hard on setting up BIND and I was told "for now we'll use the HOSTS file, I don't want to jeopardize our users if the DNS server doesn't work." NICE ... so when a server changes IP, I send out an announcement to have people modify their HOSTS file. That was not fun, as some folks had issues with tabs/spaces.
 

Jamsan

Senior member
Sep 21, 2003
795
0
76
DMZ opening all ports is only found on SOHO stuff. Most, if not all, business/enterprise-level equipment uses ACLs which, by default, block everything and only allow what you want.

Originally posted by: LuckyTaxi
This of course will be driven by our hardware firewall. If someone were to gain access to the web box, how would they go about accessing other resources if the h/w firewall blocks all ports but the two he wants?

Misconfigured firewalls, unpatched/zero-day vulnerabilities, poor/no passwords on the firewall, etc.

If he refuses to move away from the HOSTS file, save yourself the headache and script the changes the next time you need to update everyone's PC.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
6,044
23
81
Originally posted by: Jamsan
If he refuses to move away from HOSTS file, save yourself the headache and script the changes the next time you need to update everyone's PC.

Grrr... we don't use Active Directory. I've got bigger problems: our internal servers use an existing domain that someone else owns on the outside world. So it's fun when someone can't resolve, because they go to someone else's website.
 

Jamsan

Senior member
Sep 21, 2003
795
0
76
Originally posted by: LuckyTaxi
If he refuses to move away from HOSTS file, save yourself the headache and script the changes the next time you need to update everyone's PC.

Grrr .. .we dont use active directory. i got bigger problems, our internal servers use an existing domain that someone else owns on the outside world. So it's fun when someone can't resolve because they go to someone else's website.

Write a small VBS file that copies a HOSTS file that sits on a network drive somewhere to the local PC. Send out an email that says "Double-click to run this script".
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
His (the boss's) idea is best; it's how you do it. A DMZ is typically a separate subnet off of a firewall. "3-legged": one external interface, one internal interface and a DMZ one. DMZ has never meant "forward all ports"; that is called static network address translation.

Also keep in mind that the SQLnet protocol negotiates what ports to use at the application layer, so you can't just "open some ports"; the firewall will have to dynamically open ports based on a particular session from the web box to the DB. If it's any decent firewall, it should be able to do this.
 

taltamir

Lifer
Mar 21, 2004
13,576
6
76
DMZ = demilitarized zone...
In routing it means that ALL ports are forwarded to that specific computer. That one computer, for all intents and purposes, works EXACTLY as if it was plugged directly into the modem, without the router in between them.
 

Jamsan

Senior member
Sep 21, 2003
795
0
76
Home Router Definition:
Some home routers refer to a DMZ host. A home router DMZ host is a host on the internal network that has all ports exposed, except those ports forwarded otherwise. By definition this is not a true DMZ (Demilitarized Zone), since it alone does not separate the host from the internal network. That is, the DMZ host is able to connect to hosts on the internal network, whereas hosts within a real DMZ are prevented from connecting with the internal network by a firewall that separates them, unless the firewall permits the connection. A firewall may allow this if a host on the internal network first requests a connection to the host within the DMZ.

True definition:
In computer security, a demilitarized zone, named after the military usage of the term and normally abbreviated to DMZ; also known as a demarcation zone or perimeter network, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger, untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than the whole of the network.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,553
430
126
DMZ is a concept that in the old civil days was a viable solution under certain circumstances.

In our days of constant Port Scanning, Hacking, Botting, etc., there is No place for the DMZ any more.
 

Jamsan

Senior member
Sep 21, 2003
795
0
76
Originally posted by: JackMDS
DMZ is a concept that in the old civil days was a viable solution under certain circumstances.

In our days of constant Port Scanning, Hacking, Botting. etc. there is No place for the DMZ any more.

What do you recommend instead?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: taltamir
set up port forwarding for the ONE port he stated he needs.

Until that machine gets compromised and has full access to your network. Any device that accepts incoming traffic from the outside needs to have a firewall between it and the private internal network, thus creating a DMZ. You still only open up one port on your firewall to the server, but you have another firewall in case the server gets compromised.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Yeah....yay for lots of disinformation in this post.

Think of it like this: Inside interface is 100, outside interface is 0, DMZ is 50. Higher number can talk to lower number, but lower number can't talk to higher number without explicitly being allowed. So, the inside can get to outside and DMZ no problem, but outside can't get to either without explicitly being let in.

This lets you segment your network, as others have said, so that if an intrusion DOES happen, they can't rape your internal servers. The idea would be to let outside get to port 80/443 in the DMZ, and let the DMZ get to your database port 1433 or whatever... so that outside is never actually able to get to inside, except through the confines of your application.
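The security-level model drebo describes (inside 100, DMZ 50, outside 0, with lower-to-higher traffic needing an explicit permit) and the two narrow holes Jamsan recommends (outside to the web box on 80/443, web box to one internal DB host on the Oracle port) can be written down and checked. The following is an added example, not code from anyone in this thread or from any firewall product: a small Python model of a three-legged policy that also audits what a compromised web box could still reach, comparing the DMZ design against the original flat-LAN static-NAT setup. Zone names, host labels, the rule format and the list of internal targets are assumptions made for the illustration.

```python
# Added example: model of a three-legged firewall policy (outside / dmz /
# inside) using security levels plus explicit permits, then an audit of
# which internal services a compromised web box could still open connections
# to. Zone names, host labels and the rule format are assumptions.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Higher number = more trusted. A new connection from a higher level towards
# a lower one passes by default; the reverse direction needs an explicit rule.
SECURITY_LEVELS = {"outside": 0, "dmz": 50, "inside": 100}


@dataclass(frozen=True)
class Rule:
    """One explicit permit from src_zone to dst_zone on dst_port.
    dst_host / src_host narrow the permit to a single host (None = any)."""
    src_zone: str
    dst_zone: str
    dst_port: int
    dst_host: Optional[str] = None
    src_host: Optional[str] = None


@dataclass(frozen=True)
class Flow:
    """A new TCP connection attempt as the firewall sees it."""
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    dst_port: int


def decide(flow: Flow, rules: Iterable[Rule]) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a new connection."""
    if flow.src_zone == flow.dst_zone:
        # Both hosts sit on the same segment, so the firewall is not in the
        # path and nothing stops the connection: the flat-LAN failure mode.
        return "allow", "same zone, firewall not in path"
    if SECURITY_LEVELS[flow.src_zone] > SECURITY_LEVELS[flow.dst_zone]:
        return "allow", "higher security level to lower"
    for rule in rules:
        if (rule.src_zone == flow.src_zone
                and rule.dst_zone == flow.dst_zone
                and rule.dst_port == flow.dst_port
                and rule.dst_host in (None, flow.dst_host)
                and rule.src_host in (None, flow.src_host)):
            return "allow", f"explicit permit to {rule.dst_zone}:{rule.dst_port}"
    return "deny", "implicit deny"


# The design recommended in the thread: web box in the DMZ, two narrow permits.
DMZ_RULES = [
    Rule("outside", "dmz", 80, dst_host="web"),
    Rule("outside", "dmz", 443, dst_host="web"),
    Rule("dmz", "inside", 1521, dst_host="db", src_host="web"),
]

# The original setup: web box on the LAN behind a static NAT, one port open.
FLAT_LAN_RULES = [Rule("outside", "inside", 80, dst_host="web")]

# Constructed sample of internal services an auditor would worry about.
INTERNAL_TARGETS = [
    ("inside", "db", 1521),
    ("inside", "db", 22),
    ("inside", "fileserver", 445),
    ("inside", "workstation", 3389),
]


def post_compromise_reach(rules: Iterable[Rule], zone: str, host: str,
                          targets: Iterable[Tuple[str, str, int]]) -> List[Tuple[str, int]]:
    """Blast-radius audit: (host, port) pairs a compromised host could connect to."""
    rules = list(rules)
    return [(t_host, port) for t_zone, t_host, port in targets
            if decide(Flow(zone, host, t_zone, t_host, port), rules)[0] == "allow"]


if __name__ == "__main__":
    print("web box in DMZ:", post_compromise_reach(DMZ_RULES, "dmz", "web", INTERNAL_TARGETS))
    print("web box on LAN:", post_compromise_reach(FLAT_LAN_RULES, "inside", "web", INTERNAL_TARGETS))
    print("1521 from outside:", decide(Flow("outside", "anyone", "inside", "db", 1521), DMZ_RULES))
```

With the DMZ ruleset the only internal service reachable from the web box is the DB host on 1521; with the flat-LAN ruleset every internal target is reachable because the firewall never sees that traffic, which is the point Jamsan and Crusty make. The model checks static ports only; as spidey07 notes, SQLnet may negotiate further ports at the application layer, so a real firewall needs protocol inspection for that session rather than a single fixed permit.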
 

VirtualLarry

No Lifer
Aug 25, 2001
56,587
10,225
126
Originally posted by: spidey07
His (boss) idea is best, it's how you do it. A DMZ is typically a separate subnet off of a firewall. "3-legged" - one external interface, one internal interface and a dmz one. DMZ has never meant to forward all ports - that is called static network address translation.
Thanks, that explains a lot (and why DMZ didn't work for me on my Westell 327W, and static NAT did.)
 

Goosemaster

Lifer
Apr 10, 2001
48,775
3
81
note:

Think of a DMZ as a quarantine network for smaller facilities. It is simply a mechanism that allows you to apply ACLs (access control lists ... i.e. rules) for foreign and local traffic to a resource (server, killbots, etc). It is a topological or logical manifestation of a barrier that will only direct solicited traffic, but will also direct an attack and plausible damage caused by that attack on a network resource.

Some have mentioned its irrelevance, and they might be right for enterprises that have the $$ for a multilayer system that follows a hierarchy, as every layer is sectioned off from the others. For smaller environments however, you might follow a more bus or hub/spoke type of topology. In this scenario, the best course of action is to implement a quarantine area for at-risk resources: a DMZ. This quarantine area, by definition, will have all of its communications scrutinized which is easy to do with ACLs. The benefits are:

-easily audited - if you are blocking everything but essential services, you can easily tell which protocols/ports/services are a point of entry into your DMZ and onto your LAN.
-easily defended - the attack vector is smaller so you know where to focus your efforts
-easily isolated in case of a breach - if a resource is compromised, the breach is mitigated by the ACLs already in place (to an extent). This not only helps in keeping services up (not having to yank the cable) but allows you to troubleshoot/observe the incident as it occurs (i.e. "oh, that's how they got in"). In addition, if the breach spreads onto your LAN, you know EXACTLY where they are headed.