Is a DMZ necessary?

I'm revising the Internet connectivity arrangements in my company and am wondering whether to implement a DMZ.

I've seen a few comments on the Microsoft ISA Configuration newsgroup about a DMZ being unnecessary with ISA Server 2004. I have inherited an ISA Server configuration which I'll be continuing to support. For example, these by Zachary Gutt, Technical Product Manager (ISA Server) in Feb 2003:

"A DMZ was beneficial when the servers in the DMZ did not need to communicate with the servers in the LAN. However, today this is not the case. Web servers now communicate with SQL backends.... To allow all of this communication through FW #1, so many holes need to be opened in that firewall that it just becomes Swiss cheese (i.e. it's not really doing anything). ...Many consultants I talk to today are saying that companies are moving back to these "flat" deployments, meaning they don't have DMZ's. This drastically reduces complexity, and is equivalently secure, or more secure."

I see where Zachary Gutt is coming from, but isn't it the case that in a Windows environment, if the web servers were on a DMZ, they could be removed from the domain, for example, and hence there would be less of a risk if they were compromised, i.e., if an intruder compromises the DMZ, they don't automatically gain access to the internal network? Isn't it also true that while certain ports would need to be opened up on the firewall to allow communication with the backend SQL Servers, the firewall could certainly restrict the number of ports to a minimum?

Here's another comment from Phillip Windell:

"So as far as I am concerned the only true, solid, "real" DMZ is the Back-to-Back DMZ. But even then I don't really like them because I think they are just an extra needless layer of complexity that isn't really required to make the LAN secure, and they cause a lot of additional problems when trying to publish internal resources to the Internet or perform VPN solutions."

Paul Welsh

The main purpose of a DMZ in your situation is to limit the ability of the server to a) be compromised from the internal machines and b) to attack the internal machines if it is compromised.

Putting it in a properly configured DMZ allows only the absolute minimum communication in AND out from the server.

If your firewall has sufficient bandwidth capability, there is no reason not to put an internal server in a DMZ, but many low-end firewalls can't handle doing their job at LAN speeds, hence the (misguided) recommendation above.

A good firewall will do much more than just stop unauthorized traffic in and out: it will actually recognize nefarious in-band traffic, that is, dangerous payloads in allowed ports and protocols, such as SQL attacks. These types of firewalls are even more useful to your server and network security when properly utilized like this with a DMZ to protect the server.

You can have a Windows server that is part of a DMZ and also your domain, but then you will need to open up the domain communication ports between the DMZ server and the PDC. That does increase your risk of certain types of compromise if your PDC is also compromised, but it is a greatly, greatly reduced risk compared with having your servers fully accessible to everything.

-Russ.

Somebody.

The O.P. did not say that any individual products would influence the decision. Only that he was able to find some information from these product's newsgroups. Entirely different than your apparent assumption above.

The quoted text that the O.P. provided included rationale for their position. You include none for yours other than "I don't agree at all". Weak.

-Frank

Frankster

You cannot explain *why* you take this different view than the one presented by the O.P.? Is it just your feeling? Or what?

-Frank

Frankster

I think you mean *external* machines here... right?

Yes.

You don't need a DMZ to do that, do you? You can have exactly the same limitations on communication from/to the LAN from that machine whether it is in a DMZ zone or not, right? Can you offer any reason why a DMZ is better?

I see NO mention whatsoever of speed having any relationship whatsoever with those recommendations (actually ideas, not recommendations) in the original post. Are you just taking this opportunity to slam firewall products selling for less than $5000?

Agreed. And that "good" firewall you are talking about will do just as good of a job on a machine inside or outside of a DMZ zone. Right?

You give no rationale about the DMZ being better. Just a gut feeling?

If only necessary communication is opened from the server in question to the LAN, what difference does it make if the server is in or out of a DMZ? Can you explain? Either way you can limit communication to the same ports/services... right?

-Frank

Frankster

Paul, I believe these are all very good points. The main point being, don't set up a DMZ unless you know precisely what the benefits are. And I don't mean a gut feeling, or doing so just because it seemed like a good idea at the time. Or... don't do it just because you can (very common mistake of technology-junky IT folks).

I tend to agree with the authors you quoted. Bottom line, I believe a DMZ is most useful (very useful actually) if you can isolate the DMZ machine from the LAN. But if you require a fair amount of communication from the LAN to the DMZ, it sort of defeats the purpose. The same limitation can be put on the machine whether it is in a DMZ or not.

Anyway, put my vote with the two responses from the IAS group above. Incidentally, I don't use IAS, but I'm just talking philosophically. I'm not specifically considering any supposed capabilities of IAS.

-Frank

Frankster

Leythos, I can (surprisingly! :) ) agree with your implementation. If you restrict the DMZ machine the way you describe, a DMZ is a good choice, IMO. It didn't sound like your implementation strategies would work for the O.P. I dunno... maybe.

-Frank

Frankster

Put your email and web servers in the DMZ and then make sure you make tight rules/policies.

Dan

The zone concept has nothing to do with what products you're working with.

I don't agree at all.

Yours, VB.

Volker Birk

We tend to always put nodes that provide PUBLIC services in the DMZ - a DMZ being a different network than the LAN network, not an IP in the same network as the LAN.

We also tend to have heavy communications between the PUBLIC servers and at least one LAN server, but, we limit it to the specific communications port needed and don't allow blanket connections between the DMZ and LAN.

As an example, we would put the database server (Oracle or MS SQL) in the LAN (or behind a second DMZ) and then map the DB communication port for data from the DMZ server IP:PORT to the LAN (or second DMZ) database server IP:PORT. We don't allow things like Windows Authentication to work between the LAN and DMZ in either direction.

We do this for other server types too - including email servers that provide POP/IMAP or OWA access. These servers don't access the LAN, and since we control the user name and password, it works very nicely at keeping a compromised server from reaching the LAN.

Leythos

I was about to, based on your comment, until I read this. Not sure I want to now.

-Frank

-------------------- Warning for WinXP Service Pack 2 users!

OE-QuoteFix uses external files to color quoted material and to replace emoticons with icons. After installing WinXP SP2, OE is configured by default to block automatic downloads of external content. That means the coloring and icons features in OE-QuoteFix will not work. If you wish to use these features, you must disable the block in OE under Tools| Options| Security.

Furthermore, SP2 makes changes in OE's Read all messages in plain text feature. Instead of using an IE control, it now uses the RichEdit control. OE-QuoteFix will not function at all if you enable the plain text feature in OE under Tools| Options| Read.

---------------------

Frankster

Oh, I dunno... none of the reported "problems" with OE have ever bothered me. Don't know if I really have the enthusiasm or time to install/maintain a third party newsreader on all the machines I use.

-Frank

Frankster

[snipped for a broken usenet client]

Frank - have you considered installing the Quote Fix patch for Outhouse Express? It will remove the "Signature" part of posts when you reply to them.

I didn't follow back far enough to see what he needed, I only wanted to provide some of the good reason to have a real DMZ and why.

Leythos

May I suggest that you try Super Gravity as a free text-type Usenet client? It's a great application and I've used it for more than 8 years, and it doesn't have any of the problems that OE has.

Leythos

BTW: _please_ learn to control your ego! Thank you!

-Frank

Frankster

No, I don't. That's the firewall's job, and if it's properly configured, the incoming and outgoing rules for the server should be basically the same whether your server is in the DMZ or the Internal zone. But if your server is *not* in a DMZ, then if a user, say, brings in an infected laptop, your server is completely vulnerable to it. If you put your server in a DMZ, you can put controls on the internal machines' capabilities of communicating with it, just as if they were outside machines.

How are you going to stop the infected laptop from going to town on your server? By hardening it? By that logic, you should put your server on a raw internet feed. Putting it on a DMZ allows you to use your firewall to protect your server from inside machines too.

No, I'm just pointing out the very obvious fact that if you try to put your database server behind a firewall that cost you $1000, it is not going to do Intrusion Protection at 100Mbps, and will therefore severely limit your server bandwidth to your internal users. That's what the original recommendations said: putting your firewall in a DMZ will hurt its performance. But that's only because the firewalls they are thinking about are insufficiently powerful to handle such traffic. You can buy firewalls that will handle the 100Mbps you need, or whatever lower number you're comfortable with, and will therefore not introduce any performance problems into your network when you put your server behind them using a DMZ.

Again, you can't protect it from internal machines without using a DMZ. That's the point of the DMZ. Ok?

Hopefully by now you get the idea, I won't repeat myself again on that point.

That would be about, what the 5th time? Surely by now you see the issue.

-Russ.

Somebody.
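The policy Leythos describes above (DMZ as its own network, one DMZ-to-LAN hole from the web server to the database port, no Windows authentication between zones) and Russ's point that a DMZ lets the firewall protect the server from an infected LAN host, modelled as a small first-match packet filter. This is an added example, not code from the thread, from ISA Server or from any other product; every address, host role, port choice and the interface names in the nftables rendering are assumptions made for illustration.

```python
"""DMZ zone policy as a first-match packet filter (constructed example: all
addresses, host roles, ports and interface names are assumptions, not the
thread's or any product's configuration)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {"dmz": ipaddress.ip_network("192.0.2.0/24"),   # DMZ is its own network,
         "lan": ipaddress.ip_network("10.0.0.0/16")}    # not an IP on the LAN
IFACE = {"internet": "wan0", "dmz": "dmz0", "lan": "lan0"}  # assumed NIC names
WEB, SQL, DC, ADMIN = "192.0.2.10", "10.0.0.20", "10.0.0.5", "10.0.0.50"
# Ports Windows domain membership, authentication and file sharing rely on.
WINDOWS_PORTS = (88, 135, 137, 138, 139, 389, 445, 464, 636, 3268, 3269)


def zone_of(ip: str) -> str:
    """Anything outside the DMZ and LAN networks is the Internet."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "internet")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]        # None = any port
    action: str                 # "accept" or "drop"
    src: Optional[str] = None   # None = any host in src_zone
    dst: Optional[str] = None   # None = any host in dst_zone
    proto: str = "tcp"

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone == zone_of(flow.src) and self.dst_zone == zone_of(flow.dst)
                and self.proto == flow.proto
                and (self.dport is None or self.dport == flow.dport)
                and (self.src is None or self.src == flow.src)
                and (self.dst is None or self.dst == flow.dst))


# First match wins; anything unlisted hits the default drop, so the Windows
# domain protocols are never opened between zones simply by never listing them.
POLICY = [
    Rule("internet", "dmz", 80, "accept", dst=WEB),
    Rule("internet", "dmz", 443, "accept", dst=WEB),
    Rule("dmz", "lan", 1433, "accept", src=WEB, dst=SQL),    # the one DMZ->LAN hole
    Rule("lan", "dmz", 443, "accept", dst=WEB),              # LAN users: same port as Internet
    Rule("lan", "dmz", 3389, "accept", src=ADMIN, dst=WEB),  # management from one host only
]
DEFAULT_ACTION = "drop"


def evaluate(flow: Flow, policy=POLICY) -> str:
    """Verdict for a new connection; return traffic is left to connection tracking."""
    return next((r.action for r in policy if r.matches(flow)), DEFAULT_ACTION)


def windows_auth_blocked(policy=POLICY) -> bool:
    """No domain/SMB port reachable between web server and DC in either direction."""
    return all(evaluate(Flow(a, b, p), policy) == "drop"
               for p in WINDOWS_PORTS for a, b in ((WEB, DC), (DC, WEB)))


def render_nftables(policy=POLICY) -> str:
    """The same policy as an nftables forward chain in ruleset-file syntax."""
    lines = ["table inet dmz_policy {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        parts = [f'iifname "{IFACE[r.src_zone]}"', f'oifname "{IFACE[r.dst_zone]}"']
        parts += [f"ip saddr {r.src}"] if r.src else []
        parts += [f"ip daddr {r.dst}"] if r.dst else []
        parts += [f"{r.proto} dport {r.dport}"] if r.dport is not None else []
        lines.append("    " + " ".join(parts + [f"ct state new {r.action}"]))
    return "\n".join(lines + ["  }", "}"])


if __name__ == "__main__":
    laptop = "10.0.0.99"  # infected laptop plugged into the LAN
    for f in (Flow("203.0.113.7", WEB, 443), Flow(WEB, SQL, 1433), Flow(WEB, DC, 445),
              Flow(laptop, WEB, 445), Flow(laptop, WEB, 443), Flow(laptop, WEB, 3389)):
        print(f"{f.src:>13} -> {f.dst}:{f.dport:<5} {evaluate(f)}")
    print("domain protocols blocked between zones:", windows_auth_blocked())
    print(render_nftables())
```

The point the two posters are making shows up in the verdicts: the LAN laptop gets the same treatment as an Internet host (443 to the web server allowed, 445 and 3389 dropped), the web server can reach nothing in the LAN but the SQL port, and because the web server is not a domain member there is no reason to list any of the Kerberos/LDAP/SMB ports at all. Whether the DMZ server also needs outbound Internet access (patching, DNS) is a separate decision this example leaves at the default drop.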

:) Man, I dunno... some folks sure get carried away with their presumed author status on these boards, I think. LOL! That would be a shame if he killfiled me :)

-Frank

Frankster

BTW: _please_ learn to quote! Thank you! The opposite is true; he referenced a special product.

More weak: to answer here, a quoting of what you're referencing would help.

Yours, VB.

Volker Birk

Not if they're doing anything more interesting like Intrusion Prevention or Gateway AntiVirus. Simple port filtering can often be done at those rates, but I think if you check the specs, you'll be surprised how many of them are *not* capable of 100Mbps of firewall throughput, even if they do have 100Mbps interfaces.

Why don't you cite us some examples of your sub-$1000 firewall that can do 100Mbps of firewall throughput?

-Russ.

Somebody.

I hate to say this, but many firewalls, not those cheap NAT routers, will easily do 100Mbps between jacks on the firewall while protecting the network.

Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.