Re: DMZ or not ?

From: Mikael Olsson (mikael.olssonat_private)
Date: Wed Oct 13 1999 - 07:58:25 PDT

    "Moore, James" wrote:
    > 
    > Could someone expand on this advice, and list/explain the additional risks
    > assumed by operating between the router and firewall (as opposed to
    > operating off a third firewall interface)?
    > 
    
    First: Routers do not protect as well as (well written) firewalls do,
    I'm mainly thinking about maintaining state and doing packet
    reassembly. Furthermore, routers do not protect against firewalking
    or OS fingerprinting; (well written) firewalls do this.
    
    If a host in your "classic" DMZ is compromised, it makes 
    a GREAT staging point for attacks against the internal network:
    - They are able to sniff everything that's passing between the
      firewall (internal network) and the choke router.
    - They are able to learn what IPs are allowed to access certain 
      services on the inside (if there is such a thing)
    - It is _REALLY_EASY_ for the DMZ servers to masquerade as (spoof)
      such external hosts if they exist
    - These servers could possibly modify data streams from external
      sites to internal clients (web pages are a good example).
      For instance, you trust "somesite.com" to run all the "really
      cool stuff" in your IE5 browser. What if the attacker _easily_
      grabs the data stream and inserts evil script code?
    
    "So, what's the difference between having session hijackers in your
    classic DMZ and having them out on the internet?"
    - It is a lot easier to do it when you're sitting in the actual
    path; you can see what TCP sequence numbers are used, and do not
    need to fool routers using ICMP redirects, RIP spoofs or whatnot;
    all you need to do is ARP spoofing, which is a lot easier to do and
    a LOT harder to defend against!
    
    
    Having said that, I feel I need to point out that everything
    that can be done in the DMZ can also be done by people out on
    the Internet. It is just so much easier to do it in the classic
    DMZ setup once a host is compromised, and we don't want to hand 
    out freebies do we?
    
    
    I believe that the argument that the firewall would slow down
    the traffic to the DMZ servers is moot, given that there are
    plenty of firewalls that can filter at speeds exceeding 100 Mbps.
    However, if you're using an old, slow, proxy machine, this
    argument might hold true for you.
    
    
    Phew!
    I'm done ranting now :-)
    
    Regards,
    Mikael
    
    -- 
    Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
    Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
    Mobile: +46-(0)70-248 00 33
    WWW: http://www.enternet.se        E-mail: mikael.olssonat_private
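The first point in the post, that a router filtering without connection state cannot tell a genuine reply from an inbound segment that merely has its ACK bit set, is easy to show with a small model. The following Python is an added example written for this archive page, not code from the original post or from EnterNet; the packets, the internal prefix `10.0.0.` and the two filter classes are all constructed for the demonstration and stand in for a real router ACL and a real stateful firewall.

```python
"""Added example (not from the original post): why a router's stateless ACL
is weaker than a firewall that keeps connection state.

A classic router ACL approximates "only allow replies to connections the
inside started" by passing any inbound TCP segment whose ACK bit is set.
A stateful filter instead remembers the outbound SYN and only passes
inbound segments that belong to a connection it has actually seen.
Every packet below is constructed for the demonstration."""

from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # assumed internal network prefix (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}


def is_inbound(pkt):
    """Inbound means destined for the protected network."""
    return pkt.dst_ip.startswith(INSIDE_NET)


def stateless_router_allows(pkt):
    """Router-style ACL: inbound segments pass if they look like replies
    (ACK set); a bare SYN trying to open a connection is dropped.
    The ACL has no memory, so an ACK-flagged segment that belongs to no
    connection passes just like a real reply."""
    if not is_inbound(pkt):
        return True
    return "ACK" in pkt.flags


class StatefulFilter:
    """Firewall-style filter: records connections the inside opens and
    only admits inbound segments that match a recorded connection."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.table = set()

    def allows(self, pkt):
        if not is_inbound(pkt):
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table.add((pkt.src_ip, pkt.src_port,
                                pkt.dst_ip, pkt.dst_port))
            return True
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            return False   # nobody inside opened this; drop even with ACK set
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            self.table.discard(key)   # simplistic teardown
        return True


def compare(packets):
    """Run one packet sequence through both filters and return
    [(description, router_verdict, stateful_verdict), ...]."""
    fw = StatefulFilter()
    return [(desc, stateless_router_allows(pkt), fw.allows(pkt))
            for desc, pkt in packets]


# Constructed traffic: an inside host talks to a web server, then two
# segments arrive from an outside host nobody inside has spoken to.
SAMPLE = [
    ("inside opens connection",
     Packet("10.0.0.5", 40001, "203.0.113.7", 80, frozenset({"SYN"}))),
    ("legitimate reply",
     Packet("203.0.113.7", 80, "10.0.0.5", 40001, frozenset({"SYN", "ACK"}))),
    ("ACK-flagged segment with no connection behind it",
     Packet("203.0.113.9", 31337, "10.0.0.5", 22, frozenset({"ACK"}))),
    ("unsolicited SYN",
     Packet("203.0.113.9", 31337, "10.0.0.5", 22, frozenset({"SYN"}))),
]

if __name__ == "__main__":
    for desc, router, stateful in compare(SAMPLE):
        print(f"{desc:50s} router={router!s:5s} stateful={stateful}")
```

Only the third packet separates the two: the router ACL waves it through because the ACK bit is set, while the state table has no matching entry and drops it. The same memory is what lets a firewall normalise and reassemble fragments and refuse the odd TTL or flag combinations that the post groups under firewalking and OS fingerprinting.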
    
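The post's second point is that a compromised host on the segment between the choke router and the firewall can answer ARP for the firewall's or router's address and so put itself in the path. The usual mitigations are static ARP entries on the firewall and router for each other's addresses and a monitor on that segment that raises an alarm when the mappings move. The Python below is an added example for this page, not code from the original post or from EnterNet; the addresses, MACs and the stream of ARP replies are constructed, and a real deployment would feed the monitor from a capture or from a tool such as arpwatch rather than from a list.

```python
"""Added example (not from the original post): watching the segment between
the choke router and the firewall for ARP spoofing.

The monitor consumes ARP replies as (sender IP, sender MAC) pairs and flags:
  1. a reply that contradicts a static mapping for a protected address,
  2. any address whose MAC changes over time,
  3. one MAC claiming several IP addresses.
All addresses and replies below are constructed for the demonstration."""

from collections import defaultdict

# Assumed static ARP entries for the two devices that matter most on a
# classic DMZ segment (constructed addresses).
STATIC_ARP = {
    "192.0.2.1": "00:00:5e:00:53:01",   # choke router, inside interface
    "192.0.2.2": "00:00:5e:00:53:02",   # firewall, outside interface
}


class ArpMonitor:
    def __init__(self, static=STATIC_ARP):
        self.static = {ip: mac.lower() for ip, mac in static.items()}
        self.seen = {}                   # ip -> MAC last seen claiming it
        self.by_mac = defaultdict(set)   # MAC -> set of IPs it has claimed
        self.alerts = []

    def observe(self, ip, mac):
        """Process one ARP reply; return the list of alerts it produced."""
        mac = mac.lower()
        new = []
        if ip in self.static and self.static[ip] != mac:
            new.append(f"static mismatch: {ip} claimed by {mac}, "
                       f"expected {self.static[ip]}")
        prev = self.seen.get(ip)
        if prev is not None and prev != mac:
            new.append(f"mapping change: {ip} moved from {prev} to {mac}")
        self.seen[ip] = mac
        if ip not in self.by_mac[mac]:
            self.by_mac[mac].add(ip)
            if len(self.by_mac[mac]) > 1:
                new.append(f"one MAC, many IPs: {mac} claims "
                           f"{sorted(self.by_mac[mac])}")
        self.alerts.extend(new)
        return new


def run(replies, static=STATIC_ARP):
    """Feed a sequence of (ip, mac) replies through a fresh monitor and
    return every alert raised, in order."""
    mon = ArpMonitor(static)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts


# Constructed replies: router and firewall announce themselves, a DMZ web
# server announces itself, then the web server's MAC starts answering for
# the firewall's address.
SAMPLE_REPLIES = [
    ("192.0.2.1", "00:00:5e:00:53:01"),
    ("192.0.2.2", "00:00:5e:00:53:02"),
    ("192.0.2.10", "00:00:5e:00:53:0a"),
    ("192.0.2.2", "00:00:5e:00:53:0a"),
]

if __name__ == "__main__":
    for line in run(SAMPLE_REPLIES):
        print("ALERT", line)
```

The last reply trips all three rules at once, which is the signature a defender wants to see on this segment. Mapping changes also happen for innocent reasons (a replaced NIC, a firewall failover pair swapping a shared address), so the alerts need triage against a change record rather than automatic blocking; the static entries on the router and firewall are what actually stop the spoofed reply from taking effect on those two hosts.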



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:43:02 PDT