DMZ/Firewall

Are DMZs (and the servers held within them) typically behind a perimeter firewall? If not, where do they "sit" in terms of a corporate network? If they aren't behind any type of firewall, what kind of protection stops them from being easy targets for Internet-based attacks?

If they are behind a firewall, what kind of rules allow outsiders to talk to these servers from the Internet?

And finally, is it typical to just have one DMZ per company, or can they have more? If they have more than one, why is that? Why do they need more than one DMZ?
pma111Asked:

mirtolCommented:
The typical layout of a network is to have:

Internet --- [EXTERNAL FIREWALL] --- DMZ --- [INTERNAL FIREWALL] --- Private Network

So yes, any machines in the DMZ are behind a firewall (hence "demilitarized").

It is typical to have only one DMZ, in which you place any servers that provide services that are accessible from the Internet (e.g. web, email, etc.).

The secondary firewall is to prevent ANY access to the private internal network.

pma111Author Commented:
Thanks so much for the info, that helps me.

Are the external firewall and internal firewall typically two different pieces of equipment, or can it be the same device?

Also, aside from web servers that host public apps/websites, what other types of system could you find in a DMZ?
qbakiesCommented:
Most enterprise firewalls provide a DMZ that you can configure on one of the interfaces but you could do it with two devices if necessary.  As a rule of thumb I never put anything sensitive in the DMZ.  Remember that even though it is behind a firewall you are allowing access to resources from the outside world so there is a greater chance that you can be attacked/hacked.  Especially since most people have access rules like 'Allow all TCP/UDP traffic to website X'.  So don't put anything out there that you consider business critical or sensitive unless you have a good backup/recovery plan for recreating something that gets killed.

Mostly you will find web services in DMZs but you can also find mail servers and other things.  Technically you can put anything in the DMZ but you just need to realize what kind of access is possible and only open the holes in the firewall that absolutely need to be opened.

pma111Author Commented:
>>and only open the holes in the firewall that absolutely need to be opened.

Do you mean ports?

Can you check if there's a port open on the firewall that is unnecessarily open and could be closed? Would there be any stats in the logs that could show that actually this port is never used?

And are you saying there'll just be one perimeter firewall as opposed to one external firewall and one internal firewall?
mirtolCommented:
The two firewalls can be the same device:

                  /                 \ --- DMZ
Internet -- | FIREWALL |
                  \                 / --- Private Network

People have been known to put the DMZ and Private Network on the same physical LAN but on different subnets - but this is a security problem (if a DMZ machine is compromised it could connect to the private network!)

So you either need two firewalls or a firewall with three independent interfaces.

mirtolCommented:
Check ports using a portscanner. You can find free services to scan your IP address for you OR internally using various port scanning utilities.

Logs are dependent on the firewall software you use!
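One concrete way to answer the question about logs, as an added example that is not from the thread and not tied to any vendor: most firewalls can log each accepted and dropped connection, and counting accepts per permitted rule over a representative period shows which openings are never exercised. The log format here is a constructed netfilter-style syslog line, the rule table and every log line are constructed for illustration, and the function and constant names (`parse_log`, `rule_hits`, `unused_rules`, `undocumented_accepts`, `probed_ports`) are my own.

```python
"""Find firewall openings that are permitted but never used, from the
firewall's own accept/drop log.  Added example, not from the thread or any
vendor; the log format, rule table and log lines are all constructed."""
import re
from collections import Counter

# Constructed inbound policy on the outside interface (eth0):
# (DMZ host, protocol, destination port) tuples the firewall permits.
INBOUND_RULES = [
    ("192.168.1.5", "tcp", 80),    # web server, HTTP
    ("192.168.1.5", "tcp", 443),   # web server, HTTPS
    ("192.168.1.6", "tcp", 25),    # mail server, SMTP
    ("192.168.1.6", "tcp", 110),   # mail server, POP3
    ("192.168.1.7", "udp", 53),    # DNS server
]
OUTSIDE_IFACE = "eth0"

# Constructed sample log, in the style of netfilter's LOG target.
SAMPLE_LOG = """\
Mar 11 10:02:13 fw kernel: FW-ACCEPT IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP SPT=51234 DPT=80
Mar 11 10:02:19 fw kernel: FW-ACCEPT IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP SPT=51235 DPT=80
Mar 11 10:05:40 fw kernel: FW-ACCEPT IN=eth0 OUT=eth2 SRC=203.0.113.200 DST=192.168.1.5 PROTO=TCP SPT=40022 DPT=443
Mar 11 10:07:02 fw kernel: FW-ACCEPT IN=eth0 OUT=eth2 SRC=203.0.113.201 DST=192.168.1.6 PROTO=TCP SPT=33001 DPT=25
Mar 11 10:09:11 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.168.1.5 PROTO=TCP SPT=44444 DPT=22
Mar 11 10:09:12 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.168.1.5 PROTO=TCP SPT=44445 DPT=3389
Mar 11 10:09:13 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.168.1.6 PROTO=TCP SPT=44446 DPT=22
Mar 11 10:12:00 fw kernel: FW-ACCEPT IN=eth0 OUT=eth2 SRC=203.0.113.77 DST=192.168.1.8 PROTO=TCP SPT=38812 DPT=21
Mar 11 10:15:30 fw kernel: FW-ACCEPT IN=eth1 OUT=eth2 SRC=192.168.123.20 DST=192.168.1.5 PROTO=TCP SPT=50100 DPT=22
Mar 11 10:16:00 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.168.1.5 PROTO=ICMP TYPE=8 CODE=0
"""

# Only lines carrying a destination port are of interest; ICMP has none.
LOG_RE = re.compile(
    r"FW-(?P<action>ACCEPT|DROP) IN=(?P<iface>\S+) OUT=\S* "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+)? DPT=(?P<dport>\d+)"
)

def parse_log(text):
    """One event dict per log line that has a destination port."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["proto"] = ev["proto"].lower()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def rule_hits(events, rules=INBOUND_RULES, outside=OUTSIDE_IFACE):
    """Accepted packets that arrived on the outside interface, per rule."""
    hits = {rule: 0 for rule in rules}
    for ev in events:
        if ev["action"] != "ACCEPT" or ev["iface"] != outside:
            continue   # inside-to-DMZ admin traffic does not justify an Internet opening
        key = (ev["dst"], ev["proto"], ev["dport"])
        if key in hits:
            hits[key] += 1
    return hits

def unused_rules(events, rules=INBOUND_RULES, outside=OUTSIDE_IFACE):
    """Rules with zero accepted hits: candidates to close, pending confirmation."""
    return [rule for rule, n in rule_hits(events, rules, outside).items() if n == 0]

def undocumented_accepts(events, rules=INBOUND_RULES, outside=OUTSIDE_IFACE):
    """Accepted from outside but absent from the documented rule table: policy drift."""
    documented, seen = set(rules), []
    for ev in events:
        key = (ev["dst"], ev["proto"], ev["dport"])
        if (ev["action"] == "ACCEPT" and ev["iface"] == outside
                and key not in documented and key not in seen):
            seen.append(key)
    return seen

def probed_ports(events, outside=OUTSIDE_IFACE):
    """Dropped attempts from outside by port: what scanners are knocking on."""
    return Counter(ev["dport"] for ev in events
                   if ev["action"] == "DROP" and ev["iface"] == outside)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("hits per rule:", rule_hits(evs))
    print("never used:", unused_rules(evs))
    print("accepted but undocumented:", undocumented_accepts(evs))
    print("most probed closed ports:", probed_ports(evs).most_common(3))
```

A rule with zero hits over a short window is not proof that it is unneeded: a quarterly batch job or a disaster-recovery test may be its only user, so sample a full business cycle and confirm with the service owner before closing it. The accept-but-undocumented check catches the opposite drift, openings that nobody remembers adding.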
qbakiesCommented:
>>and only open the holes in the firewall that absolutely need to be opened.

Yes, I'm referring to ports here as 'holes'.  

>>Can you check if theres a port open on the firewall that is unneccersarily open and could be closed? Would there be any stats on logs that could show actually this port is never used?

Yes, there are ways of seeing if a port is being used but it is different per firewall.

>>And are you saying they'll just be 1 perimeter firewall as opposed to one external firewall and one internal firewall?

I'm not sure what you are asking here but I'm thinking it has to do with me stating one firewall will do it all so let me explain further.  Most enterprise firewalls have multiple interfaces that you configure as you want.  So you could have fa0/0 as the outside interface (perimeter firewall), fa0/1 as the inside interface (internal LAN), and fa0/2 as the DMZ interface.  You have a different set of access rules for all the interfaces which controls what traffic can get to what interface.
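The layout described above (one firewall, three interfaces, a separate rule set per pair of interfaces) can be written down as a small policy model. This is an added example, not code from the thread or from any firewall product: the subnets, the public address, the static NAT entry and every rule are constructed for illustration, and the `Rule`, `POLICY`, `zone_of` and `evaluate` names are my own. It also covers the two earlier points in the thread, that the DMZ and the private LAN must sit on different interfaces, and that the DMZ must have no path into the LAN even after a DMZ host has been compromised.

```python
"""Policy model for one firewall with three interfaces (outside, inside, DMZ).

Added example, not from the thread or any firewall vendor.  It shows how a
separate rule set per zone pair gives the DMZ its isolation, including the
rule that stops a compromised DMZ host from reaching the private LAN.
Subnets, public addresses and rules are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: the interface a packet belongs to is decided by subnet.
ZONES = {
    "dmz": ip_network("192.168.1.0/24"),
    "inside": ip_network("192.168.123.0/24"),
}
# Constructed static NAT on the outside interface: public address -> DMZ host.
STATIC_NAT = {"203.0.113.10": "192.168.1.5"}   # the public web server

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str              # "tcp", "udp" or "any"
    dports: frozenset       # empty means any destination port
    action: str             # "allow" or "deny"

# Constructed policy, first match wins.  No rule lets traffic that starts in
# the DMZ reach the inside, and nothing from outside reaches the inside at
# all; anything not matched falls through to the implicit deny.
POLICY = [
    Rule("outside", "dmz", "tcp", frozenset({80, 443}), "allow"),     # published web
    Rule("dmz", "outside", "tcp", frozenset({25}), "allow"),          # mail relay out
    Rule("dmz", "inside", "any", frozenset(), "deny"),                # never initiate inward
    Rule("inside", "dmz", "tcp", frozenset({22, 80, 443}), "allow"),  # admin and testing
    Rule("inside", "outside", "any", frozenset(), "allow"),           # users browsing
    Rule("outside", "inside", "any", frozenset(), "deny"),
]

def zone_of(ip: str) -> str:
    """Zone (interface) an address belongs to; unknown addresses are outside."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"

def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide 'allow' or 'deny' for the first packet of a new connection.

    Static NAT is applied before the rule lookup, as an edge firewall does,
    so outsiders address the public IP while the rules see the DMZ host.
    Return traffic for an allowed connection is assumed to be handled by
    connection tracking and is not modelled here.
    """
    dst = STATIC_NAT.get(dst, dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        # Same subnet: the packet never reaches the firewall, which is exactly
        # why the DMZ and the private LAN must not share a LAN/subnet.
        return "allow"
    for rule in POLICY:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto in ("any", proto)
                and (not rule.dports or dport in rule.dports)):
            return rule.action
    return "deny"   # implicit default deny

if __name__ == "__main__":
    checks = [
        ("198.51.100.7", "203.0.113.10", "tcp", 80),    # Internet -> public web: allow
        ("198.51.100.7", "203.0.113.10", "tcp", 22),    # Internet -> SSH on web: deny
        ("192.168.1.5", "192.168.123.20", "tcp", 445),  # compromised DMZ -> LAN: deny
        ("192.168.123.20", "192.168.1.5", "tcp", 22),   # admin -> DMZ host: allow
    ]
    for pkt in checks:
        print(pkt, "->", evaluate(*pkt))
```

The same-zone shortcut is the reason the warning about sharing one LAN matters: two subnets on one physical LAN never pass through the firewall, so a compromised DMZ host could reach the private network without any rule being consulted. Real firewalls track connection state so that replies to allowed connections come back without a reverse rule; that part is left out of the model.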
pma111Author Commented:
Thank you all for your pointers (and patience).

Could you just define a firewall interface in layman's terms? That may help me grasp the concept a bit better. What is more common: one firewall with several interfaces for segregating the DMZ and private network, or two firewalls, one an external firewall that sits between the Internet and the DMZ, and another that sits between the DMZ and the private network?
mirtolCommented:
I have come across more setups with 1 firewall.

A firewall interface, in reality, tends to be an Ethernet socket on the machine/device.

But beware of routers you buy, as they might have 5 Ethernet sockets, but 4 of them are connected to a switch (so they are all on the same LAN), so they only really have two interfaces. It depends on the hardware and whether it can isolate a particular socket.

For a PC set up as a firewall, you would need free LAN cards, i.e. 3 separate Ethernet sockets.
pma111Author Commented:
Thanks again. Is there anything you can take from, say, the internal IP address of a server that shows it's in a DMZ? I don't fully understand what the 4 segments of an internal IP represent, or how you can make use of them (xxx.xxx.xxx.xxx) for diagrams of networks and DMZs. Or, for example, for a known public-facing web server, if I resolve the internal IP of that, are there any other commands that can show me other devices in the DMZ, i.e. anything I can take from the IP of a web server known to be in the DMZ to identify all other hosts in the DMZ?
mirtolCommented:
That's a very different question and there are lots of articles on the Internet (e.g. Wikipedia) about IPv4 addresses (so, type IPv4 into Wikipedia).

The internal IP address shouldn't ever be known to the outside world, but if you were connected to the DMZ, you would be able to scan the network to find other hosts.

But if you found the internal IP address from outside the firewall, it wouldn't tell you anything about other machines on the network as access to them is controlled by the firewall.
qbakiesCommented:
The four octets of an IP address are used as a string identifier for a machine.  There are different classes they are grouped into and then you can separate or combine them using subnets.  About the only thing you would be able to tell from an IP address/subnet are how many other IPs are in that subnet.  So if I know there is a webserver with the IP 192.168.1.5 255.255.255.0 I know there are possibly 253 other machines available on IPs in that subnet because 192.168.1.0 255.255.255.0 has 254 usable IP addresses.  However I have no way of knowing if there are any other machines on those IPs unless I try to ping them or something.
pma111Author Commented:
Would a DMZ typically be a subnet then? Or not always?
pma111Author Commented:
I never knew subnets were limited to 255 devices
qbakiesCommented:
Every network is a subnet as every IP has to have a subnet mask.  Subnets are used as a way to define how large a network is.  Like mirtol stated, this is really a very detailed question that doesn't apply to the main topic.  If you would like more explanation on TCP/IP subnetting or how you should plan/implement your network I'd be glad to help but you should ask another question for that.
pma111Author Commented:
By the way who gives you your external IP address? Is it always one external IP address per server? And can you get the external IP address of a webserver or everything in your DMZ internally with commands?
qbakiesCommented:
>>I never knew subnets were limited to 255 devices

/24 subnets (subnets with the mask of 255.255.255.0) are limited to 256 addresses, 254 of which are usable. I used a /24 as my example because it is the most common and simplest subnet.
qbakiesCommented:
>>By the way who gives you your external IP address? Is it always one external IP address per server? And can you get the external IP address of a webserver or everything in your DMZ internally with commands?

Your ISP assigns you your external IPs that you purchase and you map them internally as needed.  You can have multiple internal IPs use the same external IPs through NAT which is the typical scenario for users connecting to the Internet.

>>can you get the external IP address of a webserver or everything in your DMZ internally with commands?

People will run port scanners to try and find holes in your firewall all the time, but as long as you have good access lists you will be fine. If someone does get through and connect to your DMZ server, they can find other info on your DMZ. But you should also have strong access lists in place to protect your LAN from your DMZ, so even if your DMZ gets hacked they can't get to your LAN.
mirtolCommented:
Yes, a DMZ would have its own subnet, for example:

DMZ could have a subnet of 192.168.1.0/24 (meaning 192.168.1.*** are all in the DMZ)

And your private network could be on 192.168.123.0/24 (meaning 192.168.123.*** are on the private network)

Again, Wikipedia's Subnetwork article: http://en.wikipedia.org/wiki/Subnetwork : for an in-depth answer to your query...
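The subnet arithmetic in the last few posts, as an added example that is not from the thread: it derives the subnet from an address plus mask (in either dotted or prefix form), counts usable hosts for any mask rather than only a /24, and lists which hosts in an address inventory share the known web server's subnet. The inventory and its addresses are constructed for illustration, and the function names (`subnet_of`, `usable_hosts`, `possible_neighbours`, `same_subnet_hosts`) are my own.

```python
"""Subnet arithmetic for placing the DMZ and private network on a diagram.

Added example, not from the thread.  The inventory below is constructed:
it stands in for whatever address documentation an organisation keeps.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed inventory of hostnames and addresses.
INVENTORY = {
    "www1": "192.168.1.5",
    "mail1": "192.168.1.6",
    "dc1": "192.168.123.10",
    "fileserver": "192.168.123.50",
    "www-public": "203.0.113.10",
}

def subnet_of(addr_and_mask: str) -> str:
    """'192.168.1.5/255.255.255.0' or '192.168.1.5/24' -> '192.168.1.0/24'."""
    return str(ip_interface(addr_and_mask).network)

def usable_hosts(cidr: str) -> int:
    """Usable host addresses in a subnet.

    The network and broadcast addresses are excluded, except on /31
    (RFC 3021 point-to-point links) and /32 (a single host), where every
    address is usable.
    """
    net = ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2

def possible_neighbours(addr_and_mask: str) -> int:
    """How many other hosts could exist beside this one in its subnet
    (the '253 other machines' figure for a /24)."""
    return usable_hosts(subnet_of(addr_and_mask)) - 1

def same_subnet_hosts(addr_and_mask: str, inventory=INVENTORY) -> list:
    """Inventory hosts that share this address's subnet, i.e. the candidates
    for 'other machines in the DMZ'.  Sharing the subnet says nothing about
    reachability: the firewall decides that, and an address in the range may
    have nothing behind it."""
    net = ip_interface(addr_and_mask).network
    return sorted(name for name, ip in inventory.items() if ip_address(ip) in net)

if __name__ == "__main__":
    web = "192.168.1.5/255.255.255.0"
    print("web server subnet:", subnet_of(web))
    print("usable hosts:", usable_hosts(subnet_of(web)))
    print("possible neighbours:", possible_neighbours(web))
    print("inventory hosts in the same subnet:", same_subnet_hosts(web))
    for cidr in ("10.0.0.0/26", "10.0.0.0/31", "10.0.0.0/32"):
        print(cidr, "usable:", usable_hosts(cidr))
```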
pma111Author Commented:
Cheers!
qbakiesCommented:
Again, subnetting can be very overwhelming if you aren't familiar with it so if you have more questions about it post them separately and you'll get more help than you probably need.
pma111Author Commented:
>>people will run port scanners to try and find holes in your firewall all the time

What would be classed as a hole, and is it obvious to the hacker/bad guy that they've found a hole in the perimeter firewall? Are holes rare in decent IT shops or pretty common?
qbakiesCommented:
A hole is any port that you have open.  In order to try and keep out those unwanted people make sure your access lists are as specific as possible for what IPs are allowed to access, what IPs are being accessed, and what traffic is allowed to be passed.
mirtolCommented:
A hacker will scan your firewall to find which ports are open.

"Holes" in the firewall, if the firewall is doing its job, should only be on ports which you have opened to allow access to a service.

A port scanner can find which ports you have opened, and then a hacker can connect to those ports to find out what services you are making available.

So, for example, they could scan your IP address, find ports 80 and 110 open (the standard HTTP and POP3 ports) and deduce you are running a webserver and a POP3 email server.

Access to those services is then regulated by the machine on which they reside.

So, for POP3, the mail server software you are using.

Anyway, you should just read up on this stuff - it's all readily available information on the net. I begin to suspect you are writing a homework piece...
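A minimal version of the scan described above, as an added example that is not from the thread: a TCP connect scan that reports open ports and guesses the service from the well-known port number. The `scan` function takes a probe callable so the logic can be exercised without any network; the default probe makes a real connection, which the demo uses against throwaway listeners on 127.0.0.1. The service table and the function names (`tcp_probe`, `scan`, `deduce_services`) are my own, and the service guess is only a guess until you connect and read what the daemon actually says. Scan only hosts you own or are authorised to test.

```python
"""Minimal TCP connect scanner with service deduction from well-known ports.

Added example, not from the thread.  KNOWN_SERVICES is a constructed table
of IANA well-known assignments: an open port 80 is usually HTTP, but only a
connection to the service confirms it.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

KNOWN_SERVICES = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 110: "pop3",
                  143: "imap", 443: "https", 3389: "rdp"}

def tcp_probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake to host:port completes (the port is open)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:        # refused, filtered (timeout) or unreachable
            return False

def scan(host: str, ports, probe=tcp_probe, workers: int = 32) -> list:
    """Sorted list of open ports among `ports`, probed concurrently."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)

def deduce_services(open_ports) -> dict:
    """Map each open port to the service usually found there."""
    return {p: KNOWN_SERVICES.get(p, "unknown") for p in open_ports}

if __name__ == "__main__":
    # Demo against two throwaway listeners on loopback; the kernel picks the
    # ports, so they will show as 'unknown' in the service guess.
    listeners = []
    for _ in range(2):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))
        s.listen(5)
        listeners.append(s)
    listening = {s.getsockname()[1] for s in listeners}
    targets = sorted(listening | {9, 13, 37})     # a few ports expected closed
    open_ports = scan("127.0.0.1", targets)
    print("open:", open_ports, deduce_services(open_ports))
    for s in listeners:
        s.close()
```

A connect scan completes the three-way handshake, so it appears in the target's logs and in the firewall's accept or drop log; closed ports on the firewall show up there as dropped attempts, which is how a defender sees the scan coming.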
pma111Author Commented:
Well off the mark with the homework question, or I'd be one of the oldest students going.