RE: Multiple nics on inside of DMZ
Thanks for all the replies!
The book is "Linux Firewalls-2nd ed". With iptables!
Someone else had mentioned host-based firewalls too. Thing is most of the
machines in the DMZ are Windows based, many with IIS. I'm not getting into
details since I don't want a big windows-linux war, but simply put I'm going
to concentrate on securing the DMZ. Plus the IIS servers are not my
responsibility and I'd rather not touch them.
Yet at that, I planned on running filter policies on the few Debian
inter-dmz hosts anyway.
From: Arne P. Boettger [mailto:firstname.lastname@example.org]
Sent: Thursday, November 14, 2002 4:16 PM
Subject: Re: Multiple nics on inside of DMZ
On Thu, Nov 14, 2002 at 01:55:59PM -0600, Miller, Jeff - x3328 wrote:
> I'm currently learning my way through a Netfilter book and need to
> design a firewall with a DMZ. It basically involves two multihomed
> firewalls: one connected to the LAN, the other to the router, with a
> DMZ in the middle. Pretty standard.
Yup. Not by chance "Building Internet Firewalls"? That's a damn good book...
> A weird addition I came up with involves having several nics on the
> 'DMZ side' of either firewall. All machines within the DMZ would be
> multihomed, with two point-to-point networks (255.255.255.252 subnet)
> connecting it to both firewalls. I figured this was more secure; if a
> machine in the DMZ got owned, all the other machines are on their
> own network and much harder to get to from the owned machine. If
> everything in the DMZ was simply connected by switch, I don't think
> it'd take long for a good hacker to discover and mess with the other
> machines as well (especially w/o the firewall to protect them).
That's why you not only have packet filters on the routers but also on each
of the bastion hosts inside the DMZ. By doing this you prevent the bastion
hosts from messing with each other, the routers from messing with the
bastion hosts and so on...
Lots of packet filters, but definitely worth the work ;-)
> Although I'm new to netfilter I haven't found anything that will keep
> this idea from working. However it is a lot of setup, and I've never
> really heard of anyone doing this before (except maybe on small
> firewalls where the DMZ is a single port on a lone firewall). Further
> complicating things is the fact that there will be around a dozen
> machines in the DMZ, requiring multiple quad NICs. Any feedback on
> this crazy approach would be appreciated, thanks!
The lone-port-DMZ is what we had before - and we have found that a proper
DMZ with two Routers connected to it results in more packet filters that
need to be configured, but makes each of them quite intuitive.
The approach of a DMZ for each bastion host is - as you said - quite
NIC-consuming and only interesting if you really expect one of the bastion
hosts to be compromised and have unencrypted data exchanged with another
bastion host that justifies the effort.
,``o. OpenBSD - Debian GNU/Linux - Solaris >o)
>( ,c@ GPG 1024D/913C2F81 2000-10-11 Arne P. Boettger <email@example.com>
',,,' Fingerprint = 6ED9 9A64 CD8A EB6F D841 0391 2F08 8F86 913C 2F81 _\_V
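
The per-host packet filter suggested in the thread (a filter on each bastion host so that DMZ machines cannot reach each other over the shared switch), as an added example that is not part of the original messages. The DMZ subnet and the function names are assumptions made for illustration; the script only prints an iptables-restore ruleset for a Debian DMZ host.

```shell
#!/bin/sh
# Added example. The address below is constructed (RFC 5737 documentation
# range), not taken from the thread.
DMZ_NET="192.0.2.0/24"   # assumed shared, switched DMZ segment

# valid_port PORT: succeed only for an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null
}

# bastion_rules PORT...: print an iptables-restore ruleset for one DMZ host
# that offers the given TCP ports to clients routed in through the firewalls.
bastion_rules() {
    [ "$#" -ge 1 ] || { echo "usage: bastion_rules PORT..." >&2; return 1; }
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections that were already allowed.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything sourced inside the DMZ (peers, and the firewalls' own addresses)
# may not open new connections here. Log it first: a hit means lateral probing.
-A INPUT -s $DMZ_NET -m conntrack --ctstate NEW -j LOG --log-prefix "dmz-peer: "
-A INPUT -s $DMZ_NET -m conntrack --ctstate NEW -j DROP
EOF
    # Published services, reachable only by traffic routed in from outside the DMZ.
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}
# Usage on the host: bastion_rules 80 443 | iptables-restore --test
```

The OUTPUT policy of DROP with only established traffic allowed means the host cannot initiate connections to its DMZ neighbours either; any outbound need (DNS, mail relay) has to be added as an explicit rule.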