Solved

True DMZ configuration

Posted on 2003-11-21
Last Modified: 2012-08-13
Goal: To set up a true DMZ using a packet-filtering boundary router and an actual firewall/VPN. This is not a service-leg configuration.

Question: I am unsure about the network configuration of the DMZ network. I have 4 public IPs at my disposal. It is my understanding that in this configuration I will have a completely separate network as the DMZ. I know that I can have a private DMZ with mapped IPs for services or I can have a public DMZ. What I really need is diagrams showing the interface configurations of the boundary router and firewall. Or if someone could fill in the question marks below that might help. The boundary router is a Netopia R9100 and the firewall is a NetScreen 5GT.

Boundary Router

External Interface
IP: XX.95.87.82
Mask: 255.255.255.248
Gateway:  XX.95.87.81
Internal Interface
IP: ?.?.?.?
Mask: 255.255.255.0

Firewall/VPN

External Interface
IP: ?.?.?.?
Mask:255.255.255.0
Gateway: ?.?.?.?
Internal Interface
IP: 192.168.1.1
Mask: 255.255.255.0
Question by:donnatronious
15 Comments
 
LVL 4

Accepted Solution

by:
ferg-o earned 300 total points
ID: 9808974

I can't post diagrams here but this will do the job you are after:

Router:
External Interface
IP: XX.95.87.82
Mask: 255.255.255.252
Gateway:  XX.95.87.81
Internal Interface
IP: XX.95.87.83
Mask: 255.255.255.252

Firewall/VPN
External Interface
IP: XX.95.87.84
Mask:255.255.255.252
Gateway: XX.95.87.83

Hope this helps - regards...




 
LVL 33

Expert Comment

by:MikeKane
ID: 9818061
A DMZ can be set up in different ways depending upon what services you need to deliver.

A few questions,

1) Why does your router have public IPs for both internal and external? Is it managed by you or the ISP?

2) Does the  netscreen allow you to create  multiple interfaces like a 3 pronged firewall? I am not familiar with the netscreen product, but the theory is the same.  

3)  What services do you want in the DMZ?  



If your IPs on the router can't change then the diagram from ferg-o is correct. Your firewall/VPN can now redirect ports to internal servers.
 

Author Comment

by:donnatronious
ID: 9819308
MikeKane

Its like this,

Internet Cloud
ISP router managed by them:  IP is 67.95.87.81 Mask 255.255.255.248 I have 82 through 86 for my use.
Netopia/Stateful Inspection Firewall:
Netscreen Application Firewall/VPN
Internal Private Network

1)  NAT will be performed by the Netscreen.  So I assume DMZ will be public.  I can't have double NAT right?
2)  I don't want a 3 pronged or so called "service leg" firewall.  I want a true double firewall DMZ.
3)  Services in the DMZ will be the VPN on the Netscreen and a possible bastion host webserver at a later date.

More questions.  
1)  Referring to the proposed configuration by ferg-o, I didn't think that a router's internal and external interface could be on the same network?
2)  I guess the above configuration would leave me 2 IPs to put other services on in the network: .85 and .86.
3)  Is it true that I could define 64 other subnets on the boundary router with 2 hosts each?
 

Author Comment

by:donnatronious
ID: 9819319
Both you guys are a lot of help.  It looks like I will soon be splitting points.
 
LVL 33

Expert Comment

by:MikeKane
ID: 9819358
BTW, Donnatronious, go and collect your points from an open question I had for you. Check my open question status and you'll see your points.

 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 200 total points
ID: 9819462
If the router is managed by the ISP, then I wouldn't go asking them to mess with it; I find that with my local ISPs, they tend to cause more problems when I ask them to do anything. But that's your call based on your relationship with them.

It is odd that the router would use the same subnet on both segments unless you are subnetting.  

The usual setup is this:

INTERNET CLOUD
|
Router
Internal .81
|
External .82
Firewall
Internal 192.168.1.1

The firewall could assign statics to internal services for specific IPs, or use port forwarding to spread one IP's services among multiple internal hosts.

Keep .83 for PATing so internal users can get out; that leaves .84, .85 and .86 for your use.
 

Author Comment

by:donnatronious
ID: 9819863
MikeKane

I don't understand why you are giving me points?
 
LVL 33

Expert Comment

by:MikeKane
ID: 9819899
That was from like 8 months ago. It was an assist from an old question, and I felt that the author should have split points. Look at the date, it was back in June.
 
LVL 4

Expert Comment

by:ferg-o
ID: 9822120
donnatronious - when I split the subnet from 255.255.255.248 to 255.255.255.252 I put the addresses into different subnets.

I have had to do this a lot in the past doing firewall installations and I can vouch that it works - with layer 7 firewalls sometimes clients like to use valid IPs on their DMZs as NAT doesn't necessarily enhance security.

I agree with MikeKane though that if it is not your router that is the route of last resort then best not to mess with it - do as he says and keep the addresses in your external net - you waste them by splitting the subnet - as such:

netmask:    255.255.255.248
network:    xxx.95.87.80 (theoretically unusable...)
usable:      xxx.95.87.81-86
broadcast: xxx.95.87.87 (unusable)

netmask:    255.255.255.252
network:    xxx.95.87.80 (theoretically unusable...)
usable:      xxx.95.87.81-82
broadcast: xxx.95.87.83 (unusable)

netmask:    255.255.255.252
network:    xxx.95.87.84 (theoretically unusable...)
usable:      xxx.95.87.85-86
broadcast: xxx.95.87.87 (unusable)

You lose two usable addresses, .83 & .84 in the split.

To answer your question 3 - yes you could if you had the whole 24 bit range and another router of your own that you control. The netscreen can also perform this function.

This is what ISPs tend to do here in Hong Kong - they give you one usable address with a 30 bit (255.255.255.252) mask - the other usable is taken up by their managed router and becomes the route of last resort. In order to do this they need to have their border routers and DSLAMs configured with network routes (or a routing protocol like RIP) so that traffic running through their networks knows where to be directed.

To be honest with you there are a thousand different ways to set up perimeter networks - it really depends on what you want to achieve. From the above information I think it is easier for you to go with MikeKane's recommendation. Should you decide down the track that you need more external addresses (for web servers etc - which *should* be on a service leg of the NS) then you can ask your ISP to widen your range and the reconfiguration of the netscreen involves only an alteration to the subnet mask.

Big answer first thing in the morning - hope this clears things up for you...




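The subnet arithmetic behind ferg-o's tables above, and behind donnatronious's question 3 about carving a /24 into two-host subnets, can be checked rather than worked by hand. The following is an added example, not code from the thread or from either vendor; it uses the standard-library `ipaddress` module, the addresses are constructed from the RFC 5737 documentation range 203.0.113.0/24 as a stand-in for the thread's xxx.95.87.80/29, and the function names (`describe`, `split_cost`, `check_interface`) are this example's own. `check_interface` is the sanity check a practitioner runs over every proposed interface/gateway pair before committing an address plan: it flags an address that is the network or broadcast address of its subnet, and a gateway that does not sit inside the interface's subnet.

```python
"""Subnet arithmetic for the /29 -> two /30 split discussed above.

Added example, not code from the thread. Addresses are constructed from the
RFC 5737 documentation range 203.0.113.0/24 and stand in for the thread's
xxx.95.87.80/29; the function names are this example's own.
"""
import ipaddress
from typing import Dict, List


def describe(cidr: str) -> Dict[str, object]:
    """Network, usable host range and broadcast address of one subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # excludes network and broadcast for /30 and shorter
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "usable_first": str(hosts[0]),
        "usable_last": str(hosts[-1]),
        "usable_count": len(hosts),
        "broadcast": str(net.broadcast_address),
    }


def split_cost(cidr: str, new_prefix: int) -> Dict[str, object]:
    """Split a block into equal subnets and report which host addresses
    become unusable (each child needs its own network and broadcast)."""
    parent = ipaddress.ip_network(cidr, strict=False)
    children = list(parent.subnets(new_prefix=new_prefix))
    before = set(parent.hosts())
    after = set()
    for child in children:
        after.update(child.hosts())
    return {
        "children": [str(c) for c in children],
        "usable_before": len(before),
        "usable_after": len(after),
        "lost": [str(a) for a in sorted(before - after)],
    }


def check_interface(ip: str, prefixlen: int, gateway: str) -> List[str]:
    """Pre-commit checks for one interface: the address must be a usable host
    of its subnet and the gateway must lie inside that same subnet."""
    problems = []
    iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
    net = iface.network
    if iface.ip == net.network_address:
        problems.append(f"{ip} is the network address of {net}")
    if iface.ip == net.broadcast_address:
        problems.append(f"{ip} is the broadcast address of {net}")
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(f"gateway {gateway} is not inside {net}")
    elif gw == iface.ip:
        problems.append("gateway must not be the interface's own address")
    return problems


if __name__ == "__main__":
    # The /29 as delegated, then the cost of splitting it into two /30s.
    print(describe("203.0.113.80/29"))
    print(split_cost("203.0.113.80/29", 30))
    # Question 3 above: how many two-host subnets fit in a /24?
    print(len(split_cost("203.0.113.0/24", 30)["children"]))
    # A valid pair and an invalid one (broadcast address used as a host).
    print(check_interface("203.0.113.82", 30, "203.0.113.81"))
    print(check_interface("203.0.113.83", 30, "203.0.113.82"))
```

Run it as-is and compare the `lost` list with the ".83 & .84" ferg-o gives: those two addresses are the broadcast of the low /30 and the network of the high /30. The /24 case yields 64 children with 128 usable hosts in total, which is the "64 subnets with 2 hosts each" figure from question 3.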
 
LVL 55

Expert Comment

by:andyalder
ID: 9868832
Have you done the first step of asking the ISP to cut the subnet into two for you? Not that you need them to tell you how to subnet but if you don't ask them to change the mask on their router and add a route to the other half of your subnet it ain't going to work.
 

Author Comment

by:donnatronious
ID: 9870346
Is andyalder correct?
 
LVL 55

Expert Comment

by:andyalder
ID: 9870638
>> Is andyalder correct?

Only if I guess your topology correctly.

If you split your netblock in half and don't tell the upstream router, it will broadcast an ARP discovery packet to find the IP address on the local network rather than relaying it on to the next-hop router.
 
LVL 4

Expert Comment

by:ferg-o
ID: 9872629

Umm - not really mate. All the ISP needs is a route configured to the network. If it is a 29-bit mask and you split it into two 30-bit ones, IP packets to either network will still go to your perimeter router. What it does with them from there is entirely up to you...

Whether or not this can be classified as good Internet etiquette is another thing entirely.
 
LVL 55

Expert Comment

by:andyalder
ID: 9873391
>>ISP router managed by them:  IP is 67.95.87.81 Mask 255.255.255.248

If you don't change the mask on *that* router how is it going to work? I'm guessing your topology is as below (paste to notepad to get monospaced font). If that is how you are trying to do it you have the ISP's router with /29 mask connected to your router with a /30 mask.


ISP----------ISP router on site----------nettopia------------netscreen-----------internal hosts
???----------??---------------/29----------/30---/30-----------/30-----/24-----------/24
--------------------------------------net1----------------DMZ--------------------LAN---------------------
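The disagreement between andyalder (the upstream router will ARP for the far half of the block) and ferg-o (all the ISP needs is a route) comes down to a longest-prefix-match decision on the ISP's on-site router, and that decision can be modelled directly. The following is an added example, not code from the thread or from either vendor: it builds a small routing table from connected subnets and static routes, then shows what the router does with a packet for an address in the far /30 under three configurations: the /29 left untouched with no extra route (the case andyalder describes), the /29 left untouched plus a /30 route via the customer router (the case ferg-o describes), and the mask narrowed to /30 with no route for the other half. Addresses are constructed from the RFC 5737 documentation ranges and stand in for the thread's xxx.95.87.x; `Route`, `build_table` and `decide` are this example's own names.

```python
"""Longest-prefix forwarding decision on the ISP's on-site router.

Added example, not code from the thread. Whether a packet for the far half of
a split /29 is ARPed for locally or forwarded to the customer router depends
only on the routes the upstream router holds. Addresses are constructed from
the RFC 5737 documentation ranges; names are this example's own.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None means directly connected
    iface: str


def build_table(connected: List[Tuple[str, str]],
                static: List[Tuple[str, str]]) -> List[Route]:
    """connected: (iface, address/prefix) pairs; static: (prefix, gateway) pairs.
    A static route's exit interface is the connected subnet holding its gateway."""
    table = [Route(ipaddress.ip_interface(cidr).network, None, iface)
             for iface, cidr in connected]
    for cidr, gw in static:
        gw_ip = ipaddress.ip_address(gw)
        exit_iface = next((r.iface for r in table
                           if r.via is None and gw_ip in r.prefix), None)
        if exit_iface is None:
            raise ValueError(f"gateway {gw} is not on any connected subnet")
        table.append(Route(ipaddress.ip_network(cidr), gw_ip, exit_iface))
    return table


def decide(dest: str, table: List[Route]) -> Dict[str, str]:
    """Longest-prefix match. Returns what the router does with the packet:
    'arp' (destination treated as on-link, ARP for it), 'forward' (hand it to
    a next hop) or 'drop' (no matching route)."""
    d = ipaddress.ip_address(dest)
    best: Optional[Route] = None
    for r in table:
        if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        return {"action": "drop", "target": "", "iface": ""}
    if best.via is None:
        return {"action": "arp", "target": dest, "iface": best.iface}
    return {"action": "forward", "target": str(best.via), "iface": best.iface}


# Constructed scenarios (not from the thread). The ISP router keeps .81/29 on
# the customer-facing interface and has only a default route upstream.
ISP_NO_ROUTE = build_table(
    connected=[("wan", "192.0.2.2/30"), ("lan", "203.0.113.81/29")],
    static=[("0.0.0.0/0", "192.0.2.1")])

# Same router after the ISP adds a route for the far /30 via the customer router.
ISP_WITH_ROUTE = build_table(
    connected=[("wan", "192.0.2.2/30"), ("lan", "203.0.113.81/29")],
    static=[("0.0.0.0/0", "192.0.2.1"), ("203.0.113.84/30", "203.0.113.82")])

# Mask narrowed to /30 but no route added for the other half of the block.
ISP_NARROW_NO_ROUTE = build_table(
    connected=[("wan", "192.0.2.2/30"), ("lan", "203.0.113.81/30")],
    static=[("0.0.0.0/0", "192.0.2.1")])


if __name__ == "__main__":
    for name, table in [("untouched /29, no route", ISP_NO_ROUTE),
                        ("untouched /29, /30 route added", ISP_WITH_ROUTE),
                        ("narrowed to /30, no route", ISP_NARROW_NO_ROUTE)]:
        print(f"{name}: {decide('203.0.113.85', table)}")
```

With the /29 untouched and no route, a packet for .85 matches the connected /29 and the router ARPs for it on the customer segment, where nothing answers if .85 actually lives behind the Netopia. Adding the /30 route makes the longer prefix win, so the same packet is forwarded to .82. Narrowing the mask without adding the route is the failure andyalder warns about: .85 no longer matches anything but the default route and is sent back upstream.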
 
LVL 55

Expert Comment

by:andyalder
ID: 10176723
How did you get it to work in a routing configuration without getting the mask changed on the ISP maintained router on your network or the mask on your router and forwarding the rest on via inbound NAT?
