* RE: DMZ Setup Question
From: Derick Anderson @ 2005-11-30 18:32 UTC
To: jzorzi, netfilter
Inline...
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jay Zorzi
> Sent: Wednesday, November 30, 2005 11:22 AM
> To: netfilter@lists.netfilter.org
> Subject: DMZ Setup Question
>
> My colleague and I are having a disagreement about our
> network firewall and routing policies. First the setup information.
> We have a Bridge Router running iptables and ebtables as our
> external firewall. Behind that we have a DMZ that contains
> machines with valid external addresses. Between the DMZ and
> our internal network there is another firewall. Our choke
> firewall. The choke firewall is doing NAT in order for our
> internal network to surf the Internet but for our DMZ
> machines to talk to our internal machines we are just using
> routing, no NAT.
When you say DMZ machines are talking to internal machines, do you mean
that you've set up routes to the choke firewall for your private subnet
on the DMZ machines?
> Now here is the disagreement. Because the internal machines
> are using a private network address my colleague is concerned
> that we are violating Internet rules/etiquette by having this
> internal private IPs routing to our DMZ machines that have
> valid Internet IPs. He is also suggesting that using NAT is
> more secure.
>
> Can someone help us settle this disagreement?
I can't speak to Internet etiquette, but clearly you are following the
rules else things wouldn't be working. It is not as though what you are
doing will "break the Internet." NAT does not make anything more
"secure", it just simplifies routing. You can have a wide-open system
with NAT or a closed system using routing.
My inclination would be to use NAT (MASQUERADE) for your internal hosts
just because it makes things simpler (not necessarily more secure) and
your DMZ doesn't need routes to your internal network. Some may say then
that simpler is more secure and I agree, but I still say that NAT is a
routing tool and not a security tool.
Derick Anderson
* Re: DMZ Setup Question
From: /dev/rob0 @ 2005-11-30 19:51 UTC
To: netfilter
On Wednesday 2005-November-30 12:32, Derick Anderson wrote:
> My inclination would be to use NAT (MASQUERADE) for your internal
> hosts just because it makes things simpler (not necessarily more
> secure) and your DMZ doesn't need routes to your internal network.
> Some may say then that simpler is more secure and I agree, but I
> still say that NAT is a routing tool and not a security tool.
The only potential security issue is one that SHOULD have already been
addressed by disabling packet forwarding on the DMZ machines, and that
is that an upstream attacker might route packets to your LAN machines
using [a] DMZ machine[s] as gateway.
Otherwise I agree with you and Derick. I prefer routing when it's a
possibility.
Even without the LAN routes the DMZ machines should not allow packet
forwarding.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
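The property /dev/rob0 is describing, that a DMZ host must never act as a gateway toward the LAN, rests on two settings: the kernel's forwarding switch and the default policy of the FORWARD chain. The following audit script is an added example, not code from the thread or from anyone in it. It checks those two settings against constructed samples of `sysctl net.ipv4.ip_forward` and `iptables-save` output, so it runs without root or a real firewall; the `harden_dmz_host` function shows the corresponding fix but is not invoked.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the two settings that let a DMZ
# host route packets into the LAN: the kernel forwarding switch and the
# default policy of the filter table's FORWARD chain.

# Constructed samples of what `sysctl net.ipv4.ip_forward` prints.
SYSCTL_BAD="net.ipv4.ip_forward = 1"
SYSCTL_GOOD="net.ipv4.ip_forward = 0"

# Constructed samples of `iptables-save` output (filter table chains only).
RULES_BAD=':INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]'
RULES_GOOD=':INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]'

# forwarding_state "<sysctl line>": prints "enabled" or "disabled".
# Anything other than an explicit 0 counts as enabled.
forwarding_state() {
    value=$(printf '%s\n' "$1" | sed 's/.*= *//')
    if [ "$value" = "0" ]; then echo disabled; else echo enabled; fi
}

# forward_policy "<iptables-save text>": prints the FORWARD chain's default
# policy (the word after ":FORWARD").
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# dmz_host_ok "<sysctl line>" "<iptables-save text>": exit status 0 only when
# the host neither forwards nor accepts forwarded packets by default.
dmz_host_ok() {
    [ "$(forwarding_state "$1")" = disabled ] && [ "$(forward_policy "$2")" = DROP ]
}

# The fix, run as root on the DMZ host (defined only, not invoked here).
# Persist the sysctl in /etc/sysctl.conf so it survives a reboot.
harden_dmz_host() {
    sysctl -w net.ipv4.ip_forward=0
    iptables -P FORWARD DROP
}

if dmz_host_ok "$SYSCTL_GOOD" "$RULES_GOOD"; then
    echo "hardened sample: cannot act as a gateway"
fi
if ! dmz_host_ok "$SYSCTL_BAD" "$RULES_BAD"; then
    echo "default sample: could route packets into the LAN"
fi
```

On a live host, feed it `sysctl net.ipv4.ip_forward` and `iptables-save` output instead of the samples; both checks must pass, since a DROP policy alone does nothing while the forwarding switch is off, and the switch alone is undone by the first `sysctl -w` that turns it back on.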
* DMZ Setup Question
From: Jay Zorzi @ 2005-11-30 16:22 UTC
To: netfilter
My colleague and I are having a disagreement about our network firewall
and routing policies. First the setup information.
We have a Bridge Router running iptables and ebtables as our external
firewall. Behind that we have a DMZ that contains machines with valid
external addresses. Between the DMZ and our internal network there is
another firewall. Our choke firewall. The choke firewall is doing NAT
in order for our internal network to surf the Internet but for our DMZ
machines to talk to our internal machines we are just using routing, no
NAT.
Now here is the disagreement. Because the internal machines are using a
private network address my colleague is concerned that we are violating
Internet rules/etiquette by having these internal private IPs routing to
our DMZ machines that have valid Internet IPs. He is also suggesting
that using NAT is more secure.
Can someone help us settle this disagreement?
* Re: DMZ Setup Question
From: Nick Drage @ 2005-12-06 13:04 UTC
To: netfilter
On Wed, Nov 30, 2005 at 11:22:00 -0500, Jay Zorzi wrote:
Left in for context....
> My colleague and I are having a disagreement about our network firewall
> and routing policies. First the setup information.
> We have a Bridge Router running iptables and ebtables as our external
> firewall. Behind that we have a DMZ that contains machines with valid
> external addresses. Between the DMZ and our internal network there is
> another firewall. Our choke firewall. The choke firewall is doing NAT
> in order for our internal network to surf the Internet but for our DMZ
> machines to talk to our internal machines we are just using routing, no
> NAT.
Onwards....
> Now here is the disagreement. Because the internal machines are using
> a private network address my colleague is concerned that we are
> violating Internet rules/etiquette by having these internal private
> IPs routing to our DMZ machines that have valid Internet IPs.
Not at all. It may technically be against an RFC but you're not
affecting anyone's routing tables using this method so it's not a
problem. I've seen large ISPs use such internal address ranges on their
networks before so I wouldn't worry.
> He is also suggesting that using NAT is more secure.
It is, sort of. Without NAT if someone compromised a DMZ box and
somehow your choke firewall permitted inbound connections then the
attacker could have a go at your internal hosts from the compromised
host.
If you used NAT it would mean someone could compromise a box in the DMZ
and still not get to your internal hosts, unless you specifically
forwarded inbound connections to a port on the external interface of the
choke firewall to an internal host.
So without NAT you have to do something dumb to be vulnerable, with NAT
you have to do something dumber. Seeing as things work at the moment
I'd be very tempted to leave things as they are.
> Can someone help us settle this disagreement?
Hope the above helps :)
--
deviants are sacrificed to increase group solidarity
Jenny Solzer
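Derick's point that NAT is a routing tool rather than a security tool, and Nick's point that the only way in under NAT is a deliberate port-forward, can both be seen in a choke-firewall ruleset. The script below is an added example and not code from anyone in the thread. It writes the poster's routed setup and Derick's fully masqueraded alternative side by side, sharing one stateful FORWARD core; the two differ only in the scope of the POSTROUTING rule. Interface names and subnets are assumptions (the DMZ range is the RFC 5737 documentation block), and the script is a dry run by default: `IPT` is `echo iptables` unless overridden, so the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not from the thread. Two choke-firewall rulesets, routed and
# masqueraded, sharing the same FORWARD policy. Dry run by default: IPT is
# "echo iptables" so rules are printed; run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"   # unquoted on use so "echo iptables" word-splits
INT_IF=eth1                   # assumed choke interface facing the internal LAN
DMZ_IF=eth0                   # assumed choke interface facing the DMZ/bridge router
INT_NET=192.168.1.0/24        # assumed private internal subnet
DMZ_NET=203.0.113.0/24        # assumed public DMZ subnet (RFC 5737 documentation range)

# Stateful core shared by both variants: this, not NAT, is what keeps a
# compromised DMZ host from reaching the LAN.
choke_forward_core() {
    $IPT -P FORWARD DROP
    # replies to connections the LAN opened are allowed back in
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # the LAN may open new connections outward (to the DMZ and the Internet)
    $IPT -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_NET" -m conntrack --ctstate NEW -j ACCEPT
    # no rule lets DMZ hosts open connections inward, so the policy drops them
}

# Variant A, the poster's setup: DMZ<->LAN is plain routing; only traffic bound
# past the DMZ is masqueraded. DMZ hosts need a route to INT_NET via the choke.
choke_routed() {
    choke_forward_core
    $IPT -t nat -A POSTROUTING -o "$DMZ_IF" -s "$INT_NET" ! -d "$DMZ_NET" -j MASQUERADE
}

# Variant B, Derick's suggestion: everything leaving toward the DMZ side is
# masqueraded, so DMZ hosts only ever see the choke's address and need no route
# to the private range. The FORWARD rules are identical to variant A.
choke_masqueraded() {
    choke_forward_core
    $IPT -t nat -A POSTROUTING -o "$DMZ_IF" -s "$INT_NET" -j MASQUERADE
}

# The "something dumber" Nick describes: a DNAT port-forward plus its FORWARD
# exception reopens a path from the DMZ side to one internal host even with
# MASQUERADE in place. Port and host are hypothetical; defined here so the
# pattern is recognisable in an audit, never called by either variant.
choke_dnat_hole() {
    $IPT -t nat -A PREROUTING -i "$DMZ_IF" -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -d 192.168.1.10 -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
}

echo "# variant A: routed DMZ<->LAN"
choke_routed
echo "# variant B: masqueraded"
choke_masqueraded
```

Reading the two outputs next to each other makes the disagreement concrete: the DROP policy and the conntrack rules are what close the choke to connections originating in the DMZ, and they are the same in both variants. What changes with full MASQUERADE is only that the DMZ never learns the private range exists, and what undoes it is the DNAT pair, which is a deliberate rule rather than an accident of routing.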