DMZ question...

Zoomer Member Posts: 126
Ok, so some programmers are setting up a secure network and are about to create a DMZ at our job for testing. They are using a dual firewall approach, and have two machines in the DMZ that can be accessed from the internet, one being a VPN connection, the other secure FTP. But they also want to have one of these machines to have access to the internal network so they can connect to it. Isn't the purpose of a DMZ so that those machines can't access internal ones?

I mean, I could set up a rule that would allow one of those machines access to a specific computer internally. But wouldn't this be a potential vulnerability?

Comments

    Ahriakin Member Posts: 1,799
    It doesn't necessarily mean don't allow any access from the DMZ-Inside it just gives you control of that traffic flow. The idea is that you only allow specific-necessary traffic from those DMZ hosts to your internal network (just as you should with access from the internet to the DMZ hosts). Find out what kind of access they need to the machines, then identify the protocols/ports/host IPs involved and write very specific rules that only allow them to/from the DMZ machines.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
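A constructed illustration of the rule-writing advice above, added here as an example and not code from the thread or from any firewall product: a toy first-match, default-deny policy evaluator for the inside (second) firewall, with one pinned allow rule per DMZ host and service, plus an audit helper that flags any DMZ-to-inside allow that is not tied to a single source host, a single destination host and one port. The addresses (192.0.2.0/24 as the DMZ, 10.0.0.0/16 as the inside), the services (SFTP box pushing files to an internal host over tcp/22, VPN box authenticating against an internal RADIUS server on udp/1812) and all names are assumptions made for the example.

```python
"""Toy stateful-firewall policy check for DMZ-to-inside traffic.

Constructed example: rules are ordered, first match wins, and anything
unmatched is implicitly denied. Addresses and services are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # CIDR of permitted source(s)
    dst: str               # CIDR of permitted destination(s)
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet falls inside every selector of the rule."""
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; an unmatched packet is implicitly denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed addresses (assumptions, not from the thread).
DMZ_NET = "192.0.2.0/24"
SFTP_HOST = "192.0.2.10"       # the secure FTP box in the DMZ
VPN_HOST = "192.0.2.20"        # the VPN concentrator in the DMZ
INSIDE_NET = "10.0.0.0/16"
DROPBOX_SERVER = "10.0.5.10"   # internal host the SFTP box forwards files to
RADIUS_SERVER = "10.0.1.5"     # internal host the VPN box authenticates against

# Inside-firewall policy: one pinned allow per DMZ host/service, then a
# catch-all deny so the DMZ cannot reach anything else on the inside.
INSIDE_FIREWALL_RULES = [
    Rule("sftp-to-dropbox", f"{SFTP_HOST}/32", f"{DROPBOX_SERVER}/32", "tcp", 22, "allow"),
    Rule("vpn-to-radius", f"{VPN_HOST}/32", f"{RADIUS_SERVER}/32", "udp", 1812, "allow"),
    Rule("dmz-to-inside-default-deny", DMZ_NET, INSIDE_NET, "any", None, "deny"),
]


def find_broad_allows(rules: List[Rule], dmz: str = DMZ_NET,
                      inside: str = INSIDE_NET) -> List[str]:
    """Audit helper: names of DMZ-to-inside allow rules that are not pinned to
    one source host, one destination host, one protocol and one port."""
    flagged = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src, dst = ip_network(rule.src), ip_network(rule.dst)
        if not (src.subnet_of(ip_network(dmz)) and dst.subnet_of(ip_network(inside))):
            continue  # not a DMZ-to-inside rule, out of scope for this check
        if (src.prefixlen < 32 or dst.prefixlen < 32
                or rule.dport is None or rule.proto == "any"):
            flagged.append(rule.name)
    return flagged


if __name__ == "__main__":
    samples = [
        Packet(SFTP_HOST, DROPBOX_SERVER, "tcp", 22),    # the one thing SFTP box needs
        Packet(SFTP_HOST, DROPBOX_SERVER, "tcp", 445),   # same host, other service
        Packet(VPN_HOST, DROPBOX_SERVER, "tcp", 22),     # other DMZ host, same target
        Packet(VPN_HOST, RADIUS_SERVER, "udp", 1812),    # the one thing VPN box needs
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(INSIDE_FIREWALL_RULES, pkt))
    print("broad allows:", find_broad_allows(INSIDE_FIREWALL_RULES))
```

The point of the audit helper is the part of the advice that is easy to get wrong over time: a rule that allows "the DMZ" to "the inside" on "any port" still matches the intended traffic, so it never shows up as a failure, but it is exactly the broad path that turns a compromised DMZ host into a gateway to the internal network.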
    Netstudent Member Posts: 1,693
    I've seen the double stateful firewall DMZ approach for large e-commerce web servers. Many of these web servers have backend databases that are not located in the DMZ. To alleviate the possibility of the web server becoming compromised, the edge firewall was used. The second firewall was used to control specific traffic between the web servers and backend databases so that the web server wasn't used to launch another attack.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
    networker050184 Mod Posts: 11,962
    Like previously stated, the DMZ is an area that is "kinda trusted." You control what goes in and what goes out. So to your question, it could cause a vulnerability, but that's what good security people are there for! They make the balance between need of access and vulnerability. If the DMZ was completely shut off from the inside network then there wouldn't be much need for the DMZ.
    An expert is a man who has made all the mistakes which can be made.
    JDMurray Admin Posts: 13,034
    Zoomer wrote:
    But they also want to have one of these machines to have access to the internal network so they can connect to it. Isn't the purpose of a DMZ so that those machines can't access internal ones?
    Exactly. One of the most common security design errors with DMZs is allowing hosts in the DMZ to have direct access to hosts in the private network. If a DMZ host becomes compromised, it may become an easy gateway into the private network by allowing the intruder to bypass the external firewall. A DMZ host should only be able to access private network hosts via the network's gateway router, just as any other host on the Internet would.
    Ahriakin Member Posts: 1,799
    I see where you're going with this but sending DMZ traffic back to a boundary router is a little redundant in this case. You should be able to do everything you need with the rules and routing setup on the firewall itself without having to implement those rules on a 2nd device. I'm not saying it's wrong, just seems unnecessary to me.
    I agree with using internal firewalling also; Cisco's transparent firewall feature seems tailor-made for this. In the next month we'll be implementing ASAs in transparent mode between our server segments and the rest of the network. I like not having to change anything beyond configuring the firewall and placing it between the segments.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
    2BEDB411 Member Posts: 13
    Ahriakin wrote:
    I see where you're going with this but sending DMZ traffic back to a boundary router is a little redundant in this case. You should be able to do everything you need with the rules and routing setup on the firewall itself without having to implement those rules on a 2nd device. I'm not saying it's wrong, just seems unnecessary to me.

    I agree.
    I configure router 2 (outside) just for "quick and dirty" decisions and the boundary for all the granular filtering. My 2 cents.

    "then identify the protocols/ports/host IPs involved and write very specific rules that only allow them to/from the DMZ machines." (Ahriakin)