Solved

Explaining the necessity of DMZ and indepth repercussions of not having it

Posted on 2007-11-19
Last Modified: 2010-04-09
I understand the importance and necessity of a DMZ and the benefits it provides, e.g. separating publicly accessible systems and protecting internal systems from public traffic by creating trusted vs. untrusted segments and controlling traffic access between them.

What I don't understand in relation to our environment is this:

We have www systems in the DMZ. They run a custom ASP.NET/AJAX app that interacts heavily with a SQL 2005 DB which is sitting in the trusted segment behind the firewall, where only traffic allowed to it is from the DMZ segment.

Now if we already have the necessary ports open for communication, e.g. 80 and 1433, then even with the DMZ, what is to keep an intruder off the private segment if (s)he hacks the www systems? Since the ports are already open, wouldn't it be fairly easy to just gain access to the DB systems then? A coworker was saying that once you were on the www system you could just drop some custom ASP code that would get you onto the DB system anyway.

I know industry practice is to separate this traffic, especially in environments where critical data integrity is imperative (banks, healthcare, government), but I am just trying to ascertain here, aside from the high-level security benefits, what the DMZ is really buying us.
Question by:pageflakes

6 Comments
 
LVL 12

Expert Comment

by:craskin
ID: 20316282
My own philosophy is that any machine on your network should be behind the firewall with only those ports necessary for serving what you need. I don't know what you gain if you have vulnerable ports open between the DMZ server and those behind the firewall, because as you've said, if anyone hacks the DMZed server, they can get through those vulnerable ports to the servers behind the firewall.

Really, the idea behind putting something in a DMZ is to minimize network traffic behind the firewall, but I think this can be done in a more intelligent way with something like a forest.
 
LVL 2

Accepted Solution

by:gmilhon (earned 125 total points)
ID: 20316608
Creating separate network zones is a good start to securing your network. Restricting what traffic is allowed into your DMZ is only the first step. You must also ensure that the traffic you allow into your network isn't going to compromise your security. In your example you have a web server within your DMZ open to the public Internet. You want to ensure that your application is secure as well as your web server. Applying current security patches is always recommended, and you should have a policy in place to deal with that. You should also place web application firewalls (WAF) at the edge of your DMZ; there are numerous products out there that can be used. Typical firewalls only look at the IP packets (what port number, destination IP address, protocol, source IP, etc.). Web application firewalls will actually look at the application layer (OSI Layer 7) of the request to protect against any security risks. They are often referred to as deep packet inspection firewalls because they go beyond layer 5 and look at the application data. There are numerous commercial products as well as open source solutions such as ModSecurity (http://www.modsecurity.org/).
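To make the question's "what is the DMZ buying us" concrete alongside this answer's point that zoning is only the first step, here is an added example (not code from any poster) that models a zone-based, first-match firewall policy for the thread's layout: public clients reach the www host on 80, and only the www host may reach the SQL host on 1433. The addresses, zone ranges and host names are constructed assumptions, not the poster's real network. Evaluating flows from the www host shows what a compromise of it can and cannot reach on the trusted segment, and which single flow (SQL on 1433) the port-level policy cannot inspect at all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the three zones in the question (assumed, not the poster's ranges).
ZONES = {
    "outside": ip_network("0.0.0.0/0"),     # catch-all, checked last
    "dmz": ip_network("192.0.2.0/24"),
    "inside": ip_network("10.10.0.0/16"),   # the trusted segment
}
WWW = "192.0.2.10"   # assumed address of the DMZ web server
DB = "10.10.5.20"    # assumed address of the SQL 2005 server

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    src_host: Optional[str] = None   # None = any host in src_zone
    dst_host: Optional[str] = None   # None = any host in dst_zone
    action: str = "allow"

# First-match policy; everything not matched is denied by the implicit last rule.
POLICY = [
    Rule("outside", "dmz", 80, dst_host=WWW),                  # public web traffic in
    Rule("dmz", "inside", 1433, src_host=WWW, dst_host=DB),    # only www -> DB on 1433
]

def zone_of(ip: str) -> str:
    """Most specific zone first; 'outside' is the 0.0.0.0/0 catch-all."""
    addr = ip_address(ip)
    for name in ("dmz", "inside", "outside"):
        if addr in ZONES[name]:
            return name
    raise ValueError(ip)

def evaluate(src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for a new TCP connection src -> dst:port."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in POLICY:
        if (r.src_zone, r.dst_zone, r.dst_port) != (sz, dz, port):
            continue
        if r.src_host and r.src_host != src:
            continue
        if r.dst_host and r.dst_host != dst:
            continue
        return r.action
    return "deny"

def reachable_from(src: str, targets) -> dict:
    """Blast radius of a host: the verdict for each (host, port) it might try."""
    return {f"{h}:{p}": evaluate(src, h, p) for h, p in targets}
```

Of the inside targets a compromised www host might try, only `DB:1433` is allowed; that one flow carries SQL, which is exactly what the application hardening and WAF inspection in this answer address, since a port-level rule sees nothing inside it.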
 

Author Comment

by:pageflakes
ID: 20316690
So this WAF: in our case the systems are IIS, so I'm presuming a product like ISA would sit at the DMZ edge. I'm a big fan of spatial learning; could a simple diagram be constructed to show how this would work?

Another issue to consider here is that our current LB and PIX do not have gigabit interfaces (11501S and 515E), so I do not want to introduce another layer of potential bottleneck, as the current LB and PIX have only 100Mb interfaces.
 
LVL 2

Expert Comment

by:gmilhon
ID: 20316860
I would suggest avoiding Microsoft's ISA product for use as a web application firewall. I don't know what your budget is, but F5, Cisco, Citrix (NetScaler) and others have web application firewall solutions. Many of the devices can replace the functions of your existing PIX and CSS. This device/server would sit between your firewall and load balancer, preventing any requests that could cause harm.
 

Author Comment

by:pageflakes
ID: 20405040
Thanks gmilhon. I'm going to go ahead and close out this question, but one last thing: what's the resource overhead of running a WAF that is ultimately inspecting each packet?
 
LVL 2

Expert Comment

by:gmilhon
ID: 20405091
If you use a dedicated hardware appliance your overhead is minimal. Many vendor solutions are near wire speed. Glad I could help.