Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

DMZ Basics (revised)...

Ok, the term 'DMZ' gets thrown around pretty lightly at times so I am going to put down what I believe to be the basic concept and let people add to it as they see fit.

This was originally a response to a DMZ related thread in the Networking forum, but I thought it was decent enough to post here on its own. Hope I was right.

First of all, the name comes from the hostile border between two countries (e.g. North and South Korea) and in the computer world is a separate network that is more trusted than the Internet, but less trusted than the internal LAN. In short, it is a buffer zone between the Internet and your private LAN. (Note: Microsoft calls this a 'Screened Subnet') Many SOHO router vendors have taken to using the term 'DMZ' as a way to sell their products. In fact, those products are simply bypassing their filters and NAT protection when they set up a 'DMZ' and forwarding all traffic to a 'default host'. This should not be confused with a true DMZ.

said by phriday613:
--------------------------------------------------------------------------------
DMZ stands for De Militarized Zone.. it is used with firewalls..

you use 3 network cards..

1 for the incoming WAN (gets your ip address from the Broadband company through whatever means PPPoE, PPPoA, etc).

1 for the internal network, using NAT for the unroutable IP addresses like 192.168.0.1+ or 10.0.0.1+ (this is where you can plug a switch or hub into it for multiple computers)

1 for the DMZ (this is where you put your webservers, ftp servers, mail servers, game servers, etc) it's like an outside place, but sorta inside too.. Made to be secure, not allowing people to hack into your internal LAN, but able to view webpages, get files, etc.
--------------------------------------------------------------------------------

This is one method of creating a DMZ, but it is not the preferred method. This configuration allows the security of all three networks to lie in one system. If your machine that has all three of those NICs in it is compromised, so is your DMZ and your private network. Basically, you are allowing the Internet to 'touch' the very same machine that determines how secure your internal LAN is, and this is not a good thing.

A better way to do this is with three separate networks. The way this is accomplished is with two 'firewall' devices - one on the border of your WAN, and one on the border of your internal network. Let us say that you have a broadband router and a Checkpoint firewall. You would put your router on your border (right behind your modem), and you connect the LAN side of that router to a hub or switch. To that hub or switch (your DMZ hub/switch) you use one of the ports to connect your bastion host/public server. This is the machine that is running the service that you want people to be able to connect to from the outside. This may be a website, an FTP server, or a multiplayer game like WCIII or Counterstrike. You want this machine to be hardened to some degree, meaning that it is all the way patched and is not running anything that is vulnerable (although the border device affords it some protection via NAT). As a general rule though, you want anything put in the DMZ to be resistant to attacks from the Internet since public access is the reason that you are putting it out there in the first place.

Now, to that same switch you are going to attach another network cable that goes to your Checkpoint firewall. Your firewall (this is going to be the better of the two firewalls that you have, so if you have a Checkpoint and a Netgear you should use the Netgear on the border and the Checkpoint box on this one) is going to have two NICs in it - one for the DMZ side and one for the private LAN side. Connect the cable to the DMZ side of the internal firewall, and on the other side of the firewall (the private LAN side) you connect a cable to another hub/switch that all of your LAN computers will connect to.

If that was confusing, think of it this way:

------------
Internet to Modem
Modem to Router
Router to DMZ Hub/Switch
DMZ Switch to WEB/FTP/Game Server
...and...
DMZ Switch to Firewall External NIC
Firewall Internal NIC to Internal Hub/Switch
Internal Hub/Switch to Internal Systems

------------

What this does is allow you to completely segment your network in terms of trust. You can initiate connections to the DMZ and to the Internet, but neither of those two networks can initiate them to you. So unless you start a web or FTP session to your DMZ, no traffic from that network is allowed onto yours. The same goes for the Internet. This is accomplished via yet another layer of NAT and more importantly, SPI. Essentially, you are saying that you don't trust those two networks, and they are considered completely separate from your internal LAN.

What does this get you? Why do it? Because if someone is able to compromise your webserver (let's say it was IIS and it got rooted because it wasn't patched) they can't do much from the DMZ. You don't trust anything in it as far as you can throw it, so when they think that they just scored big by getting one machine so they can branch out to another, they are actually out of luck because they are on an untrusted network that is outside of your real firewall.

This is a DMZ.

The power is further extended by the fact that you can use NAT on your border device to pass only the ports needed into your DMZ. So if you are only running a web server then you only pass TCP 80 to your DMZ machine running that daemon; all other connection requests are stopped dead at the border router/firewall.

------------

So, imagine someone is scanning you from the Internet when you have this configuration. They use whatever program and find port 80 open. Most kiddies would assume that you are running something on your public IP address, like you have your main browsing client sitting right on the Internet and it is running a web daemon. So, they connect to it and get a web page and then scurry to dig up their favorite http exploit tool that someone else wrote. What they don't know is that they are connecting to a private IP in your DMZ. It has no real IP address as far as the Internet is concerned. If you don't pass that port at the border router then they won't see anything at all when they scan you. Now, if they run a working exploit and get root on your webserver they are going to jump for joy; the thing is, they have little to celebrate about. All they have is a barebones server that has very little on it. No vital info, no browsing history, no personal information at all. In fact, all you have on there is maybe your web or ftp directory which is safely backed up and saved on your internal network and/or on CD. So they ping around on your DMZ and find that there isn't anything there. (Your internal firewall doesn't even respond to ICMP, so they can't do much at all) If they are smart they will do an ifconfig or ipconfig and find out they are on a private subnet, but this gains them nothing. It is important to mention here that using a switch in the DMZ is preferable to a hub since a standard sniffer can be used to watch all traffic entering and exiting your WAN gateway. Normally, they could just use an ARP poisoning technique and sniff across the switch, but in this case they have no host to poison because your internal firewall won't pass the malicious ARP replies to the machines behind it. Anyway, from there the attacker will either leave or destroy the system, which is fine with you since you needed to redo that box anyway.

You simply reinstall your DMZ machine and unzip your web or ftp info/data into the right place and BAM!, you've got a brand new DMZ system with no danger to your private network at any point during the process.

Be sure to patch this time.
--
"Opportunities multiply as they are seized." - Sun Tzu

[text was edited by author 2002-07-12 04:33:57]
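Added example (not code from Daniel's post or from anyone else in this thread): a small Python model of the back-to-back layout described above, with a stateful filter plus port-forwarding NAT on the border and a second stateful firewall between the DMZ and the LAN, replaying the scan-and-pivot story against it, and contrasting it with the SOHO router "DMZ host" (default NAT host) mentioned in the first paragraph. The addresses (203.0.113.10, 192.168.10.0/24, 192.168.1.0/24), the hosts, and the port choices are all constructed assumptions.

```python
# Added example, not from the thread; every address, port and rule below is assumed.
from dataclasses import dataclass, replace
import ipaddress

PUBLIC_IP = "203.0.113.10"                      # border router, WAN side (assumed)
DMZ_NET = ipaddress.ip_network("192.168.10.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WEB_SERVER = "192.168.10.80"                    # bastion host in the DMZ
INNER_FW_DMZ_IF = "192.168.10.1"                # internal firewall, DMZ-side NIC
LAN_PC = "192.168.1.50"
ATTACKER = "198.51.100.7"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0

def zone(ip):
    a = ipaddress.ip_address(ip)
    return "dmz" if a in DMZ_NET else "lan" if a in LAN_NET else "internet"

class StatefulFirewall:
    """Minimal SPI: a flow passes the NEW policy once, then either direction is ESTABLISHED."""
    def __init__(self, own_ips, new_policy, dnat=None):
        self.own_ips = set(own_ips)
        self.new_policy = new_policy    # callable(Packet) -> bool, NEW flows only
        self.dnat = dnat or {}          # (dst, proto, dport) -> inside host
        self.flows = set()              # (src, dst, proto, sport, dport)

    def filter(self, pkt):
        target = self.dnat.get((pkt.dst, pkt.proto, pkt.dport))
        if target:                                  # publish one port inward
            pkt = replace(pkt, dst=target)
        if pkt.dst in self.own_ips:                 # nothing listens on the box, not even ICMP
            return "DROP", pkt
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if fwd in self.flows or rev in self.flows:  # continuation or reply of a known flow
            return "ACCEPT", pkt
        if self.new_policy(pkt):
            self.flows.add(fwd)
            return "ACCEPT", pkt
        return "DROP", pkt

def back_to_back():
    """Border router on the WAN edge, a second firewall between DMZ and LAN."""
    border = StatefulFirewall(
        own_ips={PUBLIC_IP, "192.168.10.254"},
        dnat={(PUBLIC_IP, "tcp", 80): WEB_SERVER},         # only TCP 80 is passed in
        new_policy=lambda p: zone(p.src) != "internet"
        or (p.dst == WEB_SERVER and p.proto == "tcp" and p.dport == 80))
    inner = StatefulFirewall(
        own_ips={INNER_FW_DMZ_IF, "192.168.1.1"},
        new_policy=lambda p: zone(p.src) == "lan")         # only the LAN may initiate
    return border, inner

def route(border, inner, pkt):
    s, d = zone(pkt.src), zone(pkt.dst)    # devices crossed, in order, back-to-back layout
    if s == "internet":
        return [border]
    if s == "lan":
        return [inner] + ([border] if d == "internet" else [])
    if d == "lan" or pkt.dst in inner.own_ips:             # s == "dmz"
        return [inner]
    return [border] if d == "internet" else []             # DMZ to DMZ: same switch, no filter

def send(devices, pkt):
    for dev in devices:
        verdict, pkt = dev.filter(pkt)
        if verdict == "DROP":
            return "DROP"
    return "ACCEPT"

def scenarios():
    """The attacker story from the post, replayed against the model."""
    border, inner = back_to_back()
    run = lambda pkt: send(route(border, inner, pkt), pkt)
    return {
        "scan_80": run(Packet(ATTACKER, PUBLIC_IP, "tcp", 40000, 80)),
        "scan_22": run(Packet(ATTACKER, PUBLIC_IP, "tcp", 40001, 22)),
        "web_reply": run(Packet(WEB_SERVER, ATTACKER, "tcp", 80, 40000)),
        # rooted web server tries to pivot into the LAN, then pings the inner firewall
        "pivot_smb": run(Packet(WEB_SERVER, LAN_PC, "tcp", 50000, 445)),
        "ping_inner_fw": run(Packet(WEB_SERVER, INNER_FW_DMZ_IF, "icmp")),
        # LAN user opens FTP to the DMZ box: replies pass, but the server's own
        # active-mode data connection is a NEW flow toward the LAN and is dropped
        "lan_ftp": run(Packet(LAN_PC, WEB_SERVER, "tcp", 51000, 21)),
        "ftp_reply": run(Packet(WEB_SERVER, LAN_PC, "tcp", 21, 51000)),
        "ftp_active_data": run(Packet(WEB_SERVER, LAN_PC, "tcp", 20, 51001)),
    }

def soho_dmz_host():
    """Router 'DMZ host': unsolicited ports forwarded to one box that shares the LAN.
    A few ports stand in for 'everything'; a pivot from that box crosses no filter."""
    default_host = "192.168.1.80"
    router = StatefulFirewall(
        own_ips={PUBLIC_IP},
        dnat={(PUBLIC_IP, "tcp", p): default_host for p in (21, 22, 80, 445)},
        new_policy=lambda p: zone(p.src) != "internet" or p.dst == default_host)
    return {
        "inbound_22": send([router], Packet(ATTACKER, PUBLIC_IP, "tcp", 40002, 22)),
        "pivot_smb": send([], Packet(default_host, LAN_PC, "tcp", 50000, 445)),
    }
```

Running `scenarios()` gives ACCEPT only for the published port 80, for the web server's reply on that flow, and for the LAN-initiated FTP session and its replies; the scan of port 22, the SMB pivot from the rooted web server, the ping of the internal firewall and the server's active-mode FTP data connection are all dropped. The last one is the practical caveat: a pure stateful filter between DMZ and LAN breaks active FTP unless clients use passive mode or the firewall runs an FTP connection-tracking helper. `soho_dmz_host()` shows the contrast: port 22 reaches the default host and the pivot to another LAN machine crosses no filter at all. The model does not rewrite the source address of outbound replies back to the public IP, and it applies no filter between two hosts on the same DMZ switch, which is why the border router's inside interface is reachable from the bastion host.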


phriday613
Your Avatar Is Nice... For Me To Poop On
Premium
join:2002-02-06
Eastchester, NY

Re: DMZ Basics...

Thanks for the clarification!!

I understand it a lot better now that I've had help.


RClarkofNC
Premium
join:2000-09-20
Charlotte, NC

reply to Daniel
This is one for the FAQ.



BuggSpy
Pet Me
Premium
join:2001-01-24
Canada

reply to Daniel
Always wondered about DMZ. Thanks for clearing up the mystery.
--
"Veni, Vidi, Velcro"(I came; I saw; I stuck around.)



seaman
Premium
join:2000-12-08
Seattle, WA

reply to Daniel
This is a great post. Thanks for taking the time to spell it out. I am going to save this and definitely give it a whirl. Would be great to have a secure ftp up for useful stuff.



broadbandit
Premium
join:2000-07-21
Morrisville, PA

reply to Daniel
This is excellent!! Thank you very much..


LowWaterMark
Premium
join:2002-05-16
Wallingford, CT

reply to Daniel
Very nicely outlined and explained!!

For the benefit of the FAQ, you might want to explain why it's better to use a switch rather than a hub as the network interconnect device (for its VLAN protection properties). No sense going to all the trouble and expense of this design and reducing its security by letting the hacker sniff the wire with just a hub in place, seeing all the other traffic that's passing between networks, and through that mapping the systems and services running on the inside.
--
- LowWaterMark



Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

reply to Daniel
This is true, but there were other issues that I didn't mention also. I didn't mention the fact that you could get to the internal interface on the router from the DMZ machine either, but that is why I called it 'DMZ Basics', and not the 'Comprehensive Guide' or something along those lines.

I thought it was long-winded as it was; I didn't want to add anything else.

--------------------

Thanks for the input though; that is a very valid point.


--
"Opportunities multiply as they are seized." - Sun Tzu



SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA

Don't forget the "popular, but incorrect" use of the term DMZ (linksys, etc.) to describe a default NAT server. These have nothing to do with a real DMZ, because the exposed computer freely shares the network with the rest of the LAN. A compromised server thus exposes the entire LAN to an attack.

It is really unfortunate how the true meaning of these networking terms is being diluted as marketing buzzwords.
--
Where in the world is LA/OC ?



Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

said by SYNACK:
It is really unfortunate how the true meaning of these networking terms is being diluted as marketing buzzwords.
Indeed, once the marketing guys at these companies determine that a particular term is a selling point they waste no time in finding a way to stamp it all over their products.

Some of the casualties:

firewall
SPI
DMZ

and let's not forget...

secure (:))
--
"Opportunities multiply as they are seized." - Sun Tzu


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

reply to Daniel
daniel, I gave you a thumbs-up for your enlightening post!! :)



poiwv

join:2002-06-07
Belington, WV

Not quite the best time to read and understand all of this post, but I am definitely saving it and thumbs up too...



Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

reply to Daniel

Making improvements...

Ok, I revised the original post to include the suggestions that a couple of you offered. I added SYNACK's comment about the fact that many companies misuse the term 'DMZ', and I added LowWaterMark's suggestion that a switch be used in the DMZ to keep a would-be attacker from monitoring all traffic to and from the Internet.

Thanks for making it better. I think it may be FAQ-worthy now.


--
"Opportunities multiply as they are seized." - Sun Tzu


broadbandit
Premium
join:2000-07-21
Morrisville, PA

I like the firewall Avatar

BTW, I also gave you a thumbs up earlier for the great, soon-to-be FAQ..



Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

said by broadbandit:
BTW, I also gave you a thumbs up earlier for the great, soon-to-be FAQ.
Thanks, man.
--
"Opportunities multiply as they are seized." - Sun Tzu


imp$
Mxyzptlk
Premium
join:2002-04-05
imp@dslr.net

reply to Daniel

Re: DMZ Basics (revised)...

Here is a webcast from Microsoft explaining how to set up perimeter networks.

The information provided uses ISA server, but it goes into the basics of setting up a DMZ.

»support.microsoft.com/default.as···;Q324972


Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

said by tormented:
Here is a webcast from Microsoft explaining how to set up perimeter networks.

The information provided uses ISA server, but it goes into the basics of setting up a DMZ.
They may have a good presentation on DMZs, but I am a bit careful when I see security related material coming out of Microsoft. I played with ISA server a while back and it was horrid. It was just like Exchange - full of features and unstable as hell.

Perhaps their DMZ information will be better than their premier firewall product which paled in comparison to many freely downloadable Linux alternatives.
--
"Opportunities multiply as they are seized." - Sun Tzu


imp$
Mxyzptlk
Premium
join:2002-04-05
imp@dslr.net

said by danielrm26:
said by tormented:
Here is a webcast from Microsoft explaining how to set up perimeter networks.


The information provided uses ISA server, but it goes into the basics of setting up a DMZ.
They may have a good presentation on DMZs, but I am a bit careful when I see security related material coming out of Microsoft. I played with ISA server a while back and it was horrid. It was just like Exchange - full of features and unstable as hell.

Perhaps their DMZ information will be better than their premier firewall product which paled in comparison to many freely downloadable Linux alternatives.

I wasn't so much posting the link to promote ISA server as I was to promote the webcast, which gives visual representations of 3-homed and back-to-back perimeter networks.

As far as ISA, I have been testing it for about two months. It does have a number of features, and stability is an issue at times. My biggest concern is performance, which at the moment I would rate as mediocre. I still prefer the Cisco products.

I just started getting back into the Linux world within the last month or so and haven't had a moment to test security solutions. If you have any recommendations for firewall, proxy, or similar applications I would be interested in testing them.


borv
Onemhz On Aim

join:2000-10-06
Astoria, NY

reply to Daniel
This is one of the best DMZ explanations I have seen =]
--
B.S. Computer Science, CCNP, CCNA, CNA, CCSA, A+, Network+



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to Daniel
Looking gooooooood danielrm26!


over 12.5 years online © 1999-2012 dslreports.com.