DMZ vs Port Forwarding?

Posted on 2004-08-31
Last Modified: 2008-03-03
Hello experts,

We are preparing to install a web server (for public web pages accessible from the Internet and our Intranet) at our organization. I am curious as to where on our network this should be placed. At our main location we have a T1 which runs from the Telecomm router into our Firewall/VPN appliance. This appliance does not have a DMZ port, only public/private interfaces. My initial thought was to deploy this public web server behind our firewall and forward port 80 from our FW to the server. The second was to lock the server down with concrete and place it on the outside of the FW with a public IP (I don't like this), or finally building a Linux box with two NICs, one on the public side of the network and the other in a newly created DMZ zone. The first part of my question is which of these solutions is the best, if any? Please describe your setups...

The second part of my question is what is the advantage of using a DMZ over a simple port forward? If you are port forwarding to only ONE internal IP address, what is the danger of the traffic traversing your internal network? Does the concern come from the possibility of that one machine becoming compromised and then becoming a tool for future attacks internally?

Thanks!!  
Question by: akant74
7 Comments
Expert Comment by: Julian_C (LVL 3)
ID: 11950294
Well, if I were you I'd go for the DMZ option to keep your network safe should the web server be compromised. This allows you to create a zone for all of your current and future public-facing services. You have a network right behind the FW with the web server on it, and behind that you have another firewall for your LAN to sit behind. BUT personally, if you can go this far, I'd go a stage further. I really don't like just forwarding port 80 through to the web server. It is much better to put a proxy between the FW and the web server. In this way you can use the proxy to prevent all but the desired traffic from getting to the web server, as we all know that the web server is the most vulnerable point in the initial design. I've used ISA Server to publish web/FTP and email servers and it works very well. For a start, it only lets through traffic that arrives with the correct URL, so if someone scans your IP they'll not even see a web server (depending on how you set it up). IMO application proxies offer an excellent method to remove direct access to your public services.

Regards
Julian
Expert Comment by: lrmoore (LVL 79)
ID: 11952633
>Does the concern come from the possibility of that one machine becoming comproimised and then becoming a tool for furture attacks internally?
Absolutely. It does not take much effort to compromise a mis-configured web server. Once an intruder owns the server, if it is on your internal network, they own your whole network.

Best option would be a firewall with a 3rd DMZ interface. Deep packet inspection and intrusion detection capabilities of many firewalls provide a much needed extra layer of protection.

With your Linux firewall option, you might have issues with internal users trying to access the web site, but this would be a viable option if this is a stand-alone server. Your weakest link will be the low-end PC linux firewall.

Lock the server in concrete, place it on your internal LAN and forward port 80 from the firewall.

Only as a last resort, and only temporarily, would I ever put a webserver directly on the 'net without any firewall in front of it.
Expert Comment by: billwharton (LVL 11)
ID: 11957595
akant74

You already have strong networking and security concepts. It would have been a good idea to place the server on a 3rd DMZ interface for the reason you suggested, but since you don't have one, I see no point in building up a separate Linux firewall because both firewalls are doing the very same job.

Expert Comment by: PennGwyn (LVL 11)
ID: 11958515
billwharton is not quite correct.

The point of a third DMZ interface is that any traffic between the web server and the rest of the internal network has to go through the firewall (and be filtered).  I think the plan with the Linux firewall is another approach to achieving this same result -- if it isn't, it should be.

Port forwarding does not accomplish this.

Author Comment by: akant74
ID: 11958541
Thank you all for your input thus far! I appreciate the time and effort in your responses!

billwharton: If I was going to deploy the Linux solution, the new Linux firewall would sit outside of our current firewall and have one NIC with a public IP and another for a new DMZ zone. My thinking is I have two separate FWs, but even if they did get through my Linux machine to my web server (which would be dedicated to nothing but this task (and/or a reverse proxy using SQUID?)), they could then just kill my web server and have access to nothing else.

Expert Comment by: billwharton (LVL 11)
ID: 11959006
I misunderstood you the first time akant. I completely agree with your analysis.

Accepted Solution by: Julian_C (LVL 3), earned 250 total points
ID: 11963609
The architecture you describe, with the web server air-gapped from the rest of the network, is more secure than the proxy architecture I mentioned earlier and is good as long as you don't require any (much) access to the web server from the LAN or vice versa. Of course, if all you need to do is put new content on the server, then you can expose a secure FTP server on the web server that only allows connections that have come via the external IP on your LAN's FW. In this way new content comes from the LAN, out through FW1 and then back in through FW2. In larger organisations, where web content is often dynamically generated based on the state of various internal systems, it is simply not practical to air-gap the web server from the source systems. Even without proxies you can just sandwich your public-facing servers between 2 firewalls. If the www server is compromised, then there is no access from that point through to the LAN. This architecture is often used when you have to have access to a DB from the web server. The 2nd FW only allows data connections in that scenario (and the DB is NOT on the LAN in that case!!)

                                   <-- LAN Internet access
internet -----FW1-----WEB SRV-----FW2-----LAN
          Allow 80 ->            ---> XXX (no inbound)

Cheers
Julian
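Rule set for the two-NIC Linux box akant74 describes (the FW1 role in Julian's sandwich), given here as an added example; it is not from the thread or from any of its participants. It publishes only port 80 to the web server in the new DMZ, lets content updates in only when they arrive from the LAN firewall's external address (Julian's FW1 -> out -> FW2 -> back in path), and refuses every connection the web server itself tries to open, which is the property port forwarding to a LAN host does not give you. The interface names, the addresses (documentation ranges) and the choice of SFTP on port 22 as the "secure FTP" channel are assumptions; with DRY_RUN=1 (the default) it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: iptables rules for a two-NIC Linux firewall with a public NIC
# and a DMZ NIC (FW1 in the sandwich design). Names and addresses are assumed.
set -eu

WAN_IF=${WAN_IF:-eth0}                 # public side (assumed interface name)
DMZ_IF=${DMZ_IF:-eth1}                 # new DMZ segment (assumed interface name)
WAN_IP=${WAN_IP:-203.0.113.10}         # public address of this box (assumed)
WEB_IP=${WEB_IP:-192.168.100.10}       # web server in the DMZ (assumed)
LAN_FW_IP=${LAN_FW_IP:-203.0.113.20}   # external IP of the LAN's own firewall, FW2 (assumed)
DRY_RUN=${DRY_RUN:-1}                  # 1 = print the rules, 0 = apply them (needs root)

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

fw1_rules() {
    # Start clean; default deny for anything not explicitly allowed below.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Publish port 80 only: DNAT to the web server, then permit the forwarded flow.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP:80"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$WEB_IP" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Content updates over SFTP (assumed channel), accepted only when the connection
    # comes from the LAN firewall's external address: LAN -> FW2 -> Internet -> FW1.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -s "$LAN_FW_IP" -d "$WAN_IP" -p tcp --dport 22 \
        -j DNAT --to-destination "$WEB_IP:22"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -s "$LAN_FW_IP" -d "$WEB_IP" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # The web server may answer but may not open anything: a compromised DMZ host
    # gets no new connections out, neither to the Internet nor towards the LAN.
    ipt -A FORWARD -i "$DMZ_IF" -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ-NEW-DROP "
    ipt -A FORWARD -i "$DMZ_IF" -j DROP

    # Nothing reaches the firewall itself from outside; manage it from the console.
    ipt -A INPUT -i "$WAN_IF" -j DROP
}

# Self-check: number of rules that would let the DMZ initiate a connection. Must be 0.
dmz_initiated_rules() {
    ( DRY_RUN=1; fw1_rules ) | grep -c -- "-i $DMZ_IF .*-j ACCEPT" || true
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
    fw1_rules
fi
```

LAN users reach the site through FW1's public address like everyone else, so FW2 needs nothing beyond its usual outbound rule; that matches lrmoore's caveat that the Linux box design is simplest when the server is stand-alone. If the web server ever needs a database, the DROP on the DMZ interface is where a single, tightly specified rule for that one destination and port would go, and, as Julian notes, that database should not sit on the LAN.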