Pau Lo
asked on
DMZ/Firewall
Are DMZ’s (and servers held within) typically behind a perimeter firewall? If not where do they “sit” in terms of a corporate network? If they aren’t behind any type of firewall what kind of protection stops them being easy targets for Internet based attacks?
If they are behind a firewall what kind of rules allow outsiders to talk to these servers from the Internet?
And finally is it typical to just have 1 DMZ per company, or can they have more. If they have more than 1, why is that? Why do they need more than one DMZ?
If they are behind a firewall what kind of rules allow outsiders to talk to these servers from the Internet?
And finally is it typical to just have 1 DMZ per company, or can they have more. If they have more than 1, why is that? Why do they need more than one DMZ?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
>>and only open the holes in the firewall that absolutely need to be opened.
Do you mean ports?
Can you check if theres a port open on the firewall that is unneccersarily open and could be closed? Would there be any stats on logs that could show actually this port is never used?
And are you saying they'll just be 1 perimeter firewall as opposed to one external firewall and one internal firewall?
Do you mean ports?
Can you check if theres a port open on the firewall that is unneccersarily open and could be closed? Would there be any stats on logs that could show actually this port is never used?
And are you saying they'll just be 1 perimeter firewall as opposed to one external firewall and one internal firewall?
The two firewalls can be the same device:
/ \ --- DMZ
Internet -- | FIREWALL |
\ / --- Private Network
People have been known to put the DMZ and Private Network on the same physical LAN but on different subnets - but this is a security problem (if a DMZ machine is compromised it could connect to the private network!)
So you either need two firewalls or a firewall with three independant interfaces.
/ \ --- DMZ
Internet -- | FIREWALL |
\ / --- Private Network
People have been known to put the DMZ and Private Network on the same physical LAN but on different subnets - but this is a security problem (if a DMZ machine is compromised it could connect to the private network!)
So you either need two firewalls or a firewall with three independant interfaces.
Check ports using a portscanner. You can find free services to scan your IP address for you OR internally using various port scanning utilities.
Logs are dependant on the firewall software you use!
Logs are dependant on the firewall software you use!
>>and only open the holes in the firewall that absolutely need to be opened.
Yes, I'm referring to ports here as 'holes'.
>>Can you check if theres a port open on the firewall that is unneccersarily open and could be closed? Would there be any stats on logs that could show actually this port is never used?
Yes, there are ways of seeing if a port is being used but it is different per firewall.
>>And are you saying they'll just be 1 perimeter firewall as opposed to one external firewall and one internal firewall?
I'm not sure what you are asking here but I'm thinking it has to do with me stating one firewall will do it all so let me explain further. Most enterprise firewalls have multiple interfaces that you configure as you want. So you could have fa0/0 as the outside interface (perimeter firewall), fa0/1 as the inside interface (internal LAN), and fa0/2 as the DMZ interface. You have a different set of access rules for all the interfaces which controls what traffic can get to what interface.
Yes, I'm referring to ports here as 'holes'.
>>Can you check if theres a port open on the firewall that is unneccersarily open and could be closed? Would there be any stats on logs that could show actually this port is never used?
Yes, there are ways of seeing if a port is being used but it is different per firewall.
>>And are you saying they'll just be 1 perimeter firewall as opposed to one external firewall and one internal firewall?
I'm not sure what you are asking here but I'm thinking it has to do with me stating one firewall will do it all so let me explain further. Most enterprise firewalls have multiple interfaces that you configure as you want. So you could have fa0/0 as the outside interface (perimeter firewall), fa0/1 as the inside interface (internal LAN), and fa0/2 as the DMZ interface. You have a different set of access rules for all the interfaces which controls what traffic can get to what interface.
ASKER
Thank you all for your pointers (and patience).
Could you just define a firewall interface in laymans terms? That may help me grasp the concept a bit better. WHat is more common, 1 firewall with several interfaces for segregating the DMZ and private network, or 2 firewalls, one an external firewall that sits between the internet and the DMZ, and another that sits between the DMZ and private network?
Could you just define a firewall interface in laymans terms? That may help me grasp the concept a bit better. WHat is more common, 1 firewall with several interfaces for segregating the DMZ and private network, or 2 firewalls, one an external firewall that sits between the internet and the DMZ, and another that sits between the DMZ and private network?
I have come across more setups with 1 firewall.
Firewall interface, in reality, tends to be an ethernet socket on the machine/device.
But beware of routers you buy as they might have 5 ethernet sockets, but 4 of them are connected to a switch (so they are all on the same LAN) - so they only really have two interfaces. it depends on the hardware and whether it can isolate a particular socket.
For a PC machine set up as a firewall, you would need free LAN cards - ie 3 separate ethernet sockets.
Firewall interface, in reality, tends to be an ethernet socket on the machine/device.
But beware of routers you buy as they might have 5 ethernet sockets, but 4 of them are connected to a switch (so they are all on the same LAN) - so they only really have two interfaces. it depends on the hardware and whether it can isolate a particular socket.
For a PC machine set up as a firewall, you would need free LAN cards - ie 3 separate ethernet sockets.
ASKER
Thanks again. Is there anything you can take from say the internal IP address of a server that shows its in a DMZ? I dont fully understand what the 4 segments of an internal IP represent, or how you can make use of them (xxx.xxx.xxx.xxx) for diagrams of networks and DMZ's. Or if for example a known public facing web server, if I resolve the internal IP of that, are there any other commands that can show me other devices in the DMZ, i.e. anything I can take from the IP of a web server known to be in the DMZ to identify all other hosts in the DMZ?
That's a very different question and there are lots of articles on the internet (eg, wikipedia) about IPv4 addresses (so, type IPv4 into wikipedia)
The internal IP address shouldn't ever be known to the outside world, but if you were connected to the DMZ, you would be able to scan the network to find other hosts.
But if you found the internal IP address from outside the firewall, it wouldn't tell you anything about other machines on the network as access to them is controlled by the firewall.
The internal IP address shouldn't ever be known to the outside world, but if you were connected to the DMZ, you would be able to scan the network to find other hosts.
But if you found the internal IP address from outside the firewall, it wouldn't tell you anything about other machines on the network as access to them is controlled by the firewall.
The four octets of an IP address are used as a string identifier for a machine. There are different classes they are grouped into and then you can separate or combine them using subnets. About the only thing you would be able to tell from an IP address/subnet are how many other IPs are in that subnet. So if I know there is a webserver with the IP 192.168.1.5 255.255.255.0 I know there are possibly 253 other machines available on IPs in that subnet because 192.168.1.0 255.255.255.0 has 254 usable IP addresses. However I have no way of knowing if there are any other machines on those IPs unless I try to ping them or something.
ASKER
Would a DMZ typically be a subnet then? Or not always?
ASKER
I never knew subnets were limited to 255 devices
Every network is a subnet as every IP has to have a subnet mask. Subnets are used as a way to define how large a network is. Like mirtol stated, this is really a very detailed question that doesn't apply to the main topic. If you would like more explanation on TCP/IP subnetting or how you should plan/implement your network I'd be glad to help but you should ask another question for that.
ASKER
By the way who gives you your external IP address? Is it always one external IP address per server? And can you get the external IP address of a webserver or everything in your DMZ internally with commands?
>>I never knew subnets were limited to 255 devices
/24 subnets (subnets with the mask of 255.255.255.0) are limited to 256 addresses, 254 which are usable. Iused a /24 as my example because it is the most common and simplest subnet.
/24 subnets (subnets with the mask of 255.255.255.0) are limited to 256 addresses, 254 which are usable. Iused a /24 as my example because it is the most common and simplest subnet.
>>By the way who gives you your external IP address? Is it always one external IP address per server? And can you get the external IP address of a webserver or everything in your DMZ internally with commands?
Your ISP assigns you your external IPs that you purchase and you map them internally as needed. You can have multiple internal IPs use the same external IPs through NAT which is the typical scenario for users connecting to the Internet.
>>can you get the external IP address of a webserver or everything in your DMZ internally with commands?
people will run port scanners to try and find holes in your firewall all the time but as long as you have good access lists you will be fine. If someone does get through and connect to your DMZ server they can find other info on your DMZ. But you should also have strong access lists in place to protect your LAN from your DMZ so even if your DMZ gets hacked they can't get to your LAN.
Your ISP assigns you your external IPs that you purchase and you map them internally as needed. You can have multiple internal IPs use the same external IPs through NAT which is the typical scenario for users connecting to the Internet.
>>can you get the external IP address of a webserver or everything in your DMZ internally with commands?
people will run port scanners to try and find holes in your firewall all the time but as long as you have good access lists you will be fine. If someone does get through and connect to your DMZ server they can find other info on your DMZ. But you should also have strong access lists in place to protect your LAN from your DMZ so even if your DMZ gets hacked they can't get to your LAN.
Yes, a DMZ would have it's own subnet, for example:
DMZ could have a subnet of 192.168.1.0/24 (meaning 192.168.1.*** are all in the DMZ)
And your Private network could be on 192.168.123.0/24 (meaning 192.168.123.*** are on the private network)
Again, wikipedia Subnetwork: http://en.wikipedia.org/wiki/Subnetwork : for in depth answer to your query...
DMZ could have a subnet of 192.168.1.0/24 (meaning 192.168.1.*** are all in the DMZ)
And your Private network could be on 192.168.123.0/24 (meaning 192.168.123.*** are on the private network)
Again, wikipedia Subnetwork: http://en.wikipedia.org/wiki/Subnetwork : for in depth answer to your query...
ASKER
Cheers!
Again, subnetting can be very overwhelming if you aren't familiar with it so if you have more questions about it post them separately and you'll get more help than you probably need.
ASKER
>>people will run port scanners to try and find holes in your firewall all the time
What would be classed as a hole, and is it obvious to the hacker/bad guy theyve found a hole in the permiter firewall? Are holes rare in decent IT shops or pretty common?
What would be classed as a hole, and is it obvious to the hacker/bad guy theyve found a hole in the permiter firewall? Are holes rare in decent IT shops or pretty common?
A hole is any port that you have open. In order to try and keep out those unwanted people make sure your access lists are as specific as possible for what IPs are allowed to access, what IPs are being accessed, and what traffic is allowed to be passed.
A hacker will scan your firewall to find which ports are open.
"Holes" in the firewall, if the firewall is doing its job, should only be on ports which you have opened to allow access to a service.
A port scanner can find which ports you have opened, and then a hacker can connect to those ports to find out what services you are making available.
So, for example, they could scan your IP address, find ports 80 and 110 open (the standard HTTP and POP3 ports) and deduce you are running a webserver and a POP3 email server.
Access to those services is then regulated by the machine on which they reside.
So, for POP3, the mail server software you are using.
Anyway, you should just read up on this stuff - it's all readily available information on the net. I begin to suspect you are writing a homework piece...
"Holes" in the firewall, if the firewall is doing its job, should only be on ports which you have opened to allow access to a service.
A port scanner can find which ports you have opened, and then a hacker can connect to those ports to find out what services you are making available.
So, for example, they could scan your IP address, find ports 80 and 110 open (the standard HTTP and POP3 ports) and deduce you are running a webserver and a POP3 email server.
Access to those services is then regulated by the machine on which they reside.
So, for POP3, the mail server software you are using.
Anyway, you should just read up on this stuff - it's all readily available information on the net. I begin to suspect you are writing a homework piece...
ASKER
Well off the mark with the homework question or id be one of the oldest students going
ASKER
Is the external firewalla nd internal firewall typically 2 different peices of equiptment, or can it be the same device?
Also, aside from web server sthat host public apps/websites, what other types of system could you find in a DMZ?