EC Council CHFI Certification: Course CF220

Penetration Testing
Security Analysis and Advanced Tools:
Designing a DMZ
Introduction to Designing a DMZ
• DMZ (demilitarized zone)
– Computer host or small network inserted as a
“neutral zone” between a company’s private
network and the outside public network
– Network construct that provides secure
segregation of networks that host services for
users, visitors, or partners
• DMZ use has become a necessary method of
providing a multilayered, defense-in-depth
approach to security
Introduction to Designing a DMZ (cont’d.)
Firewalls are essential for the secure segregation of networks.
DMZ Concepts
• DMZ has proven to be more secure and to
offer multiple layers of protection for the
security of the protected networks and
machines
• Bastion host
– Device in a DMZ that is built to withstand attacks
• Multitiered Firewall with a DMZ Flow
– DMZ is established, separated, and protected from
both the internal and external networks
DMZ Concepts (cont’d.)
A multitiered firewall is useful for protection from both
internal and external networks.
DMZ Design Fundamentals
• DMZ designs generally consist of
– Firewalls and segments that are protected from each
other by firewall rules and routing as well as the use
of RFC 1918 addressing on the internal network
• Design of the DMZ is critically important to the
overall protection of the internal network
• Access control lists (ACLs)
– Determine who is allowed access to an item in a
network and how that item can be used
• DMZ Protocols
– See next slide
DMZ Design Fundamentals (cont’d.)
Certain protocols are vulnerable to attack and should be
used with caution.
Advanced Design Concepts
• Internal Network Access
– Consider the methods that might be used to provide
VPN services
– Limit or restrict outbound traffic from the internal
network to inappropriate services
– Provide for out-of-band management capabilities
• Remote Administration
– Extremely tempting to use the built-in capabilities of
the various operating systems and the management
software provided for many hardware devices
– It is very important to thoroughly review alternatives
Advanced Design Concepts (cont’d.)
• Authentication
– Generally inappropriate to locate a RADIUS or
TACACS+ server in a DMZ segment
– It might be necessary to implement a plan to
accommodate the authentication of users
entering the DMZ from a public network
– DMZ design should include a separate
authentication DMZ segment
• Equipment in that segment should be hardened
DMZ Architecture
• Inside-Versus-Outside Architecture
– Packet-filtering routers act as initial line of defense
• Three-Homed Firewall Architecture
– DMZ handles the traffic between the internal network
and firewall, as well as the traffic between the firewall
and DMZ
• Weak-Screened Subnet Architecture
– Used when routers have better high-bandwidth datastream handling capacity
• Strong-Screened Subnet Architecture
– Both the DMZ and the internal networks are
protected by a well-functioning firewall
Designing a DMZ Using IPtables
The inside and outside firewalls in a DMZ serve multiple functions.
Designing a Wireless DMZ
• Categories of attacks on wireless networks:
– Passive attacks
– Active attacks
– Man-in-the-middle attacks
– Jamming attacks
• Placement of Wireless Equipment
– Depends on needed accessibility area for the WLAN
• Access to DMZ and Authentication Considerations
– Access to DMZ Services
– Authentication Considerations
Designing a Wireless DMZ (cont’d.)
• Wireless DMZ Components
– Access Points
– Network Adapters
– Authentication Servers
– Enterprise Wireless Gateways and Wireless Gateways
– Firewalls and Screening Routers
• Wireless DMZ Using RADIUS to Authenticate Users
– See Figure 5-12
• WLAN DMZ security best practices include
– Perform a risk analysis of the network
– Develop relevant and comprehensive security policies
Designing a Wireless DMZ (cont’d.)
A RADIUS server can be used to provide authentication at an access
point.
Specific Operating System Design
• Designing a Windows-Based DMZ
– Select all the needed networking hardware
– Scale up the number of connections to the Internet
– Add more bandwidth and site-to-site VPN services
– Set up a load-balanced solution
– Make sure that users can obtain the information they
need
– Segment Internet-based resources via the DMZ for an
added level of safety
– Finalize the network layout
Specific Operating System Design (cont’d.)
• Precautions for DMZ Setup
– Designer should consider other possible access to and
from the DMZ
• Security Analysis for the DMZ
– After the DMZ network segment design is finalized
and the systems are placed where they need to be,
the security of such systems should be taken into
account
• ISA Server Support to DMZ Configuration
– An ISA firewall network needs to be created for the
wireless DMZ segment
– ISA firewall networks are defined on a per-network-interface basis
Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ
– Features include zones, ZFS, and Reduced Networking
Software Group
– Placement of Servers
• Depends on network requirements
• Smaller networks generally place the DMZ server directly
behind the router
– Advanced Implementation of a Solaris DMZ Server
• See Figure 5-17
– Solaris DMZ Servers in a Conceptual Highly Available
Configuration
• See Figure 5-18
Specific Operating System Design (cont’d.)
places a switch between the router and the DMZ server.
Specific Operating System Design (cont’d.)
In this conceptual Solaris configuration,
three DMZs are connected to the external network switch.
Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ (cont’d.)
– Private and Public Network Firewall Rule Set
• Private Network Rules
• Public Network Rules
– DMZ Server Firewall Rule Set
• Generally, the best policy is to deny all traffic to the
host from all systems
– Solaris DMZ System Design (phases)
• Planning
• Implementation
• Maintenance
Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ (cont’d.)
– Hardening Checklists for DMZ Servers and Solaris
• Has a model or diagram of the host been made?
• Is the host physically secured?
• Designing a Linux DMZ
– Ethernet Interface Requirements and Configuration
– Traffic Routing Between Public and DMZ Servers
– Protecting Internet Servers (Using DMZ Networks)
• Disable all unnecessary services
• Run services “chrooted” whenever possible
• Use Firewall Security Policy and Anti-IP-Spoofing Features
Specific Operating System Design (cont’d.)
A common Linux DMZ configuration uses a Linux firewall and three
Ethernet cards.
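The three-Ethernet-card Linux firewall described here, together with the inside/outside firewall functions named under "Designing a DMZ Using IPtables", rendered as an iptables ruleset. This is an added example, not course material; the interface names (eth0/eth1/eth2), the 192.0.2.0/24 DMZ range, the 10.0.0.0/24 internal range and the 192.0.2.10 web server are constructed assumptions.

```shell
# Three-homed Linux DMZ firewall ruleset (added example, not course material).
# Constructed assumptions: eth0 = external/Internet, eth1 = DMZ 192.0.2.0/24,
# eth2 = internal 10.0.0.0/24 (RFC 1918), published web server 192.0.2.10.
# $1 is the command that emits each rule: "iptables" applies it as root,
# "echo" prints the ruleset for review without touching the kernel.
apply_dmz_rules() {
  ipt="$1"
  EXT=eth0; DMZ=eth1; INT=eth2
  DMZ_NET=192.0.2.0/24; INT_NET=10.0.0.0/24; WEB=192.0.2.10

  # Deny-all default policy: every forwarded flow needs an explicit allow.
  "$ipt" -P INPUT DROP
  "$ipt" -P FORWARD DROP
  "$ipt" -P OUTPUT ACCEPT
  "$ipt" -F FORWARD

  # Anti-IP-spoofing: RFC 1918 space and our own DMZ range never arrive from
  # the Internet, and each inside interface only carries its own source range.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 "$DMZ_NET"; do
    "$ipt" -A FORWARD -i "$EXT" -s "$net" -j DROP
  done
  "$ipt" -A FORWARD -i "$DMZ" ! -s "$DMZ_NET" -j DROP
  "$ipt" -A FORWARD -i "$INT" ! -s "$INT_NET" -j DROP

  # Replies to flows already allowed may pass in either direction.
  "$ipt" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Public -> DMZ: only the published web service on the bastion host.
  "$ipt" -A FORWARD -i "$EXT" -o "$DMZ" -d "$WEB" -p tcp -m multiport \
    --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

  # Internal -> DMZ and Internal -> Internet: outbound restricted to the
  # services users need (web and DNS here); everything else stays inside.
  "$ipt" -A FORWARD -i "$INT" -o "$DMZ" -p tcp -m multiport --dports 80,443 -j ACCEPT
  "$ipt" -A FORWARD -i "$INT" -o "$EXT" -p tcp -m multiport --dports 80,443 -j ACCEPT
  "$ipt" -A FORWARD -i "$INT" -o "$EXT" -p udp --dport 53 -j ACCEPT

  # DMZ -> Internal: a compromised bastion must never initiate inward.
  "$ipt" -A FORWARD -i "$DMZ" -o "$INT" -j DROP
  # Log (rate-limited) whatever falls through before the DROP policy eats it.
  "$ipt" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "DMZ-FW-DROP: "
}

# Without the "apply" argument only preview the rules, so they can be reviewed.
case "${1:-preview}" in
  apply) apply_dmz_rules iptables ;;
  *)     apply_dmz_rules echo ;;
esac
```

Run it without arguments to print the ruleset for review, and as root with `apply` to load it.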
DMZ Router Security Best Practices
• Checklist for ensuring router security:
– Authenticate routing updates on dynamic routing
protocols
– Use ACLs to protect network resources and prevent
address spoofing
– Secure the management interfaces
– Lock down the router services
– Disable interface-related services
– Disable unneeded services
– Keep up to date on IOS bug fixes and vulnerabilities
DMZ Switch Security Best Practices
• Checklist to follow to ensure switch security:
– Secure the management interfaces
– Lock down the switch services
– Disable unneeded services
– Use VLANs to logically segment a switch and PVLANs
to isolate hosts on a VLAN
– Use port security to secure the input to an interface
by limiting and identifying the MAC addresses of hosts
that are allowed to access the port
– Do not use VTP on DMZ switches
– Keep up to date on IOS bug fixes and vulnerabilities,
and upgrade if necessary
Six Ways to Stop Data Leaks
• Consider:
– Get a handle on the data
– Monitor content in motion
– Keep an eye on databases
– Limit user privileges
– Cover those endpoints
– Centralize intellectual property data
• Tool: Reconnex
– Enables an organization to protect all information
assets on its network without requiring up-front
knowledge of what needs to be protected
Summary
• A DMZ functions as a “neutral zone” between an
internal and external network
• Multitiered firewalls are often used when there is
a need to provide more than one type of service
to the public
• DMZ designers should be aware of protocol
vulnerabilities
• It is generally inappropriate to locate a RADIUS or
TACACS+ server in a DMZ segment
• DMZs for wireless networks must be set up with
certain conditions in mind
Summary (cont’d.)
• A three-homed firewall DMZ handles the traffic
between the internal network and firewall, as
well as the traffic between the firewall and DMZ
• A site survey can be conducted to determine the
proper number of access points needed based on
the expected number of users and the specific
environment for a WLAN
• Authentication may not be desired if a network is
publicly accessible
• An access point is a layer-2 device that serves as
an interface between the wireless network and
the wired network