* different DMZs which is better?
From: Mike @ 2003-01-13 14:28 UTC (permalink / raw)
To: netfilter
Hey guys, I'm deciding how I want to implement a DMZ for my company. Can anyone
tell me the pros and cons of my DMZs below? Should I go with routable
hosts in my DMZ and just filter out any port I don't want open, or just port
forward over certain ports and use IP aliases?
Thanks,
Mike
P.S. Excuse the art below, I know it sucks.
                        cisco
                          |
                          |
                          |
                        eth0
DMZ inet IPs (eth1)---Netfilter----private LAN (eth2)

                           cisco
                             |
                             |
                             |
                           eth0
DMZ private IPs (eth1)---Netfilter----private LAN (eth2)
* Re: different DMZs which is better?
From: Cedric Blancher @ 2003-01-13 14:59 UTC (permalink / raw)
To: Mike; +Cc: netfilter
On Mon 13/01/2003 at 15:28, Mike wrote:
> Hey guys, I'm deciding how I want to implement a DMZ for my company. Can anyone
> tell me the pros and cons of my DMZs below? Should I go with routable
> hosts in my DMZ and just filter out any port I don't want open, or just port
> forward over certain ports and use IP aliases?
The resulting architecture will provide the same result. Forwarding a
port to an IP or opening one to it is mainly the same in terms of
security.
What changes between the two architectures is the fact that you do not have
to split your public address pool when you do NAT. So it can save
addresses if you're short, because all used public IPs will be aliased
on your firewall and simply NATed to a private-address DMZ.
By the way, your filtering policy must not depend on the architecture
you'll choose. NAT does not constitute a security mechanism in your case,
so you have to consider it just as a trick, not a security feature.
--
Cédric Blancher <blancher@cartel-securite.fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: different DMZs which is better?
From: Filip Sneppe @ 2003-01-13 16:05 UTC (permalink / raw)
To: Mike; +Cc: netfilter
On Mon, 2003-01-13 at 15:28, Mike wrote:
> Hey guys, I'm deciding how I want to implement a DMZ for my company. Can anyone
> tell me the pros and cons of my DMZs below? Should I go with routable
> hosts in my DMZ and just filter out any port I don't want open, or just port
> forward over certain ports and use IP aliases?
>
Hi Mike,
Using NAT in your setup is usually a good way to save IP
addresses. If you add one or more static routes to the
Cisco router, you don't even have to add aliases to eth0
on the Linux firewall. It'll also save you from fiddling
around with things like proxy arp and subnetting your
IP address range, which could get pretty hairy.
Performance-wise, you shouldn't notice any difference when
NAT'ing IP addresses in all but the most serious setups
(how many hosts are we talking about? I am assuming
anything between 1 and 32 DMZ hosts. And what bandwidth
do you have available?).
One thing to watch out for with NAT is that certain protocols
are difficult to firewall/NAT. The really important ones
are fully covered in the kernel (FTP, IRC), and there are
a bunch of additional nat/conntrack helpers in patch-o-matic
to cover most protocols, but if you want to run some
weird protocol behind a NAT box, you may encounter some
difficulties. Again, things like HTTP, FTP, IRC, DNS,
POP3, IMAP, etc. will work just fine with iptables+NAT.
One possible disadvantage of NAT is that it may render
your network topology a bit less clear/intuitive for some
people...
Hope this helps...
Regards,
Filip
* Re: different DMZs which is better?
From: Filip Sneppe @ 2003-01-13 16:14 UTC (permalink / raw)
To: Filip Sneppe; +Cc: Mike, netfilter
On Mon, 2003-01-13 at 17:05, Filip Sneppe wrote:
> addresses. If you add one or more static routes to the
> Cisco router, [snip]
I meant "*on* the cisco router".
* Re: different DMZs which is better?
From: Mike @ 2003-01-13 19:15 UTC (permalink / raw)
To: netfilter
I talked with my ISP and they will route me a /30 for my firewall and a /28
for the DMZ segment. The DMZ will be hosting a web farm. Does anyone have a
list of things I should do to the box besides filtering rules? Like how I can
stop directed broadcasts etc. I am going to accept Established and New
connections in the forward chain going to the web servers and drop invalid.
Is that OK for web servers or should I also accept related? I'm only going to
open up port 80 to the web servers and drop everything else.
Thanks,
Mike
----- Original Message -----
From: "Mike" <mikeeo@msn.com>
To: <netfilter@lists.netfilter.org>
Sent: Monday, January 13, 2003 9:28 AM
Subject: different DMZs which is better?
> Hey guys, I'm deciding how I want to implement a DMZ for my company. Can anyone
> tell me the pros and cons of my DMZs below? Should I go with routable
> hosts in my DMZ and just filter out any port I don't want open, or just port
> forward over certain ports and use IP aliases?
>
> Thanks,
> Mike
>
> P.S. Excuse the art below, I know it sucks.
>
>                         cisco
>                           |
>                           |
>                           |
>                         eth0
> DMZ inet IPs (eth1)---Netfilter----private LAN (eth2)
>
>                            cisco
>                              |
>                              |
>                              |
>                            eth0
> DMZ private IPs (eth1)---Netfilter----private LAN (eth2)
* Re: different DMZs which is better?
From: Athan @ 2003-01-13 20:28 UTC (permalink / raw)
To: Mike; +Cc: netfilter
On Mon, Jan 13, 2003 at 02:15:34PM -0500, Mike wrote:
> I talked with my ISP and they will route me a /30 for my firewall and a /28
> for the DMZ segment. The DMZ will be hosting a web farm. Does anyone have a
> list of things I should do to the box besides filtering rules? Like how I can
> stop directed broadcasts etc. I am going to accept Established and New
> connections in the forward chain going to the web servers and drop invalid.
> Is that OK for web servers or should I also accept related? I'm only going to
> open up port 80 to the web servers and drop everything else.
Are the web servers going to be set up to do reverse DNS lookups on
their connections? Usually best not to, as it can be quite a
performance hit for busy servers, but bear this in mind for access rules
if restricting any part of the webspace by client host, as you'll only
be able to do that on IP.
If you are allowing such reverse lookups then obviously the DMZ needs
to be able to access at least one DNS server, probably the firewall box
acting as a forwarder, or just plain doing the lookups itself.
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
* Re: different DMZs which is better?
From: Joel Newkirk @ 2003-01-14 0:10 UTC (permalink / raw)
To: Filip Sneppe, Mike; +Cc: netfilter
On Monday 13 January 2003 11:05 am, Filip Sneppe wrote:
> One possible disadvantage of NAT is that it may render
> your network topology a bit less clear/intuitive for some
> people...
And some people would consider this a job security advantage... :^)
With good documentation and liberal comments in the firewall script this
shouldn't be an issue, though, at least for the people who need to
understand it anyway. Just write up some notes on the setup, print them
out along with the firewall script, and keep them in a 3-ring binder. The
apparent organization of everything usually looks good, and almost
always makes return engagements much easier. (6 months from now
something that made perfect sense today may look completely cryptic.)
j
* Re: different DMZs which is better?
From: Filip Sneppe @ 2003-01-14 12:26 UTC (permalink / raw)
To: Mike; +Cc: netfilter
On Mon, 2003-01-13 at 20:15, Mike wrote:
> I talked with my ISP and they will route me a /30 for my firewall and a /28
> for the DMZ segment. The DMZ will be hosting a web farm. Does anyone have a
> list of things I should do to the box besides filtering rules? Like how I can
> stop directed broadcasts etc.
You may want to install a package called "systune" - it's very
useful for this kind of tuning. Alternatively, you could prepend
or append these settings to your firewall script.
Check out Oscar Andreasson's sysctl tutorial for all the
relevant info on network /proc settings.
http://ipsysctl-tutorial.frozentux.net/
Some things that spring to mind:
# Do not answer ICMP echo requests sent to broadcast addresses (directed
# broadcast / smurf amplification)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignore malformed ICMP error responses instead of logging them
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Do not accept ICMP redirects on any interface
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done
# Do not accept source-routed packets on any interface
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
# Disable TCP timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> I am going to accept Established and New
> connections in the forward chain going to the web servers and drop invalid.
> Is that OK for web servers or should I also accept related? I'm only going to
> open up port 80 to the web servers and drop everything else.
>
For port 80/http traffic, "RELATED" doesn't really have any meaning,
except that ICMP error messages can also be related to a TCP or UDP
traffic flow, things like ICMP "fragmentation needed" messages.
So you may actually want to allow RELATED traffic too.
Regards,
Filip
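An added example, not code from the thread, that ties together Cédric's point (the filtering policy is the same whether the DMZ is routed or NATed) and Filip's point about RELATED: the same stateful FORWARD rules for the web farm are loaded under both layouts from Mike's drawing, with RELATED accepted only for ICMP errors. Interface roles follow the drawing (eth0 to the Cisco, eth1 DMZ); the addresses are constructed placeholders from the documentation range (routed DMZ 203.0.113.16/28; private DMZ 10.10.10.0/28 behind the public alias 203.0.113.2), and the script uses the `-m state` match of that era.

```shell
#!/bin/sh
# Added example, not from the thread. Interface roles follow Mike's drawing
# (eth0 to the Cisco, eth1 DMZ). Addresses are constructed placeholders:
# the ISP-routed /28 is 203.0.113.16/28; the private-DMZ variant uses
# 10.10.10.0/28 behind the public alias 203.0.113.2 on eth0.
IPT=${IPT:-iptables}   # set IPT=echo to print the rules instead of loading them
WAN=eth0; DMZ=eth1

# Filtering policy, identical in both layouts: only TCP/80 to the web
# servers, NEW+ESTABLISHED in, ESTABLISHED back out, INVALID dropped.
# RELATED is accepted only for ICMP so errors such as "fragmentation
# needed" for an existing flow still reach the servers; helper-created
# RELATED data channels (e.g. FTP) are not opened by this rule.
web_forward_rules() {   # $1 = web server subnet as seen on eth1
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -i $WAN -o $DMZ -d "$1" -p tcp --dport 80 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $WAN -s "$1" -p tcp --sport 80 \
         -m state --state ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -p icmp -m state --state RELATED -j ACCEPT
    $IPT -A FORWARD -j DROP
}

# Layout 1: routable DMZ. The ISP routes the /28 to the firewall, so the
# servers carry public addresses and the box only filters.
routed_dmz() {
    $IPT -P FORWARD DROP
    web_forward_rules 203.0.113.16/28
}

# Layout 2: private DMZ. Port 80 on the public alias is DNATed to a
# private server; FORWARD sees the already-translated destination, so the
# same filter policy applies unchanged (NAT adds no filtering of its own).
nat_dmz() {
    $IPT -P FORWARD DROP
    $IPT -t nat -A PREROUTING -i $WAN -d 203.0.113.2 -p tcp --dport 80 \
         -j DNAT --to-destination 10.10.10.2
    web_forward_rules 10.10.10.0/28
}

case "${1:-}" in
    routed) routed_dmz ;;
    nat)    nat_dmz ;;
esac
```

Run as `IPT=echo sh dmz.sh nat` to review the generated rules before loading them; the two layouts differ only in the single DNAT line and the subnet handed to the shared policy.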