
Thread: SolutionBase: Strengthen network defenses by using a DMZ

#1
Real name: 1234
Retired administrator
Join date: Jul 2009
Location: 5678
Posts: 5,634
Thanked: 2513
Thanks given: 272

    SolutionBase: Strengthen network defenses by using a DMZ

Code:
    http://articles.techrepublic.com.com/5100-22_11-5756029.html
Nations separate armies through the use of a DMZ, or demilitarized zone. You can separate your network and users from the threats faced on the Internet by deploying a DMZ as well. Here's what you need to know about how a DMZ works.

    The concept of the DMZ, like many other network security concepts, was borrowed from military terminology. Geopolitically, a demilitarized zone (DMZ) is an area that runs between two territories that are hostile to one another or two opposing forces' battle lines. The term was first widely used to refer to the strip of land that cuts across the Korean peninsula and separates the North from the South. In computer networking, the DMZ likewise provides a buffer zone that separates an internal network from the often hostile territory of the Internet. Sometimes it's called a "screened subnet" or a "perimeter network," but the purpose remains the same.
In this article, we'll look at how the DMZ works and different security architectures for building DMZs. In the second article of this two-part series, we'll talk about what computers should (and shouldn't) be placed in the DMZ and how to monitor DMZ activity.
    How the DMZ Works

    Unlike the geopolitical DMZ, a DMZ network is not a no-man's land that belongs to nobody. When you create a DMZ for your organization, it belongs to you and is under your control. However, it is an isolated network that's separate from your corporate LAN (the "internal" network). The DMZ uses IP addresses belonging to a different network ID.
    If you think of the internal network as the "trusted" network and the external public network (the Internet) as the "untrusted" network, you can think of the DMZ as a "semi-trusted" area. It's not as secured as the LAN, but because it is behind a firewall, neither is it as non-secure as the Internet. You can also think of the DMZ as a "liaison network" that can communicate with both the Internet and the LAN while sitting between the two, as illustrated by Figure A.
    Figure A
The DMZ sits between the "hostile" Internet and the internal corporate network.
What does this accomplish? You can place computers that need to communicate directly with the Internet (public servers) in the DMZ instead of on your internal network. They will be protected by the outer firewall, although they are still at risk simply because they have direct contact with Internet computers. Because the DMZ is only "semi-secure," it's easier to hack a computer in the DMZ than on the internal network. The good news is that if a DMZ computer does get hacked, it doesn't compromise the security of the internal network, because it's on a completely separate, isolated network.
    Why put any computers in this riskier network? Let's take an example: in order to do its job (make your Web site available to members of the public), your Web server has to be accessible to the Internet. But having a server on your network that's accessible from the Internet puts the entire network at risk. There are three ways to reduce that risk:

    • You could pay a hosting company to host your Web sites on their machines and network. However, this gives you less control over your Web servers.
    • You could host the public servers on the firewall computer. However, best security practices say the firewall computer should be dedicated solely to act as a firewall (this reduces the chances of the firewall being compromised), and practically speaking, this would impair the firewall's performance. Besides, if you have a firewall appliance running a proprietary OS, you won't be able to install other services on it.
    • The third solution is to put the public Web servers on a separate, isolated network: the DMZ.

    Creating a DMZ Infrastructure

    The DMZ is created by two basic components: IP addresses and firewalls. Remember that two important characteristics of the DMZ are:

    1. It has a different network ID from the internal network
    2. It is separated from both the Internet and the internal network by a firewall

    IP Addressing Scheme

    A DMZ can use either public or private IP addresses, depending on its architecture and firewall configuration. If you use public addresses, you'll usually need to subnet the IP address block that you have assigned to you by your ISP, so that you have two separate network IDs. One of the network IDs will be used for the external interface of your firewall and the other will be used for the DMZ network.
    When you subnet your IP address block, you must configure your router to know how to get to the DMZ subnet.
    You can create a DMZ within the same network ID that you use for your internal network, by using Virtual LAN (VLAN) tagging. This is a method of partitioning traffic that shares a common switch, by creating virtual local area networks as described in IEEE standard 802.1q. This specification creates a standard way of tagging Ethernet frames with information about VLAN membership.
    If you use private IP addresses for the DMZ, you'll need a Network Address Translation (NAT) device to translate the private addresses to a public address at the Internet edge. Some firewalls provide address translation.
    Whether to choose a NAT relationship or a routed relationship between the Internet and the DMZ depends on the applications you need to support, as some applications don't work well with NAT.
    DMZ Firewalls

    When we say that a firewall must separate the DMZ from both the internal LAN and the Internet, that doesn't necessarily mean you have to buy two firewalls. If you have a "three legged firewall" (one with at least three network interfaces), the same firewall can serve both functions. On the other hand, there are reasons you might want to use two separate firewalls (a front end and a back end firewall) to create the DMZ.
Figure A above illustrates a DMZ that uses two firewalls, called a back-to-back DMZ. An advantage of this configuration is that you can put a fast packet filtering firewall/router at the front end (the Internet edge) to increase performance of your public servers, and place a slower application layer filtering (ALF) firewall at the back end (next to the corporate LAN) to provide more protection to the internal network without negatively impacting performance for your public servers. Each firewall in this configuration has two interfaces. The front-end firewall has an external interface to the Internet and an internal interface to the DMZ, whereas the back-end firewall has an external interface to the DMZ and an internal interface to the corporate LAN.
    When you use a single firewall to create a DMZ, it's called a trihomed DMZ. That's because the firewall computer or appliance has interfaces to three separate networks:

    1. The internal interface to the trusted network (the internal LAN)
    2. The external interface to the untrusted network (the public Internet)
    3. The interface to the semi-trusted network (the DMZ)

    The trihomed DMZ looks like Figure B.
    Figure B
A trihomed DMZ uses a "three legged" firewall to create separate networks.
Even if you use a single trihomed firewall to protect both the DMZ and the internal network, you should be able to configure separate rules for evaluating traffic depending on its origin and destination. That is, there should be separate rules for:

    • Incoming traffic from the Internet to the DMZ
    • Incoming traffic from the DMZ to the internal LAN
    • Incoming traffic from the Internet to the internal network
    • Outgoing traffic from the internal network to the DMZ
    • Outgoing traffic from the internal network to the Internet
    • Outgoing traffic from the DMZ to the Internet

    The DMZ actually reduces the complexity of filtering traffic, because you can have one rule for all the computers in the DMZ. If you were hosting the public servers on the internal network, you would need to configure different rules for each hosting server, and you would have to "publish" each server to allow it to be accessed from the Internet.
    You'll probably want to block traffic from the Internet to the internal computers. You should also restrict traffic from the DMZ to the internal network, as well as traffic from the Internet to the DMZ. Allow only the traffic that is necessary for your users to access the resources they need. This means using the "principle of least privilege" in that your default is to start by denying all traffic and then allowing protocols and opening ports on a "need to know" basis.
    Vendor Support for DMZs

    Major hardware and software vendors support the DMZ concept in their products. Cisco routers have multiple LAN ports, one of which is designated as a DMZ port, and the IOS operating system uses Port Address Translation (PAT) to allow traffic to be routed to multiple servers with a single IP address destination. As the name implies, it uses port numbers (such as 80 for the Web server and 25 for the mail server) to distinguish between the multiple servers. This allows you to have multiple public servers without paying for multiple public IP addresses.
    Many firewall appliances, such as the SonicWall, come with three Ethernet ports: a LAN port (to connect to the internal network), a WAN port (to connect to the Internet) and a DMZ port (to connect to the network housing your public servers).
    Microsoft's ISA Server 2004's multi-networking feature allows you to connect the ISA Server firewall to as many networks as you wish, limited only by the number of network interface cards you can install in the machine. No network is automatically "trusted" in the new ISA model, so you configure security according to the needs of the particular network.
    Common DMZ Security Architectures

    A DMZ is considered by many to be a "wide open" network, much like the geopolitical DMZ where you risk being shot anytime you set foot inside it. However, all DMZs are not created equal when it comes to the security architecture. Even when you place computers in the DMZ, there are still ways to protect them. The level of security within the DMZ also depends on the nature of the servers that are placed there. We can divide DMZs into two security categories:

    1. DMZs designed for unauthenticated or anonymous access
    2. DMZs designed for authenticated access

    If you have a Web server that you want everybody on the Internet to be able to access, (such as a Web presence advertising your company), you'll have to allow anonymous access. You can't easily provide authentication credentials to every stranger who happens upon your site. However, if your Internet-facing servers on the DMZ are used by partners, customers, or employees working off-site, you can require authentication to access them. This makes it more difficult for a hacker to gain access.
    The DMZ Honeynet

There is a special use for the anonymous DMZ that's becoming more popular: creating a "honeynet." This is a network that consists of one or more "honeypot" computers that are designed to lure hackers, either so they can be caught or tracked, or to divert them from the network's real resources. Unlike with other DMZs, you actually want this network to be compromised.
    Often the computers on the honeynet are virtual machines that are all installed on a single physical machine, and intrusion detection systems and other monitoring systems are put in place to gather information about the hackers' techniques, tactics and identities.
    Host Security on the DMZ

    Because the DMZ is a less secure network than the internal network, host security is even more important for the computers that are "out there." The servers on your DMZ should be hardened as much as possible (while maintaining their accessibility to those who need to access them). This means:

    • All unnecessary services should be disabled.
    • Necessary services should be run with the lowest privileges possible.
    • Strong passwords or passphrases should be used.
    • Unnecessary user accounts should be deleted or disabled and default accounts should be disguised by renaming, changing the description, etc.
    • Systems should have the latest security updates and patches applied.
    • Security logging should be enabled (and you should check the logs frequently!)

    The Evolution of the DMZ

    The definition of "DMZ" is becoming broader, as more uses are found for these "semi-trusted" networks. Today's networks are complex, and security specialists are beginning to realize that the concept of the network "edge" or "perimeter" is outdated; an enterprise network has multiple perimeters. Thus, DMZs may be appropriate at places other than at the edge of the Internet, and large networks can benefit from having multiple DMZs.
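The six traffic directions and the default-deny stance described in the first article, together with the PAT scheme mentioned under vendor support, can be modelled as a small zone-based policy engine. The block below is an added example written for this page; it is not code from the article or from any firewall vendor. The LAN and DMZ ranges, the firewall's public address (an RFC 5737 documentation address), the PAT table and the per-direction port sets are all constructed assumptions chosen to illustrate the design, not a recommended rule base.

```python
"""Zone-based, default-deny policy for a trihomed DMZ firewall with PAT.

Added example for this page, not the article's own code. Every address,
port and server below is a constructed assumption for illustration.
"""
import ipaddress
from dataclasses import dataclass

INTERNET, DMZ, LAN = "internet", "dmz", "lan"

# Assumed addressing: private LAN and private DMZ behind one three-legged firewall.
ZONES = {
    LAN: ipaddress.ip_network("10.0.0.0/24"),
    DMZ: ipaddress.ip_network("192.168.100.0/24"),
}
# RFC 5737 documentation address standing in for the firewall's public interface.
FIREWALL_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")

# Port Address Translation: one public IP, the destination port picks the DMZ host.
PAT_TABLE = {
    80: (ipaddress.ip_address("192.168.100.10"), 80),  # public web server
    25: (ipaddress.ip_address("192.168.100.20"), 25),  # SMTP gateway
}

# One port set per (source zone, destination zone). A pair or port that is not
# listed is dropped: the "deny by default, open on a need-to-know basis" rule.
POLICY = {
    (INTERNET, DMZ): {80, 25},   # public services only
    (DMZ, LAN): {25},            # SMTP gateway hands mail to the internal mail server
    (INTERNET, LAN): set(),      # never
    (LAN, DMZ): {22, 80, 25},    # admin SSH plus the services themselves
    (LAN, INTERNET): {80, 443},  # browsing
    (DMZ, INTERNET): {53, 25},   # outbound DNS lookups and mail delivery
}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def packet(src: str, dst: str, dport: int) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def zone_of(addr: ipaddress.IPv4Address) -> str:
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET  # anything that is not ours is the untrusted side


def translate(pkt: Packet) -> Packet:
    """Destination PAT at the Internet edge, applied before the policy lookup."""
    if pkt.dst == FIREWALL_PUBLIC_IP and pkt.dport in PAT_TABLE:
        new_dst, new_port = PAT_TABLE[pkt.dport]
        return Packet(pkt.src, new_dst, new_port)
    return pkt


def evaluate(pkt: Packet) -> tuple:
    """Return (verdict, "src_zone->dst_zone") for a connection-opening packet."""
    pkt = translate(pkt)
    pair = (zone_of(pkt.src), zone_of(pkt.dst))
    verdict = "ACCEPT" if pkt.dport in POLICY.get(pair, set()) else "DROP"
    return verdict, f"{pair[0]}->{pair[1]}"


def audit_policy() -> list:
    """Sanity checks to run on the rule base before deploying it."""
    findings = []
    if POLICY.get((INTERNET, LAN)):
        findings.append("Internet->LAN allows traffic")
    for port, (host, _) in PAT_TABLE.items():
        if zone_of(host) != DMZ:
            findings.append(f"PAT for port {port} points outside the DMZ ({host})")
        if port not in POLICY[(INTERNET, DMZ)]:
            findings.append(f"PAT forwards port {port} but Internet->DMZ denies it")
    return findings


if __name__ == "__main__":
    for p in (packet("198.51.100.7", "203.0.113.10", 80),   # public web via PAT
              packet("198.51.100.7", "10.0.0.5", 445),      # Internet straight at the LAN
              packet("192.168.100.10", "10.0.0.25", 445),   # compromised DMZ host probing the LAN
              packet("192.168.100.20", "10.0.0.25", 25)):   # the one DMZ->LAN flow we need
        print(p.src, "->", p.dst, p.dport, evaluate(p))
    print("audit:", audit_policy() or "clean")
```

The model evaluates only the packet that opens a connection; a real firewall is stateful and admits the return traffic through its connection table, so no "DMZ->Internet port 80" rule is needed for the web server's replies. Note how little the DMZ->LAN set contains: a web server that is compromised can still reach only port 25 on one internal host, which is the isolation the article promises, but only if that set is kept that small.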







#2
Real name: 1234

Code:
    http://articles.techrepublic.com.com/5100-22_11-5758204.html?tag=rbxccnbtr1
    SolutionBase: Deploying a DMZ on your network



A DMZ can help secure your network, but getting it configured properly can be tricky. Deb Shinder explains the different kinds of DMZs you can use and how to get one up and running on your network.

    Ok, so you've decided to create a DMZ to provide a buffer zone between the Internet and your internal corporate network where sensitive resources reside. You've examined the advantages and disadvantages of DMZ designs and decided whether to use a single "three legged" firewall to create your DMZ network, or two back-to-back firewalls sitting on either side of the DMZ. Now you have to decide how to populate your DMZ. That depends, in part, on the type of DMZ you've deployed. This article will go into some specifics of how to deploy a DMZ: which servers and other devices should be placed in the DMZ, and how to monitor DMZ activity.
    Author's Note

    A computer that runs services accessible to the Internet is sometimes referred to as a bastion host. Others use this term to refer only to hardened systems running firewall services at the Internet edge. Your bastion hosts should be placed on the DMZ, rather than on your internal network, because by either definition they are directly accessible to the Internet.
    "Split" configurations

    Best security practice is to put all servers that are accessible to the public in the DMZ. However, this creates an even bigger security dilemma: you don't want to place your corporate Exchange server, for example, "out there." The solution is to create a split configuration.
    In a Split Configuration, your mail services are split between servers on the DMZ and the internal network. Your internal mail server will handle e-mail that goes from one computer on the internal network to another internal computer, with no exposure to the Internet. Mail that comes from or is sent to computers outside the internal network over the Internet will be handled by the other half of the team, an SMTP gateway located in the DMZ.
    You may be more familiar with this concept in relation to DNS servers. It has become common practice to split your DNS services into an internal zone and an external zone. This allows you to keep DNS information about your internal hosts private, while only the external DNS records are propagated to the Internet. The external DNS zone will only contain information about your public servers.
    Another example of a split configuration is your e-commerce system. You can place the front-end server, which will be directly accessible by Internet users, in the DMZ, and place the back-end servers that store sensitive information on the internal network.
    What goes in the unauthenticated DMZ

    Most of us think of the unauthenticated variety when we think about DMZs. This is a network that's wide open to users from the Internet. Anyone can connect to the servers there, without being required to provide credentials. The servers you place there are "public" ones, and might include the following:

    • Web servers that you want to make available to the general public, such as your company's primary Web presence advertising its products or services.
    • Your public DNS servers that resolve the names in your domain for users outside your organization to the appropriate IP addresses.
    • Public FTP servers on which you provide files to the public (for example, downloads of your product manuals or software drivers to enhance your products).
    • Anonymous SMTP relays that forward e-mail from the Internet to your internal mail server(s).

Of course, you can have more than one public service running on a single physical computer. That can be done in one of two ways: two or more services (such as Web services and FTP) can run on the same OS, or you can create separate virtual machines using software such as Microsoft's Virtual PC or VMware's server products, each running a different service.
    You may also place a dedicated intrusion detection system/intrusion prevention system (IDS/IPS) in the DMZ to catch attempted attacks. Another option is to place a honeypot in the DMZ, configured to look like a production server that holds information attractive to attackers. The idea is to divert attention from your "real" servers, to track intrusion patterns, and perhaps even to trace intrusion attempts back to the source and learn the identity of the attackers.
    What goes in the authenticated DMZ

    An authenticated DMZ holds computers that are directly accessible to the Internet, but are not intended for access by the general public. They may be used by your partners, customers or employees who need access from home or while on the road.
    Some types of servers that you might want to place in an authenticated DMZ include:

    • Web servers that you want to make available across the Internet for selected users.
    • FTP servers that you want to make available across the Internet for select users.
    • A front end mail server that you want users to be able to access when away from the office in lieu of using VPN to tunnel into the internal network.
    • An authenticated SMTP relay server for the use of your employees when they're away from the office.
    • SharePoint or other collaboration servers that need to be accessed by project team members outside the corporate network.

    The key is that users will be required to provide authentication credentials (username/password or, for greater security, multi-factor authentication such as a smart card or SecurID token). In other words, the firewall won't allow the user into the DMZ until the user authenticates. Once in, users might also be required to authenticate to particular servers.
    An authenticated DMZ can be used for creating an extranet. It's a private network and is more secure than the unauthenticated public access DMZ, but because its users may be less trusted than those on the internal network, the internal network is still protected from it by a firewall.
    The wireless DMZ

    Another important use of the DMZ is to isolate wireless clients from the internal network. Although it's common to connect a wireless LAN (WLAN) directly to the wired network, that poses a security threat because of the inherently more vulnerable nature of wireless communications. Even with standard wireless security measures in place, such as WEP encryption, wireless is not secure, and stronger encryption such as WPA is not supported by all clients and access points.
    Segregating the WLAN segment from the wired network allows your organization's users to enjoy the convenience of wireless connectivity while reducing some of the risk to the rest of the network.
    A wireless DMZ differs from its typical wired counterpart in that you not only want to protect the internal network from the Internet and DMZ, you also want to protect the DMZ from the Internet. In that respect, the WLAN DMZ functions more like the authenticated DMZ than like a traditional public access DMZ.
    To control access to the WLAN DMZ, you can use RADIUS servers to authenticate users using the Extensible Authentication Protocol (EAP), along with port based access controls on the access point.
    Securing DMZ Components

    You will probably spend a lot of time configuring security on the firewalls and IDS/IPS devices that define and operate in your DMZ, but you should also secure other components that connect the DMZ to other network segments, such as the routers and switches.
    It's important to consider where these connectivity devices should be placed in relation to the DMZ segment. You'll need to configure your routers to allow Internet users to connect to the DMZ and to allow internal users to connect to the Internet. You may need to configure Access Control Lists (ACLs) on your routers. Remember that you generally do not want to allow Internet users to connect to the internal network. One way to ensure this is to place a proxy server on the DMZ, and set up internal users to go through the proxy to connect to the Internet.
    It's also important to protect your routers' management interfaces to keep hackers from changing the router configurations. Be sure to set strong passwords and use RADIUS or other certificate based authentication for accessing the management console remotely. Be aware of all the ways you can administer the router (Web interface, Telnet, SSH, etc.) and lock them all down. To allow you to manage the router through a Web page, it runs an HTTP server. It is a good security practice to disable the HTTP server, as it can serve as a point of attack.
    What about using VLANs to create a DMZ?

    The Virtual LAN (VLAN) is a popular way to segment a network, using one switch to create multiple internal LAN segments. The VLAN logically divides the network; however, switches aren't firewalls and should not be relied on for security. Your DMZ should have its own separate switch, as should the internal network and the external network; you should not use VLAN partitioning to create these networks. That's because with a VLAN, all three networks would be connected to the same switch and if that switch is compromised, a hacker would actually reconfigure the VLAN--not a good situation.
    If you want to deploy multiple DMZs, you might use VLAN partitioning to separate the DMZs, all of which are connected to the same switch. This is generally accepted practice but it is not as secure as using separate switches.
    You can use Cisco's Private VLAN (PVLAN) technology with some of their Catalyst switches to isolate devices on a LAN and prevent the compromise of one device on the DMZ from leading to the compromise of other DMZ devices. For more information about PVLANs with Cisco Catalyst switches, see Cisco's Web site.
    Monitoring DMZ activity

    The DMZ is created to serve as a buffer zone between the Internet and the corporate internal network, and if you build it, they (the hackers) will almost certainly come. When they do, you want to know about it as quickly as possible. Thus, your next step is to set up an effective method of monitoring the activity that goes on in the DMZ. This is especially true if your DMZ acts as a honeynet.
    Many firewalls contain built-in monitoring functionality or it can be added with add-on modules. For example, ISA Server 2000/2004 includes a monitoring configuration node that can be set up to alert you if an intrusion is detected. Third party vendors also make monitoring add-ons for popular firewall products.
    An IDS system in the DMZ will detect attempted attacks for which it has signatures. A dedicated IDS will generally detect more attacks and have greater functionality than the IDS monitoring feature built into firewalls. For example, Internet Security Systems (ISS) makes RealSecure Network IDS software and Proventia intrusion detection appliances that can be installed in the DMZ.
    Most large organizations already have sophisticated tools in place to monitor network activity in general: software such as HP's OpenView, IBM's Tivoli/NetView, CA Unicenter or Microsoft's MOM. Many use multiple monitoring tools, especially if the network is a hybrid one with multiple operating systems or platforms.
    How do you integrate DMZ monitoring into the centralized management/monitoring system? In this case, you could configure the firewalls so that the existing network management and monitoring software could communicate with the DMZ devices. However, this would present a brand new security risk. Monitoring software often uses ICMP and/or SNMP to poll devices and keep track of availability. These protocols are not secure and could be exploited.
A more secure solution would be to put a monitoring station running proprietary monitoring software inside the DMZ or to install agents on DMZ devices. Information can be sent back to the centralized network management/monitoring station in encrypted form for better security.
    There are devices available specifically for monitoring DMZ activity, such as the ZoneRanger appliance from Tavve. Placed in the DMZ, it monitors servers, devices and applications and creates a secure conduit through the firewall to proxy SNMP data to the centralized network management/monitoring station.
    Whichever monitoring product you use, it should have the capability to log activity and to send a notification via e-mail, pager or other immediate alerting method to administrators and incident response teams.
    DMZ: As easy as 123

Deploying a DMZ consists of several steps: determining the purpose of the DMZ, selecting the servers to be placed in the DMZ, considering other devices (such as IDS/IPS) to be placed in the DMZ, and deciding on a method and strategy for monitoring DMZ activity. When you understand each of these steps and use the tools mentioned in this article, you can deploy a DMZ in your organization with relative ease.
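The split DNS configuration described under "Split configurations" is the easiest of the split designs to show concretely: the same name gives a different answer depending on which side of the firewall the query comes from, and internal-only names do not exist in the public view at all. The block below is an added example written for this page, not code from the article or from any DNS server; the internal address ranges, the example.com zone contents (public addresses from the RFC 5737 documentation ranges) and the ".corp." naming convention for internal-only hosts are constructed assumptions.

```python
"""Split-horizon DNS: an external view and an internal view selected by the
client's source address.

Added example for this page, not the article's own code. Zone contents,
address ranges and the ".corp." naming rule are constructed assumptions.
"""
import ipaddress
from typing import Optional

# Assumed: where internal queries come from (the corporate LAN and the DMZ itself).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# External view: only public servers, only public (here RFC 5737) addresses.
EXTERNAL_ZONE = {
    "www.example.com.": "203.0.113.10",
    "mail.example.com.": "203.0.113.10",
    "ns1.example.com.": "203.0.113.11",
}

# Internal view: public names resolve to the DMZ's private addresses, and
# internal-only hosts are present here and nowhere else.
INTERNAL_ZONE = {
    "www.example.com.": "192.168.100.10",
    "mail.example.com.": "10.0.0.25",          # the internal mail server, not the relay
    "ns1.example.com.": "10.0.0.53",
    "exchange.corp.example.com.": "10.0.0.25",
    "fileserver.corp.example.com.": "10.0.0.30",
}

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def canonical(name: str) -> str:
    """DNS names are case-insensitive; store and look them up fully qualified."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def view_for(client: str) -> str:
    addr = ipaddress.ip_address(client)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def resolve(name: str, client: str) -> tuple:
    """Answer an A query the way a split resolver would: (rcode, address or None)."""
    zone = INTERNAL_ZONE if view_for(client) == "internal" else EXTERNAL_ZONE
    addr = zone.get(canonical(name))
    return ("NOERROR", addr) if addr else ("NXDOMAIN", None)


def zone_transfer_allowed(client: str) -> bool:
    """A full copy of the internal zone (AXFR) is only ever handed to internal clients."""
    return view_for(client) == "internal"


def audit_external_zone() -> list:
    """Leak check before publishing: no RFC 1918 address, no internal-only name."""
    findings = []
    for name, addr in EXTERNAL_ZONE.items():
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in RFC1918):
            findings.append(f"{name} -> {addr} is a private address in the external zone")
        if ".corp." in name:
            findings.append(f"{name} is an internal-only name in the external zone")
    return findings


if __name__ == "__main__":
    for name, client in (("www.example.com", "198.51.100.7"),
                         ("www.example.com", "10.0.0.5"),
                         ("exchange.corp.example.com", "198.51.100.7"),
                         ("exchange.corp.example.com", "10.0.0.5")):
        print(f"{client:>14} asks {name:<28} -> {resolve(name, client)}")
    print("external zone audit:", audit_external_zone() or "clean")
```

The audit function is the part worth keeping: the most common way a split DNS design fails is not the resolver logic but someone adding an internal record to the external zone, and a check like this belongs in whatever process pushes the public zone out.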
