In modern Enterprise networks, you typically have many clusters of firewalls protecting assets in your network. Since we use two or more layers of firewalls, we can put our DMZ for intermediate security zones in different places in our network. Lets gather together the different options and consider the merits or not, and sometimes how they ‘self-build’.
Zones and Separation
For many networks, you need to separate different areas of the network. When separated for security reasons, these zones typically have a firewall put in to provide security and control that traffic that flows between these. It gets more complicated when there are services that needs to belong to two or more zones and so we have DMZ ((de-militarized zones)). DMZ have been around for along time, but there are many more choices for implementation.
Lets look into some of these implementation and design ideas.
For this document, I will focus on just two zones, an external and internal. The external zone will be untrusted and where evil must be stopped (like the Internet for example), and the internal zone is where the users are.
Of course you can have more than one Internal Zone or more than one External Zone.
For a normal network, the traffic flows could be demonstrated to go between all zones at any time.
But when you add a firewall, security is enforced.
Two Firewall Layers
For all large companies, it is policy to use two firewalls for the gateway to the Internet. This fundamental idea is a long held belief in the security community that firewalls aren’t really secure. It’s probably is based on the fact that Checkpoint firewalls, the only firewall vendor at the time, had a major problem in the late nineties which meant they didn’t actually work, and could be easily bypassed. Ever since this time, security policy has mandated the use of two firewalls to remove this risk [slider title=”but question of whether it is more secure remains unclear”]One of my favourite ways to upset security consultants from the major global firms, is to demand that clearly document how much more securetwo firewalls would be. For example, if I have a Cisco ASA and Nokia/Checkpoint, is it ten percent better ? Twenty percent ? Of course there is no answer for this, and the contortions that they will go to justify the statement is quite delightful. Sadly, most of these so-called security consultants have never even thought about it.[/slider]
What about product selection ?
For most people the choice has already been made as the firewalls have been in place for many years and then had the external firewall grafted in (or less commonly, the internal firewall). My recommendation is always to use a Cisco ASA as the external firewall and Juniper NetScreen as the internal firewall.
What ? No Checkpoint ?
Definitely not. The capital cost, operational cost and stupid-assed complexity of a Checkpoint/Nokia solution is horrendous. Not only are they expensive to buy, but very expensive to operate because they are so complicated. I haven’t seen a ‘proper and secure’ Checkpoint firewall in large companies because no one can make them work properly. As soon as problems start, all of the security features are turned off to get things working, and then they are never turned back on because of change control. This makes them the worst firewall product around.
And while it’s true that you COULD make Checkpoint secure, in the real world, you don’t want to be hiring Checkpoint experts just to manage firewalls, you need network people who are multi-skilled and part of cross-functional multidiscipline team. The days of the “firewalls only” team have passed. People who manage Checkpoint firewalls will need to be completely focussed on that one product, and will not usually have enough time to work on other parts of the network. This is poor value for money for most organisations.
Location – Where do you put the DMZ ?
Now DMZ are often specified by security people as a intermediate security zone for hosting systems that need to exposed to external parties, but also need to send data to the internal network. In a dual layer firewall, you could choose create a DMZ in a number of the different places.
To create a DMZ you need to
- create some VLAN’s on your switch infrastructure
- an IP interface on Firewalls with an address from a IP Subnet that you have allocated
- firewall rules that permit / deby traffic to and from the DMZ
Lets look at the different options for where you might want to locate the DMZ
DMZ on the External Firewall
You could choose to put the DMZ on the external firewall, like so:
It is my opinion that this is probably not the right place. If you believe in having two firewalls for security, then putting your services behind a single firewall from the external and untrusted zone is not consistent. In fact, you see this reasonably often when the external firewall was the ‘original’ firewall, and the internal firewall was added later.
DMZ on the Internal Firewall
You could choose to the put the DMZ on the internal firewall, like so:
The reasons that I most prefer this design is:
- traffic from the external and untrusted source passes through two firewalls thus meeting the intention of dual firewalls.
- traffic to the internal network is always more complicated, and has more flows. Consider all of the administration traffic to the servers in the DMZ. Therefore, passing internal traffic through a single firewall reduces the cost of ownership by reducing the numbers rules needed in the firewalls.
- its easier to understand. Because all external flows pass through the external firewalls, it is consistent with operational troubleshooting.
DMZ between the Firewall’s
This is starting to get clever, and is actually very common. You see, once you start adding DMZ’s to your network, you can’t have just one, you always end up with a quite few.
This type of DMZ Design looks really attractive, and people without a lot of design experience think that this is simply brilliant. I mean, it looks really marvellous when you draw it, and and it JUST LIKE THE RIGHT THING. Here is what is wrong with this idea:
- Routing – the servers in the DMZ need to have routing tables to decide which interface to send traffic. My life is too short to spend time explaining routing to server engineers (even when Microsoft includes it in their curriculum).
- Routing – on the firewall. Your firewall is not a router, and should’nt be used like one
- Testing and Service – you cannot access the outside DMZ interfaces from the internal network without really painful procedures
Accessing the outside interfaces
Let me draw accessing the outside interface. After all, you are monitoring these services for availability aren’t you ?
As you can see, sending data to that external network means quite a lot of work. Routing, firewall rules and this all adds up to something that can easily go wrong and costs extra money to build and maintain.
DMZ bridges from the External to the Internal (Servers as a Firewall)
Now this idea usually comes from someone on the server team, because they sometimes think that servers are a firewall. In fact, the entire security world believes that servers are the very thing we are trying to protect and that operating systems such as Windows and Linux are not to be trusted. Still, I’ve seen it a few times and it’s always been a bad idea.
So, some recommendations.
For the reasons I have outlined, the DMZ on the Internal Firewall makes the most sense. It’s easy to operate, and keeps the complexity on the internal firewall. I haven’t discussed it here, but it also works better when you have HA firewalls.