Solved

Explaining the necessity of DMZ and indepth repercussions of not having it

Posted on 2007-11-19
450 Views
Last Modified: 2010-04-09
I understand the importance and necessity of a DMZ and the benefits it provides, e.g. separating publicly accessible systems and protecting internal systems from public traffic by creating trusted vs. untrusted segments and controlling traffic access between them.

What I don't understand in relation to our environment is this:

We have www systems in the DMZ. They run a custom ASP.NET/AJAX app that interacts heavily with a SQL 2005 DB which is sitting in the trusted segment behind the firewall, where only traffic allowed to it is from the DMZ segment.

Now if we already have the necessary ports open for communication, e.g. 80, 1433, then even with the DMZ, what is to keep an intruder off the private segment if (s)he haXorz the www systems? Since the ports are already open, wouldn't it be fairly easy to just gain access to the DB systems then? A coworker was saying that once you were on the www system you could just drop some custom ASP code that would get you onto the DB system anyway.

I know industry practice is to separate this traffic, especially in environments where critical data integrity is imperative (banks, healthcare, govt), but I am just trying to ascertain here, aside from the high-level security benefits, what the DMZ is really buying us.
Question by:pageflakes
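The question above is really about blast radius: with 80 and 1433 open, what does a foothold on the www host still reach? The following zone-policy model is an added example for this thread, not code from the original post or from any firewall vendor; the addresses (documentation ranges), zone names and rule base are assumptions that mirror the layout described (web server in the DMZ, SQL Server in the trusted segment, 1433 allowed only from the web host). It makes the "what is the DMZ buying us" answer concrete: the only trusted-segment flow a compromised web server gets is the single one the application needs, and everything else the firewall can see is denied.

```python
"""Zone-policy model of the layout described in the question.

Added example for this thread, not code from the original post: the addresses,
zone names and rule set are assumptions that mirror the question (web server in
the DMZ, SQL Server in the trusted segment, 1433 allowed only from the DMZ).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing: documentation ranges, not a real network.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),     # catch-all, least specific
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "trusted": ipaddress.ip_network("10.10.0.0/16"),
}
WEB_SERVER = "192.0.2.10"   # the www host in the DMZ (assumed address)
SQL_SERVER = "10.10.5.20"   # SQL 2005 in the trusted segment (assumed address)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]          # None means any port
    src_host: Optional[str] = None   # pin the rule to one source address
    dst_host: Optional[str] = None   # pin the rule to one destination address
    action: str = "allow"


# The rule base as the question states it, tightened to host pairs, with an
# implicit default deny for anything unmatched.
POLICY = [
    Rule("internet", "dmz", 80, dst_host=WEB_SERVER),                       # public HTTP to the web tier
    Rule("dmz", "trusted", 1433, src_host=WEB_SERVER, dst_host=SQL_SERVER),  # only web -> SQL, only 1433
]


def zone_of(ip: str) -> str:
    """Longest-prefix match so 192.0.2.x lands in 'dmz', not the 0.0.0.0/0 catch-all."""
    addr = ipaddress.ip_address(ip)
    matches = [z for z, net in ZONES.items() if addr in net]
    if not matches:
        raise ValueError(f"{ip} is in no configured zone")
    return max(matches, key=lambda z: ZONES[z].prefixlen)


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and (rule.dst_port is None or rule.dst_port == dst_port)
                and (rule.src_host is None or rule.src_host == src_ip)
                and (rule.dst_host is None or rule.dst_host == dst_ip)):
            return rule.action
    return "deny"


def reachable_from(src_ip: str, targets: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Blast-radius view: which (host, port) pairs a foothold on src_ip can still reach."""
    return sorted(t for t in targets if evaluate(src_ip, t[0], t[1]) == "allow")


if __name__ == "__main__":
    inside = [(SQL_SERVER, 1433), (SQL_SERVER, 3389), ("10.10.7.9", 445), ("10.10.7.9", 1433)]
    print("internet -> SQL:1433       ", evaluate("198.51.100.7", SQL_SERVER, 1433))
    print("web      -> SQL:1433       ", evaluate(WEB_SERVER, SQL_SERVER, 1433))
    print("web      -> SQL:3389       ", evaluate(WEB_SERVER, SQL_SERVER, 3389))
    print("other DMZ host -> SQL:1433 ", evaluate("192.0.2.11", SQL_SERVER, 1433))
    print("reachable from web server: ", reachable_from(WEB_SERVER, inside))
```

The point the model makes is that the segmentation does not remove the 1433 path, because the application needs it; it removes every other path, so the remaining risk sits in the application itself and in what the SQL login used by the web app is permitted to do. Pinning the rule to host pairs rather than whole zones (the `src_host`/`dst_host` fields) is what keeps a second DMZ host, or a second database, out of that path.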
6 Comments
 
LVL 12

Expert Comment

by:craskin
ID: 20316282
My own philosophy is that any machine on your network should be behind the firewall with only those ports necessary for serving what you need. I don't know what you gain if you have vulnerable ports open between the DMZ server and those behind the firewall, because, as you've said, if anyone hacks the DMZed server, they can get through those vulnerable ports to the servers behind the firewall.

Really, the idea behind putting something in a DMZ is to minimize network traffic behind the firewall, but I think this can be done in a more intelligent way with something like a forest.
 
LVL 2

Accepted Solution

by:
gmilhon earned 125 total points
ID: 20316608
Creating separate network zones is a good start to securing your network. Restricting what traffic is allowed into your DMZ is only the first step. You must also ensure that the traffic you allow into your network isn't going to compromise your security. In your example you have a web server within your DMZ open to the public Internet. You want to ensure that your application is secure as well as your web server. Applying current security patches is always recommended, and you should have a policy in place to deal with that. You should also place web application firewalls (WAF) at the edge of your DMZ; there are numerous products out there that can be used. Typical firewalls only look at the IP packets (what port number, destination IP address, protocol, source IP, etc.). Web application firewalls will actually look at the application layer (OSI Layer 7) of the request to protect against any security risks. They are often referred to as deep packet inspection firewalls because they go beyond layer 5 and look at the application data. There are numerous commercial products as well as open source solutions such as ModSecurity (http://www.modsecurity.org/).
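To make the accepted answer's layer-3/4 versus layer-7 distinction concrete, here is an added example that is not code from the thread and not ModSecurity's engine: the same constructed requests, all addressed to port 80, are run through a port-based decision and through an application-layer check that enforces a positive model of what the application actually serves (known routes, expected parameters, parameter shapes, bounded sizes). The routes, patterns and sample requests are assumptions made for the example; a real WAF applies the same idea to headers, cookies and request bodies as well.

```python
"""Port filter versus application-layer inspection on the same requests.

Added example, not code from the thread and not ModSecurity's engine: it shows
why a packet filter passes anything addressed to port 80 while a layer-7 check
can enforce a positive model of what the application actually accepts. The
routes, parameter patterns and sample requests below are constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit


def packet_filter(dst_port: int, proto: str = "tcp") -> bool:
    """All a layer-3/4 firewall can decide on: protocol and port, never the payload."""
    return proto == "tcp" and dst_port in {80, 443}


# Positive security model (assumed for the example): the routes the app really
# serves and the shape every parameter must have.  Unknown routes and
# parameters are rejected instead of trying to enumerate bad inputs.
ROUTES = {
    ("GET", "/"): {},
    ("GET", "/products"): {"id": re.compile(r"\d{1,9}")},
    ("GET", "/search"): {"q": re.compile(r"[A-Za-z0-9 ]{1,64}")},
}
MAX_QUERY_LEN = 512   # bound the input the application has to handle


def inspect_request(raw: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one HTTP request head; checks query parameters only."""
    try:
        method, target, version = raw.split("\r\n", 1)[0].split(" ")
    except ValueError:
        return False, "malformed request line"
    if not version.startswith("HTTP/1."):
        return False, "unsupported protocol version"
    parts = urlsplit(target)
    if len(parts.query) > MAX_QUERY_LEN:
        return False, "query string too long"
    rules = ROUTES.get((method, parts.path))
    if rules is None:
        return False, f"no such route: {method} {parts.path}"
    seen = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in rules:
            return False, f"unexpected parameter {name!r}"
        if name in seen:
            return False, f"duplicate parameter {name!r}"
        seen.add(name)
        if rules[name].fullmatch(value) is None:
            return False, f"parameter {name!r} fails shape check"
    return True, "ok"


# Constructed sample traffic, all addressed to port 80 on the web server.
SAMPLES = [
    "GET /products?id=42 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "GET /products?id=42abc HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "GET /products?id=42&debug=1 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "TRACE / HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "GET /search?q=" + "a" * 600 + " HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "not an http request\r\n\r\n",
]


def compare(samples: List[str] = SAMPLES) -> List[Tuple[bool, bool]]:
    """(port-filter verdict, layer-7 verdict) per sample: the port filter passes them all."""
    return [(packet_filter(80), inspect_request(s)[0]) for s in samples]


if __name__ == "__main__":
    for s, (l4, l7) in zip(SAMPLES, compare()):
        print(f"L3/4 {'pass' if l4 else 'drop'}  L7 {'pass' if l7 else 'drop'}  "
              f"{s.split(chr(13))[0][:40]!r}  {inspect_request(s)[1]}")
```

Only the first sample survives the layer-7 check; the port filter passes all six, which is exactly the gap the answer describes. The allowlist approach also answers the overhead concern raised later in the thread in part: matching a request against a small table of known routes and parameter shapes is cheap compared with scanning every byte against a large signature set.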
 

Author Comment

by:pageflakes
ID: 20316690
So this WAF: in our case the systems are IIS, so I'm presuming a product like ISA would sit at the DMZ edge. I'm a big fan of spatial learning; could a simple diagram be constructed to show how this would work?

Another issue to consider here is that our current LB and PIX do not have gigabit interfaces (11501S and 515E), so I do not want to introduce another layer of potential bottleneck, as the current LB and PIX have only 100Mb interfaces.
 
LVL 2

Expert Comment

by:gmilhon
ID: 20316860
I would suggest avoiding Microsoft's ISA product for use as a web application firewall. I don't know what your budget is, but F5, Cisco, Citrix (NetScaler) and others have web application firewall solutions. Many of the devices can replace the functions of your existing PIX and CSS. This device/server would be between your firewall and load balancer, preventing any requests that could cause harm.
 

Author Comment

by:pageflakes
ID: 20405040
Thanks gmilhon. I'm going to go ahead and close out this question, but one last thing: what's the resource overhead of running a WAF that is ultimately inspecting each packet?
 
LVL 2

Expert Comment

by:gmilhon
ID: 20405091
If you use a dedicated hardware appliance your overhead is minimal. Many vendor solutions are near wire speed. Glad I could help.