Comments on: Blessay: Designing Enterprise DMZ and Multilayer Firewall Clusters

By: srs

srs — Fri, 16 Dec 2011 19:17:00 +0000

You’re missing a big point related to having two firewalls and where to place the DMZ. You place the DMZ off the internet-facing firewall because only that firewall accepts inbound traffic for web servers, etc. That is, it’s insane to run web servers internally. If someone gets in they can compromise your entire internal LAN. The external DMZ machines then do not forward any traffic in except maybe a few very specific things that are needed (for example an external mail server forwarding some traffic to an internal server). You would not forward any standard inbound internet traffic directly in. And with things like email there’s a strong argument to be made for not forwarding but having the inside server pull the data it needs (allowing an outbound connection from LAN to DMZ but not vice versa).

Mr. T says: I pity the fool who runs a web server behind the same firewall protecting his LAN.

By: Mohamed abed

Mohamed abed — Fri, 14 Oct 2011 15:57:00 +0000

Mohamed Abed
it’s no right to connected the DMZ on internal firewall because of
1-the benefit of DMZ is to secure the internal network ( don’t but all eggs at same basket)
2- so the concept is secure the internal form the server published at internet(DMZ server)
3-so if we add two level of firewall between internal and DMZ it will be better

By: martin

martin — Sat, 28 Aug 2010 13:56:34 +0000

Excellent article thanks a lot for your great work on your blog.

I do agree with your point of view and Internal Firewall DMZ is the best. Still, a question came to my mind:

In your example, there is only one access to/from external zone. How would you manage the multiple ISPs, and the fact you have links dedicated to certain services hosted in DMZ ?

Ex: You host web servers in a DMZ at the Internal Firewall, and let’s say a Web proxy for users web access in another DMZ on the same firewall. Web servers have to talk with ISP A, and wou want your users to browse the web through ISP B.

From a routing point of view, you must define the next hop based on the source, so policy based routing, which by experience on screenos and ios is not a valuable solution (side effects and/or difficult to maintain and troubleshoot at a certain point). Or maybe some equipment/firewall can have several routing instance / routing table and DMZs could use different ones ? Or maybe another solution that do not come to my mind ?

Of course, if you use DMZ on your external firewall, the problem is solved, with all the cons of doing this you have described.

Let me know what you think and thanks again for the article.

By: Duncan

Duncan — Sun, 30 May 2010 19:25:42 +0000

Excellent article and, nice illustrations!

The article was probably aimed at a logical design level above this but I am struggling to find a best practice guide for IP addressing in DMZs. In the preferred scenario (where the DMZ hangs off the internal firewall), would you give a server a private address range then NAT at the external firewall? For example, a web proxy for internal clients would be hosted in the dmz with a private IP address and then it would be NAT’d outbound?

Thanks,

Duncan

By: Greg Ferro

Greg Ferro — Fri, 21 May 2010 10:56:16 +0000

The internal firewall is the critical firewall since it connect your DMZs to your core network and thats where you end up doing ‘unusual’ technical things.. The external firewall is more likely to be a simple packet filter, or dumb firewall and this is well suited to the ASA function (as I’ve said before, Cisco doesn’t get Security).

The Juniper NetScreenOS is far superior to ASA and has better routing, easier administration, better performance. However. the NetScreen are being replaced with the new device and you may need to do some research to check it’s what you need. I have been told it’s just as good as NetScreen but I personally can’t say that I know.

By: JR

JR — Fri, 21 May 2010 10:46:46 +0000

Interesting read!

You state: “My recommendation is always to use a Cisco ASA as the external firewall and Juniper NetScreen as the internal firewall.”

I’d be interested in knowing why you recommend the above. Is there something inherently better about putting the ASA externally and the NetScreen internally?

I can understand recommending the ASA based on your Cisco background, but why do you recommend the NetScreen? Are there others you have tested?

Also, based on your reply to one of the comments, I get the impression you would have no problem putting an internal VLAN and DMZ VLAN on the same switch. Is this still your position as I didn’t pick up on that in the third Packet Pushers podcast?

Thanks

By: Ian

Ian — Fri, 18 Dec 2009 11:12:18 +0000

Hi Greg,

I disagree, firewalls in my opinion will always be the foremost solution in permiter/DMZ defence. Most of them also include IPS functionality as standard now and as I said above, application inspection. The ASA and Check Point firewalls will both restrict web traffic to RFC compliant HTTP browsing if configured to do so, they are far from being routers that don’t work with some value add.. in my opinion.

I now work for a large network integrator who are a gold/platinum partner across many networking vendors and at present the requirement for firewalls is far outweighing IPS appliances and when IPS is sold it’s often as a firewall software or hardware module. IPS will and is becoming more prevalent but as a complement to a firewall I believe.

Ian

p.s. The site is looking good.

By: Ian

Ian — Fri, 18 Dec 2009 11:04:17 +0000

“can eas≠ily do the same thing as my ASA-??55xxs but are also smart enough to notice that someone is run≠ning tel≠net on port 80″

The ASA will perform application inspection and ensure HTTP traffic is RFC compliant.. or have I missed something here?

Ian

By: Greg Ferro

Greg Ferro — Thu, 15 Oct 2009 12:41:53 +0000

Well, it also true that if the DMZ was on the external firewall then rules would have to be on two firewalls anyway. Further more, the rules from internal network are more complicated than those from the external side because of network management and administration.

While I don’t specifically agree that two firewalls are more secure than one, its a very common idea. The original purpose was to have each firewall controlled by a different team or people. In practice, this doesn’t work.

By: Egil Drillo Olsen

Egil Drillo Olsen — Wed, 14 Oct 2009 15:29:00 +0000

Why do you want to have the DMZ’s on the internal firewall, when you claim that two firewalls are not more secure than one? Isn’t the eksternal firewall waste then? All the rules on the eksternal firewall have to be applied on the internal as well?

By: Greg Ferro

Greg Ferro — Sun, 16 Aug 2009 09:49:07 +0000

John, its a good point and will write something up sooner or later.

By: Greg Ferro

Greg Ferro — Tue, 11 Aug 2009 08:32:22 +0000

The idea of using separate switches has its roots in the fact that VLAN’s are inherently insecure. You can configure switches to be secure however, which removes the risk. See this white paper published in 2003 http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf for full details about the underlying problem.

I believe that the Security Industry has not really grown up and moved on from 1999 when the issue was ‘publicised’. The IEEE clearly identified the problem in its documents and the risk was deemed acceptable. Since Cisco now has features that block VLAN hopping (VACLs, set Default Untagged VLAN, PVLANs etc etc) the risk is easily mitigated.

Exploiting VLANs requires that you compromise a server, elevate or gain root/administrator level access, download and install software and commence VLAN injection attacks. OK, not so hard but requires a high level of competence on the attacker’s part, AND a low level of competence on the administrator’s part.

The underlying problem is that Security People are often inflexible, and unreasonable. The ‘VLAN insecurity’ topic is like fundamental faith issue. I don’t agree with it, and don’t believe that selling separate switches (that are low MTBF, low reliability, low performance, and generally poor operational practice) improves the risk profile. It does shift the risk profile from the Security side to Operational side since multiple switches means more failures. I would always make the point that operational failure is a greater risk than security (your mileage may vary).

Although there are reasons where using individual switches might be a good idea, this would be a truly exceptional corner case, rather than standard best practice.

By: DaveC

DaveC — Mon, 10 Aug 2009 21:52:23 +0000

Hi Greg,

What is your view on separate physical switches vs vlans for connectivity within the various zones?

Vendor designs will often use separate switches at each zone but, especially with distributed HA firewalls, this can quickly add up to a lot of physical devices with only 2-4 active ports. However given a (correctly configured) outside firewall should it not be safe to assume that the control plane of any (correctly configured) switch behind it should be “secure”? It would therefore be valid to use the same physical switch for outside-failover/inside-failover/internaFWl-ExternalFW connectivity, segmented using vlans?

Effecitvely the FWSM uses the same switch for all functions, but I still read documents stating that seperate switches should be used.

I have read some interesting posts on your blog and would be keen to see your response.

Cheers
Dave

By: Greg Ferro

Greg Ferro — Tue, 04 Aug 2009 12:37:54 +0000

Robertr

You are right, and I did like the Cyberguard TSP before it got merged into Secure Computing and then merged into McAfee. Lets face it, you aren’t going to buy a proper firewall from McAfee are you. At the moment, firewalls are routers that don’t work with some value add around configuration management, and administrative management.

In the future, security isn’t in firewalls but in IPS and Threat Mitigation Systems. Which, I’m pleased to say, will upset most Firewall people out there today. They may have to learn something…..

By: robertr

robertr — Tue, 04 Aug 2009 11:54:38 +0000

As a former “pin dropping” firewall engineer who also used Checkpoint in the 90s ( I’m also a Checkpoint Certified Engineer ) I think you missed mentioning a technology that I first encountered in the Gauntlet product or FWTK – application aware/specific firewalls.
Products like those sold by Palo Alto Networks for instance can easily do the same thing as my ASA-55xxs but are also smart enough to notice that someone is running telnet on port 80 … not just the default http over port 80.
I don’t know what firewalls will look like in 5 or 10 years but I hope that they aren’t just more of the same ACLs – as the Black Eyed Peas sing “your so 2000 & late”

By: JohnH

JohnH — Mon, 03 Aug 2009 20:20:21 +0000

Hi Greg,
I’d like to hear your comments on load-balancers as front-end filtering devices. Depending on your needs, a hardened load-balancer which serves a limited number of Services eg. 80/443 can replace the need for a front end firewall. If you need a front-end loadbalancer anyway (and most orgs do) why incur the performance penalty of a firewall to do the same job?

I’m not suggesting the front-end firewall be removed entirely, but that it is not used to terminate inbound sessions.

/John H

By: Greg Ferro

Greg Ferro — Mon, 03 Aug 2009 12:43:28 +0000

Thanks very much.

By: Greg Ferro

Greg Ferro — Mon, 03 Aug 2009 12:41:55 +0000

I like the way you are thinking, and it’s sound reasoning. The problem is that having two different procedures for implementing DMZ is usually too complex for large companies to handle. In a large company, the operations team might have ten or twenty engineers who would make the DMZ changes, and probably only five of them who understand the differences. In the end, you should only choose one, either external or internal DMZ to keep it consistent and easy to support.

By: capcorne

capcorne — Mon, 03 Aug 2009 09:51:24 +0000

Hi,

First, I’m a fun of your schema

The DMZ place in your schema has, in my opinion, some advantages :
1- If you have a heavy Ext DMZ traffic you may prefer to not overload the internal firewall with such noisy traffic.
2- The DMZ servers are subject of security threats, If one of them is hacked, I suppose the external firewall is not doing the job correctly, then it’s a good idea that the internal firewall handls DMZ Internal traffic.

Have a nice day

By: pokey

pokey — Mon, 03 Aug 2009 00:45:57 +0000

Hi,
I believe that the location of the DMZ’s will be dependent on their use, i agree that the dmz’s should not sit across the two firewalls and also that the hosts should never be able to bridge, ie hosts should only ever have one interface linking to one firewall. That being said if you have a multi-tiered firewall complex, i believe that you should design the dmz’s accordingly, ie your first tier of firewall could be used to protect connectivity, so all the dmz’s within this tier separate all your connectivity ie internet, 3rd party, vpn’s etc.
Your next tier can be your front end tier, eg,all your presentation servers, ie web servers etc. You might even have 3rd tier, backend servers. Placing your dmz’s all within the “internal” zone limits your control to some respects. Logically you can achieve the same amount of control just using a single tier with lot of dmz’s if you’re on a budget and cannot afford multi-tier-multi-vendor.