Solved

Tunneling in DMZ or behind firewall

Posted on 2014-03-31
4
469 Views
Last Modified: 2014-04-01
Is there a good reason to provide tunneling within the DMZ vs. behind the firewall?

In one scenario, you would wrap and unwrap packets within the DMZ (probably from a proxy), and in another scenario you would do it at the application level behind the firewall.

Which would be more secure?

njd
Question by:Anthony Lucia
4 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 39969006
It depends on how you're measuring security. In a sense encapsulating / tunnelling between two end-points is the most secure. That could well be handled at application level. Whether it's actually more secure or not is a matter of trust and how you're tunnelling. That is:

Do you trust the network (and all services) between two end-points? Are sufficient security controls in place to protect information in transit?
Do you really need to tunnel? This is where we'd consider encapsulating an entire IP packet.
Is payload encryption (such as SSL) sufficient? Or does the content of the IP header need to be encrypted as well?

While it's implied in your question, tunnelling does not necessarily mean you're encrypting. Tunnelling on its own may simply be used as a means to carry one protocol across another.

GRE (Generic Router Encapsulation) tunnelling is a good example of this: it doesn't encrypt the original payload, it simply wraps it up so you can get it from A to B without the path between needing to know about the thing you're attempting to transmit.

A number of technologies are available to both encapsulate and encrypt data in transport. A couple of popular examples include:

IPSEC VPN tunnels - Both L2L (LAN to LAN) and client to LAN.
SSH tunnels - Uses public / private key cryptography to encrypt everything inside the SSH tunnel.

There are, of course, many other protocols which can be used to tunnel (both with and without encryption). Suitability depends on your goals and the reason for your question in the first place.

Chris
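Chris's point that GRE wraps a packet without encrypting it, shown as an added example (this is my illustration, not code from the thread or from any product mentioned in it): the script below builds an inner IPv4 packet, encapsulates it in a minimal RFC 2784 GRE header inside an outer IPv4 packet, and then parses the result the way a firewall or IPS sitting between the two tunnel endpoints would. The inner addresses, the HTTP fragment and the outer addresses (RFC 5737 documentation ranges) are all constructed sample values; the checksum and header layouts are the standard IPv4 and GRE formats.

```python
import ipaddress
import struct

IPPROTO_GRE = 47          # outer IP header protocol number for GRE (RFC 2784)
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type (EtherType) for an encapsulated IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """Standard ones-complement checksum over an IPv4 header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def gre_encapsulate(inner: bytes, proto: int = GRE_PROTO_IPV4) -> bytes:
    """4-byte GRE header (no C/K/S flags, version 0); the inner packet is carried verbatim."""
    return struct.pack("!HH", 0x0000, proto) + inner


def gre_decapsulate(gre: bytes):
    """Return (protocol type, inner packet), skipping the optional fields if their flags are set."""
    flags_ver, proto = struct.unpack("!HH", gre[:4])
    offset = 4
    if flags_ver & 0x8000:  # C bit: checksum + reserved1 present
        offset += 4
    if flags_ver & 0x2000:  # K bit: key present
        offset += 4
    if flags_ver & 0x1000:  # S bit: sequence number present
        offset += 4
    return proto, gre[offset:]


def tunnel_packet(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Outer IPv4 packet (protocol 47) carrying the GRE-wrapped inner packet."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre_encapsulate(inner))


def inspect_on_path(packet: bytes) -> dict:
    """What a device on the path between the tunnel endpoints can read from a GRE packet."""
    outer = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if outer[6] != IPPROTO_GRE:
        return {"tunnel": False}
    outer_ihl = (outer[0] & 0x0F) * 4
    proto, inner = gre_decapsulate(packet[outer_ihl:])
    if proto != GRE_PROTO_IPV4:
        return {"tunnel": True, "inner_proto": proto}
    fields = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    inner_ihl = (fields[0] & 0x0F) * 4
    return {
        "tunnel": True,
        "outer_src": str(ipaddress.IPv4Address(outer[8])),
        "outer_dst": str(ipaddress.IPv4Address(outer[9])),
        "inner_src": str(ipaddress.IPv4Address(fields[8])),
        "inner_dst": str(ipaddress.IPv4Address(fields[9])),
        "inner_l4_proto": fields[6],
        "inner_payload": inner[inner_ihl:],
    }


if __name__ == "__main__":
    # Constructed sample: a private-to-private HTTP request carried across public addresses.
    inner_pkt = build_ipv4("10.1.1.5", "10.2.2.9", 6, b"GET / HTTP/1.1\r\n")
    on_wire = tunnel_packet("203.0.113.1", "198.51.100.1", inner_pkt)
    print(inspect_on_path(on_wire))
```

The takeaway for the DMZ-versus-behind-the-firewall question: with plain GRE, an inspection point anywhere on the path can still see the inner addresses, the transport protocol and the application payload, so placing the tunnel endpoint in the DMZ costs nothing in visibility. Only once the tunnel is also encrypted (IPsec ESP, SSH) does the endpoint's position decide who is able to inspect the payload.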
 
LVL 63

Expert Comment

by:btan
ID: 39969012
This brings it back to the principle of detecting any malicious content in the traffic at the earliest point. I was thinking of probably 3 main use cases.

Case 1 - If we are talking about a traditional FW, IP and port are at most what it can check based on rules, so tunneling of the content will make no difference. Traffic such as SSL will pass in and even bypass the IPS or web application FW unless termination or interception is configured. We should at best do it at the earliest point, as another layer before reaching the server end.

Case 2 - If we are talking about an NG FW or UTM, content inspection is one area they can inspect further, including at the application level. Tunneling such as VPN and SSL in common should be terminated or intercepted at this end to inspect before granting the traffic further inwards.

Case 3 - If tunneling is allowed through to the server, it is left to HIPS on the server to (hopefully) detect the incoming threats, if any. This should be the last line of defence assuming the threat is real, and I do not advocate always relying on that defence; layering is a better deterrence scheme instead. Having said that, there is still the possibility that (1) and (2) can somehow be bypassed/evaded, but we leave that to circumstances such as patch/signature delays, insiders, misconfiguration and zero-day threats instead of intended tunneling.

Note that the above assumes inbound traffic; we should not ignore outbound too, esp. if there is a reverse tunneling type or reverse shell type (where the connection is initiated from internal to make it legit and pass the ruleset). Inspection should likewise cater for that. The key is that for all tunneling, if there are anomalous tunnel protocol establishment attempts, it should sound the alert aloud (and, secure by default, deny that).
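btan's closing point, that anomalous tunnel establishment attempts in either direction should raise an alert and be denied by default, as an added example (my own illustration, not code from the thread or from any firewall product): the script scans constructed firewall log lines for the protocol-level signals a traditional firewall can see without decrypting anything (GRE, ESP and AH protocol numbers; IKE on UDP 500/4500; SSH on TCP 22), lets through only the pairs on an approved-peer list, and flags everything else, marking an internal host initiating SSH outward as consistent with a reverse tunnel. The log format, the approved-peer list, the address ranges (RFC 5737 documentation space plus 10.0.0.0/8 for the internal side) and the sample lines are all assumptions made for the example.

```python
import ipaddress
import re

# IANA protocol numbers and well-known ports that signal tunnel establishment.
# These are visible to an IP/port firewall even when the tunnel itself is encrypted.
TUNNEL_SIGNALS = {
    ("gre", None): "GRE tunnel",
    ("esp", None): "IPsec ESP",
    ("ah", None): "IPsec AH",
    ("udp", 500): "IKE (IPsec key exchange)",
    ("udp", 4500): "IKE NAT-T",
    ("tcp", 22): "SSH session (possible SSH tunnel)",
}

# Constructed policy: (src, dst) pairs allowed to establish tunnels, e.g. the L2L
# VPN peer and the admin jump host to the bastion. Everything else is denied by default.
APPROVED_TUNNEL_PEERS = {
    ("203.0.113.10", "192.0.2.5"),   # partner VPN gateway -> our IPsec concentrator
    ("192.0.2.5", "203.0.113.10"),
    ("10.0.9.2", "192.0.2.20"),      # admin jump host -> DMZ SSH bastion
}

# Constructed: 10.0.0.0/8 is the inside, 192.0.2.0/24 is our DMZ; anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed log format for the example (not a real vendor format).
LOG_RE = re.compile(
    r"(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)(?:\s+dport=(?P<dport>\d+))?"
)

SAMPLE_LOG = [
    "2014-03-31T10:00:01 action=ALLOW src=203.0.113.10 dst=192.0.2.5 proto=esp",
    "2014-03-31T10:00:04 action=ALLOW src=198.51.100.9 dst=192.0.2.5 proto=udp dport=4500",
    "2014-03-31T10:00:07 action=ALLOW src=198.51.100.44 dst=192.0.2.20 proto=tcp dport=443",
    "2014-03-31T10:00:09 action=ALLOW src=10.0.5.12 dst=198.51.100.7 proto=gre",
    "2014-03-31T10:00:12 action=ALLOW src=10.0.5.12 dst=198.51.100.7 proto=tcp dport=22",
    "2014-03-31T10:00:15 action=ALLOW src=10.0.9.2 dst=192.0.2.20 proto=tcp dport=22",
]


def parse_log_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def is_internal(addr: str, internal_nets=INTERNAL_NETS) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in internal_nets)


def classify(ev, approved=APPROVED_TUNNEL_PEERS, internal_nets=INTERNAL_NETS):
    """Return an alert dict for an unapproved tunnel-establishment attempt, else None."""
    if ev["proto"] in ("gre", "esp", "ah"):
        key = (ev["proto"], None)
    else:
        key = (ev["proto"], ev["dport"])
    label = TUNNEL_SIGNALS.get(key)
    if label is None or (ev["src"], ev["dst"]) in approved:
        return None
    outbound = is_internal(ev["src"], internal_nets) and not is_internal(ev["dst"], internal_nets)
    if outbound and key == ("tcp", 22):
        label += "; internal host initiating SSH outward, consistent with a reverse tunnel"
    return {
        "ts": ev["ts"],
        "src": ev["src"],
        "dst": ev["dst"],
        "direction": "outbound" if outbound else "inbound",
        "signal": label,
        "recommended": "deny",   # secure by default: unapproved tunnel peers are denied
    }


def scan(lines):
    """Run every parseable line through classify() and collect the alerts."""
    alerts = []
    for line in lines:
        ev = parse_log_line(line)
        if ev is None:
            continue
        alert = classify(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the sample, three of the six lines are flagged: the inbound IKE NAT-T attempt from an unknown peer, the outbound GRE from a DMZ host, and that same host opening SSH outward; the approved ESP peer, the ordinary HTTPS request and the jump-host SSH session pass. The allowlist is the part that needs real care in practice: it is what turns "alert on every tunnel" into something an operator can actually act on.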
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 250 total points
ID: 39969024
Agreed, tunnelling (with encryption) between endpoints tends to act against a defence-in-depth model. The two end-points may (potentially) be the only entities able to consider the actual payload unless you decrypt / re-encrypt somewhere else in the network path.

It's very subjective which is why I start with "it depends" :)

Chris
 
LVL 63

Accepted Solution

by:btan
btan earned 250 total points
ID: 39969062
On the same page. Back to the business call, as they are the paying owner and it is their risk appetite. This can be a "big" concern if the device or checks are via a cloud service host provider - some will not want to "decrypt" for their inspection, but who knows, they will already have the means to "see" what they are not supposed to see :)