Re: Multiple nics on inside of DMZ
On Thu, Nov 14, 2002 at 01:55:59PM -0600, Miller, Jeff - x3328 wrote:
> I'm currently learning my way through a Netfilter book and need to design a
> firewall with a DMZ. It basically involves two multihomed firewalls: one
> connected to the LAN, the other to the router, with a DMZ in the middle.
> Pretty standard.
yup. Not by chance "Building Internet Firewalls"? That's a damn good
> A weird addition I came up with involves having several nics on the 'DMZ
> side' of either firewall. All machines within the DMZ would be multihomed,
> with two point-to-point networks (255.255.255.252 subnet) connecting it to
> both firewalls. I figured this was more secure; if a machine in the DMZ got
> owned, all the other machines are on they're own network and much harder to
> get to from the owned machine. If everything in the DMZ was simply connected
> by switch, I don't think it'd take long for a good hacker to discover and
> mess with the other machines as well (especially w/o the firewall to protect
That's why you not only have packet filters on the routers but also
on each of the bastion hosts inside the DMZ.
By doing this you prevent the bastion hosts from messing with each
other, the routers from messing with the bastion hosts and so on...
Lots of packet filters, but definitely worth the work ;-)
> Although I'm new to netfilter I haven't found anything that will keep this
> idea from working. However it is a lot of setup, and I've never really heard
> of anyone doing this before (except maybe on small firewalls where the DMZ
> is a single port on a lone firewall). Further complicating things is the
> fact that there will be around a dozen machines in the DMZ, requiring
> multiple quad NIC's. Any feedback on this crazy approach would be
> appreciated, thanks!
The lone-port-DMZ is what we had before - and we have found that a
proper DMZ with two Routers connected to it results in more packet
filters that need to be configured, but making each of them quite
The approach of a DMZ for each bastion host is - as you said - quite
NIC-consuming and only interesting if you really expect one of the
bastion hosts to be compromised and have unencrypted data exchanged
with another bastion host that justifies the effort.
,``o. OpenBSD - Debian GNU/Linux - Solaris >o)
>( ,c@ GPG 1024D/913C2F81 2000-10-11 Arne P. Boettger <email@example.com> /\\
',,,' Fingerprint = 6ED9 9A64 CD8A EB6F D841 0391 2F08 8F86 913C 2F81 _\_V