pageflakes asked:
Explaining the necessity of DMZ and indepth repercussions of not having it

I understand the importance and necessity of a DMZ and the benefits it provides, e.g. separating publicly accessible systems and protecting internal systems from public traffic by creating trusted vs untrusted segments and controlling traffic access between them.

What I don't understand in relation to our environment is this:

We have www systems in the DMZ. They run a custom ASP.NET/AJAX app that interacts heavily with a SQL 2005 DB which is sitting in the trusted segment behind the firewall, where the only traffic allowed to it is from the DMZ segment.

Now if we already have the necessary ports open for communication, e.g. 80, 1433, then even with the DMZ, what is to keep an intruder off the private segment if (s)he haXorz the www systems? Since the ports are already open, wouldn't it be fairly easy to just gain access to the DB systems then? A coworker was saying that once you were on the www system you could just drop some custom ASP code that would get you onto the DB system anyway.

I know industry practice is to separate this traffic, especially in environments where critical data integrity is imperative (banks/healthcare, govt), but I am just trying to ascertain here, aside from the high-level security benefits, what the DMZ is really buying us.
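To make the asker's layout concrete, here is an added illustrative Python model (not code from the thread or any product) of the segment-based firewall rules described above; the host names, segment names and the port list are constructed assumptions. It compares what a compromised www host can reach under the DMZ policy as stated, under the same policy with the 1433 rule narrowed to the single DB host, and with no DMZ at all.

```python
from collections import namedtuple

# A rule's dst may name a whole segment or a single host (constructed model).
Rule = namedtuple("Rule", "src_seg dst port")

# Constructed hosts for the asker's layout: host name -> segment.
HOSTS = {
    "internet": "untrusted",
    "www1": "dmz",          # the ASP.NET front end
    "sql1": "trusted",      # the SQL 2005 box
    "fileserver": "trusted",
    "dc1": "trusted",
}

# Default-deny policy as the question describes it: 80 into the DMZ,
# 1433 from the DMZ segment into the trusted segment.
DMZ_POLICY = [Rule("untrusted", "dmz", 80), Rule("dmz", "trusted", 1433)]

# Same thing with the 1433 rule scoped to the one host that needs it.
TIGHT_POLICY = [Rule("untrusted", "dmz", 80), Rule("dmz", "sql1", 1433)]

# No DMZ at all: www1 lives in the trusted segment, so 80 must be opened
# straight into it and the firewall is not between www1 and the other hosts.
FLAT_HOSTS = {**HOSTS, "www1": "trusted"}
FLAT_POLICY = [Rule("untrusted", "trusted", 80)]


def allowed(hosts, policy, src, dst, port):
    """True if src -> dst:port passes the firewall (same segment: no firewall)."""
    s, d = hosts[src], hosts[dst]
    if s == d:
        return True
    return any(r.src_seg == s and r.dst in (d, dst) and r.port == port
               for r in policy)


def blast_radius(hosts, policy, foothold, ports=(80, 445, 1433, 3389)):
    """(host, port) pairs reachable from a compromised host under the policy."""
    return {(dst, p) for dst in hosts if dst != foothold
            for p in ports if allowed(hosts, policy, foothold, dst, p)}


if __name__ == "__main__":
    for label, h, p in (("dmz", HOSTS, DMZ_POLICY),
                        ("dmz, host-scoped", HOSTS, TIGHT_POLICY),
                        ("flat", FLAT_HOSTS, FLAT_POLICY)):
        print(f"{label:18} www1 compromised -> {sorted(blast_radius(h, p, 'www1'))}")
```

The allowed 1433 path survives in every DMZ variant, which is the coworker's point; what the DMZ changes is how many other hosts and ports that foothold can reach, while the application and database layer still has to be defended on its own.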
craskin

My own philosophy is that any machine on your network should be behind the firewall with only those ports necessary for serving what you need. I don't know what you gain if you have vulnerable ports open between the DMZ server and those behind the firewall, because, as you've said, if anyone hacks the DMZed server, they can get through those vulnerable ports to the servers behind the firewall.

Really, the idea behind putting something in a DMZ is to minimize network traffic behind the firewall, but I think this can be done in a more intelligent way with something like a forest.
ASKER CERTIFIED SOLUTION
gmilhon
pageflakes (ASKER)
So this WAF: in our case the systems are IIS, so I'm presuming a product like ISA would sit at the DMZ edge. I'm a big fan of spatial learning; could a simple diagram be constructed to show how this would work?

Another issue to consider here is that our current LB and PIX do not have gigabit interfaces (11501S and 515E), so I do not want to introduce another layer of potential bottleneck, as the current LB and PIX have only 100Mb interfaces.
gmilhon

I would suggest avoiding Microsoft's ISA product for use as a web application firewall. I don't know what your budget is, but F5, Cisco, Citrix (NetScaler) and others have web application firewall solutions. Many of the devices can replace the functions of your existing PIX and CSS. This device/server would be between your firewall and load balancer, preventing any requests that could cause harm.
Thanks gmilhon. I'm going to go ahead and close out this question, but one last thing: what's the resource overhead of running a WAF that is ultimately inspecting each packet?
If you use a dedicated hardware appliance your overhead is minimal. Many vendor solutions are near wire speed. Glad I could help.