firewalls - Public DMZ network architecture - Information Security Stack Exchange

Public DMZ network architecture

Years ago, when I was a student, a network security professor taught me in a class what a DMZ is. The architecture he used in his slides was similar to this one:

Now that I am employed, my boss, a security engineer with 10+ years of experience, has a different point of view. For him, a DMZ should not be placed in a "sandwich" between the LAN and the internet. Instead, it should be like the one illustrated below:

When searching with Google for network architectures with a DMZ, I found different representations and got even more confused. So my question is: how should a DMZ be placed in a highly secure network architecture? Is the first representation OK from a security point of view?

Tags: network, firewalls, routing

edited Apr 19 '12 at 22:04 by AviD

asked Apr 7 '12 at 15:44 by lisa17

One of the reasons it is confusing is because of the change in the architecture of firewalls over the past 15 years, and because in the top diagram it's not clear if the connection to the internal firewall flows through the DMZ machine or not. Modern firewalls can logically implement both the internal and external firewall pictured in the top diagram, so there's the question of physical vs logical. Also, in general, the DMZ machine should not be able to initiate connections into the LAN, so the top diagram should show 2 lines from the external firewall, 1 to the DMZ and 1 to the internal. – Major Major Apr 22 '12 at 17:34

csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf [Section 8] shows how we can further enhance overall security for the web servers. – gsivaram Aug 21 '14 at 21:51

12 Answers

The two are functionally equivalent - the DMZ is effectively in a sandwich, as it has to have connections from the outside world firewalled, but also have firewalls restricting access from it to the internal network. While the latter diagram is often what happens (for cost reasons - you need fewer firewalls), the first one is considered safer as you can use two different makes of firewall, which helps avoid an attack on the firewall breaching both of them. Where you use one firewall, you use sets of rules for each direction and each connection - and functionally this is the same as the sets of rules in the second example. This is just a slight improvement in security, as generally you don't attack the firewalls - you use the open ports to go straight through and attack the webserver, mailserver, or even pass straight through to attack the database, but layers of security all help.

answered Apr 7 '12 at 16:31 by Rory Alsop

Spot on. Note also that many firewall configuration "wizards" usually offer both of these as templates to set up... Also take into account that routing between the zones may be an issue, and can be trickier to implement and enforce one way than the other. – AviD Apr 19 '12 at 22:07

Yes, but as red team it is always fun to attack the core security system and have total pwnage that way ;) – ewanm89 Apr 19 '12 at 22:25

I disagree that the two are functionally equivalent. In the bottom diagram, all you need to do is compromise the firewall to get full access to the internal LAN. As pointed out by others, this is not so hard to do in many cases because of a mistake in the firewall configuration. In the top diagram, you have to get through 2 firewalls to get to the internal systems. The second firewall can generally have a much more closed configuration, and thus be harder to misconfigure or compromise. – Major Major Apr 22 '12 at 17:22
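The following is an added example written for this page, not code from any of the answers: a small zone-policy model that encodes one three-legged firewall and the equivalent external/internal "sandwich", then checks Rory's claim that both carry the same rule sets and Major Major's point that the sandwich's internal firewall still denies a flow that an over-broad rule on the Internet-facing box would let through. Zone names, ports and rules are assumptions.

```python
# Zone-policy model of the two layouts: one three-legged firewall versus an
# external/internal firewall sandwich. Zones, ports and rules are assumed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str    # originating zone: "internet", "dmz" or "lan"
    dst: str    # destination zone
    port: int   # destination TCP port

# (src_zone, dst_zone, dst_port or None for any port, action)
Rule = Tuple[str, str, Optional[int], str]

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation with the implicit final deny every firewall has."""
    for src, dst, port, action in rules:
        if src == flow.src and dst == flow.dst and port in (None, flow.port):
            return action
    return "deny"

# Layout 2 (three-legged): every zone pair is policed by the same box.
THREE_LEGGED: List[Rule] = [
    ("internet", "dmz", 443, "allow"),   # public HTTPS to the DMZ web tier
    ("lan", "dmz", None, "allow"),       # LAN users and admins may reach the DMZ
    ("lan", "internet", None, "allow"),  # outbound browsing
    ("dmz", "lan", 5432, "allow"),       # DMZ may initiate to the LAN DB only
]

# Layout 1 (sandwich): internet -- EXTERNAL_FW -- dmz -- INTERNAL_FW -- lan.
# A flow crosses the external box when the Internet is an endpoint and the
# internal box when the LAN is one, so each box carries only its share.
EXTERNAL_FW: List[Rule] = [
    ("internet", "dmz", 443, "allow"),
    ("lan", "internet", None, "allow"),
]
INTERNAL_FW: List[Rule] = [
    ("lan", "dmz", None, "allow"),
    ("lan", "internet", None, "allow"),
    ("dmz", "lan", 5432, "allow"),
]

def sandwich(flow: Flow, external=EXTERNAL_FW, internal=INTERNAL_FW) -> str:
    """A flow is allowed only if every firewall on its path allows it."""
    path = []
    if "internet" in (flow.src, flow.dst):
        path.append(external)
    if "lan" in (flow.src, flow.dst):
        path.append(internal)
    return "allow" if all(evaluate(fw, flow) == "allow" for fw in path) else "deny"

# Constructed sample flows covering every zone pair in both directions.
FLOWS = [Flow("internet", "dmz", 443), Flow("internet", "dmz", 22),
         Flow("internet", "lan", 445), Flow("dmz", "lan", 5432),
         Flow("dmz", "lan", 22), Flow("lan", "dmz", 22),
         Flow("lan", "internet", 80), Flow("dmz", "internet", 80)]

def policies_agree() -> bool:
    """Both layouts give the same verdict for every sample flow."""
    return all(evaluate(THREE_LEGGED, f) == sandwich(f) for f in FLOWS)

def sloppy_rule_outcome() -> Tuple[str, str]:
    """The same over-broad permit on the Internet-facing box exposes the LAN
    in the three-legged layout; the sandwich's internal firewall still denies."""
    sloppy: Rule = ("internet", "lan", None, "allow")  # the misconfiguration
    probe = Flow("internet", "lan", 445)
    return (evaluate([sloppy] + THREE_LEGGED, probe),
            sandwich(probe, external=[sloppy] + EXTERNAL_FW))
```

Note that the internal firewall's rule set is the smaller of the two, which is what lets it stay "more closed" than a single box that must hold every zone pair.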

How should a DMZ be placed in a highly secure network architecture?

The key is defense in depth between security domains. The extent of the deployed architecture will be dependent on the resources available, including financial limitations and technical capabilities.

Defense in depth: "Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. It is a layering tactic, to mitigate the consequence of a single security control failing." (Wikipedia)

Security domains: "A security domain is the determining factor in the classification of an enclave of servers/computers. A network with a different security domain is kept separate from other networks." (Wikipedia)

Implementation: For the purposes of determining controls between security domains you could define the internet as untrusted, the DMZ as semi-trusted, and internal networks as trusted. Therefore, you would employ multiple layers of security controls between the internet and your DMZ, which could include: L3 firewalls, IPS, AV, reverse-proxy/load-balancing, L7 filtering. From the DMZ host(s) back to your internal network, you would employ additional layers of: L3 firewalls, L7 filtering (e.g. RPC), IPS/AV. Least privilege access between security domains is also key to maximise the effectiveness of the security controls.

Is the first representation OK from a security point of view?

I would advise no, due to a lack of defence in depth. There is only a single access control between the Internet-DMZ, and DMZ-LAN. Typically a highly secure architecture would have vendor-separation, and layers of access controls (L3 FW, WAF, IPS, AV, etc).

edited Apr 17 '12 at 23:31

answered Apr 8 '12 at 0:58 by lew

There are absolutely no absolutes in security. From a training perspective, I'd say the first is more clear. It shows the concept that the outside world goes through these various layers and that it's easier to hit the DMZ, and presumably what's stationed there is lower risk. It's also better from a layered defense point of view, as pointed out in other answers very nicely. But it's less practical from a cost point of view. And I've seen many, many variants on the lower diagram, all segmenting networks for various reasons, trying to do more with less for various cost or other practical reasons. I don't honestly believe there is a "right way" or a "right diagram". Factors include:

- cost vs. risk tradeoff - multiple layers of firewalls with diverse vendors is definitely more secure; it's also more expensive. A must have for a high value/high risk operation. Overkill for a low value/low risk operation, as it's not only expensive to purchase but also to maintain, and you have to weigh the factor of humans maintaining these things, and the risk of gaps and misconfigurations. One well configured firewall is going to be better than two firewalls that are wide open because the person configuring them didn't know enough to do the job right!

- clarity - what does the network really look like? If there's just one firewall, please draw the diagram accordingly; don't leave people hunting for a second firewall. Unless you are talking about a logical layer and not a physical layer, in which case both "walls" may be on the same device.

The point of a diagram is to help humans do things... a diagram is "right" or "wrong" only in terms of its ability to fulfill this need. I'd say, if your boss is claiming that his drawing is the absolute "right way", he's out of his mind... there's plenty of public examples to counter that. If it's the clearest way to describe the thing you are working with, then he's right.

answered Apr 18 '12 at 16:24 by bethlakshmi

I'll repeat some things others have said, but here it goes. First of all, I'd think about how much security is desired, the cost to achieve it, and the problems that will arise if something fails and the communication is lost between the secure zone and the internet. Your scenario looks a bit more sophisticated, because there are more layers from the dark world until your secret data is reached. But it also adds more costs, and more points of failure exist. The second scenario is as secure as the firewall is. Getting the DMZ compromised won't make it easier to attack, since it has to go through the firewall, and the firewall is the pièce de résistance of the whole concept. And sorry, but if the question was only about "which one is correct: two firewalls or a single one?", I couldn't find any reference to decide it.

answered Apr 16 '12 at 20:48 by woliveirajr

I am not clear on what you mean by a "highly secure network architecture". You would need to consider in more detail what your security objectives, information security requirements and the threat landscape in which you are evolving are, in order to design and implement appropriate security controls. I will however try to answer your question at a high level. Yes, the first security architecture is OK from a security point of view in general. There are variations of this architecture (e.g. do you attach the DMZ to the external and/or internal firewalls and/or in-between) but I do not believe it is relevant to your question at this stage. My understanding is that this architecture used to be more popular at a time when firewalls had multiple known public vulnerabilities in their implementation that would permit bypass or even exploitation of the firewalls themselves, and in the absence of other mitigating controls. In using a different implementation for your external and internal firewalls, you are just applying the principle of natural selection to your architecture and it is generally a good thing: if one implementation is vulnerable to a specific attack, the same attack may not work on a different implementation if their respective traits are dissimilar enough. You are hopefully removing a single point of failure (from an implementation perspective) of the "firewall security function". Of course, depending on your information availability requirements, you may need to consider clustering your external and internal firewalls among other things. The second architecture is also valid from a security perspective and I believe it is now more popular than the first one (cost helping). You have a potential single point of failure of the firewall security function. However, most organisations would have (hopefully) realised by now that you cannot rely on your firewall only to provide security services. Routers/switches/host firewalls/etc. can all contribute to the security posture of an organisation, thus mitigating some or all of the damage caused by a compromise of a (single) firewall implementation. It also appears that firewalls are a bit more solid nowadays and that attacks have shifted to higher but softer OSI layers, e.g. applications. I would consider the second architecture for most deployments. I may consider the first architecture in some specific circumstances including but not limited to security objectives and requirements, potential attackers' motivations and, more importantly, resources.

answered Apr 17 '12 at 16:09 by obscure
The risk is by far much worse in the first diagram. Take a step back and read about military DMZs: they are basically places you put things you don't care about protecting. It's bad terminology to begin with and an outdated idea in IT. Now let's say you have a much larger environment with different security levels; you can't throw all the data in one zone (much less allow your malware-infected LAN traffic to pilfer through it). You'll need multiple security zones (multiple DMZs if you're attached to that term; I call them secure segments). How would you add, say, 20 different security zones to each of the diagrams above? Continue adding them in series according to their security level? Or add them in parallel as needed? The reason most modern firewalls have multiple interfaces (some large ones have up to 100 interfaces) is because we add secure subnets in parallel. In a high security environment you might have separate security zones for web servers vs. DNS servers vs. mail servers, etc. That way if your web servers get owned the attacker has gained no additional ground toward compromising your mail server or anything else. Likewise, if you're a service provider hosting a dozen colocated clients you can put each one behind a different interface so they can't attack each other (or spread worms) any differently from attacking via the Internet. Browse around at some of the large vendors' websites (Cisco & Juniper) and look at the documentation around their larger firewalls and how many interfaces they support. You will still want internal firewalls and Web Application Firewalls (WAFs) like Imperva (or mod_security proxies) but even these internal areas will need to be segmented and compartmentalized. The old sandwich diagram (70's - 80's IT architecture) is a major FAIL security-wise and needs to go away.

answered Apr 18 '12 at 3:28 by Trey Blalock

No way is the first diagram with two firewalls much worse than the second diagram with only one. You even said yourself "you will still want internal firewalls." Best practice is you take your modern firewall with secure subnets in parallel and you still put another firewall between it and systems that should not be accessible from outside the LAN. – Major Major Apr 22 '12 at 17:30

Yes, in addition to the previous answer I might add an IPS for blocking attacks that the firewall would not catch, since those attacks would be targeting the open ports.

answered Apr 8 '12 at 0:12 by Justin Andrusk

Your boss is right. The first representation has many problems or weaknesses.

1. HA (high availability): you will need 4 FW (2 external and 2 internal) = $$$
2. Management: 'considered safer as you can use two different makes of firewall' ... a lot of management overhead (updates, rules, logging, licensing). If you cannot trust your FW and you need another one from a different manufacturer, you have a problem!!!
3. IP: this design can be a nightmare with NATting, routing, etc.
4. Risk: in this design, a compromised DMZ host is in a nice place for sniffing and man-in-the-middle attacks against users in the LAN zone.

In real life, the second design is safer and simpler than the first one.

1. HA (high availability): you just need another FW.
2. Management: just one box to manage.
3. IP: single point to manage the traffic for routing or NATing.
4. Risk: if a host in the DMZ is compromised, this threat is contained in the DMZ.

answered Apr 12 '12 at 1:01 by L_g__n

Unfortunately in practice, in high sensitivity environments (think banking etc) the first design is much simpler - your points aren't necessarily correct. For 1 - you just buy another 2 firewalls; 2 - two management systems is not a problem; 3 - not relevant as you usually have multiple load balancers, HA failovers, SSL endpoints etc; and 4 - the risk is lower for scenario 1: it is easier to contain the risk. – Rory Alsop Apr 16 '12 at 19:33

Take a look at this DMZ network architecture: ‘Design Zone for Security, Enterprise Internet Edge Design Guide’ on the Cisco website. You will see the 3 interfaces model (figure 3 of the Cisco paper) for the DMZ. This model has the key attributes to be expected in the DMZ design: • Service availability and resiliency; • Regulatory compliance; • Security: prevent intrusions, data leakage and fraud, and ensure user confidentiality, data integrity. – L_g__n Apr 19 '12 at 1:24

Using firewalls from two different vendors is also an ‘old school design’. This Gartner paper ‘Q&A: Is It More Secure to Use Firewalls From Two Different Vendors?’ (Published: 4 November 2010) is very informative about this point. An excerpt from this paper: ‘More than 95% of firewall breaches are caused by firewall misconfigurations, not firewall flaws.’ … ‘Two firewall platforms are not better than one. We believe that there is a higher risk associated with configuring and managing firewalls from multiple vendors than from a single vendor.’ Regards – L_g__n Apr 19 '12 at 1:26

@tactika +1 for references – lisa17 Apr 20 '12 at 8:55

That Cisco paper, while quite thorough, is perhaps too sophisticated for this question, as it makes distinctions between local managed switches, routers, and firewalls. In the simplified diagrams of the OP, a firewall combines the features of all 3 devices. – Major Major Apr 22 '12 at 17:45

It depends upon the type of network architecture you're building. The first example is ideal for situations like hosting a large web app: you build up the security within your layers, so balancer tier, app tier, data tier, each firewalled off by different security measures, but working on their own trusted networks. The second example is exactly how it is described, with a LAN hanging off it. Also, this option is ideal for situations where you need to be able to shape traffic to ensure QoS. So to answer your question, both are valid and both have their own advantages; there is no one silver bullet.

answered Apr 16 '12 at 21:40 by Vincent

Most firewall engineers have mostly deployed the 2nd diagram model, since a set of firewalls is less expensive and easier to configure & manage. You may utilize each port on the firewall for physical connection to outside, inside and each DMZ, or use multi-context (much like VMs) to virtually segregate environments. We use the 2nd model in our smaller data centers and use the 1st model with multiple FWs at our enterprise data centers. Auditors love the 1st model for enterprise locations, as one mis-configured rule on the 2nd model can let an attacker who has taken control of your DMZ server perhaps gain control on the inside of your network. This is much harder on the 1st model, as an attacker must go through two sets of firewalls to get to the inside. A firewall admin may make a mistake, perhaps for testing, on one firewall but not on two (usually). We just deployed multiple firewalls last week, with firewalls on the Internet end connecting to multiple DMZs and load balancers... and inside firewalls connecting to the same DMZs / load balancers. Also the 2nd / inside firewall has multi-context on the inside, which provides firewalling between WAN, production and non-production environments... where production servers can access anything, but WAN can access production servers on www and https (etc.), or allow RDP access to admins to get to production and DEV/QA servers on the inside firewall.

answered Apr 19 '12 at 0:21 by Matt

The answer to the question of which of the two designs is "right" can only be based on the requirements placed upon the solution being designed. As such, both models have benefits and disadvantages, but it really comes down to TWO PRIMARY DIFFERING BUSINESS DRIVERS:

If the business is making requirements with statements like: "We need an Internet / DMZ security design that is ... *cost-effective, lowest cost, basic, simple design, simple to manage, cheap & dirty, adequate protection...* etc." Then the 3-LEGGED FW (example #2) will be the model you should be using as the basis for your design. And in a world where "SAVE $$$" and "Reduce Costs" are often the #1 drivers, it is the primary factor why the 3-LEGGED FW design is by far the most popular deployment, even for larger organizations.

If the business is making requirements with statements like: "We need an Internet / DMZ security design that is ... highly / extremely secured, provides the best internet protection regardless of cost, protection of our internal corporate systems is A MUST... etc." Then the FW-Sandwich / 2-Tier FW / Layered DMZ (example #1) model is the one you should be using as a base for your design. The reason is extremely simple... Layered DMZ security adds additional unique barriers to entry for the Internet hacker. If he gets through the first FW, he lands at the next layer, and the next, and then the backend Internal FW before he has finally got to the crown jewels of the corporate data. The 3-LEGGED FW model is 1 layer of protection whereby if a poorly / misconfigured FW is compromised, he has direct access into the internal network. BAD!

My past designs are more complex than a front and back FW. In an extremely highly secured ISP/DMZ design, I architected FW, IPS, front VIP network, DMZ VIP Load Balancers, Private Farm networks, then the back-end Internal Facing FWs. Each of these layers adds a unique additional barrier to entry for the hacker to get through. We also set strong design rules that state "one layer in the design must only talk to the next layer and not bypass that layer as a shortcut". This design is surely more costly, but for large scale enterprises whereby banking, financial, large databases of client information, etc MUST BE PROTECTED, it would be foolish to use a 3-Legged FW that makes it the single barrier between the hackers and these crown jewels.

edited Jun 26 '13 at 18:13

answered Jun 26 '13 at 18:04 by user27666
