Penetration Testing: Security Analysis and Advanced Tools
Designing a DMZ

Introduction to Designing a DMZ
• DMZ (demilitarized zone)
  – Computer host or small network inserted as a “neutral zone” between a company’s private network and the outside public network
  – Network construct that provides secure segregation of networks that host services for users, visitors, or partners
• DMZ use has become a necessary method of providing a multilayered, defense-in-depth approach to security

Introduction to Designing a DMZ (cont’d.)
Firewalls are essential for the secure segregation of networks.

DMZ Concepts
• The DMZ has proven to be more secure and to offer multiple layers of protection for the security of the protected networks and machines
• Bastion host
  – Device in a DMZ that is built to withstand attacks
• Multitiered firewall with a DMZ flow
  – The DMZ is established, separated, and protected from both the internal and external networks

DMZ Concepts (cont’d.)
A multitiered firewall is useful for protection from both internal and external networks.

DMZ Design Fundamentals
• DMZ designs generally consist of
  – Firewalls and segments that are protected from each other by firewall rules and routing, as well as the use of RFC 1918 addressing on the internal network
• Design of the DMZ is critically important to the overall protection of the internal network
• Access control lists (ACLs)
  – Determine who is allowed access to an item in a network and how that item can be used
• DMZ protocols
  – See next slide

DMZ Design Fundamentals (cont’d.)
Certain protocols are vulnerable to attack and should be used with caution.
Advanced Design Concepts
• Internal Network Access
  – Consider the methods that might be used to provide VPN services
  – Limit or restrict outbound traffic from the internal network to inappropriate services
  – Provide for out-of-band management capabilities
• Remote Administration
  – It is extremely tempting to use the built-in capabilities of the various operating systems and the management software provided for many hardware devices
  – It is very important to thoroughly review the alternatives

Advanced Design Concepts (cont’d.)
• Authentication
  – It is generally inappropriate to locate a RADIUS or TACACS+ server in a DMZ segment
  – It might be necessary to implement a plan to accommodate the authentication of users entering the DMZ from a public network
  – The DMZ design should include a separate authentication DMZ segment
    • Equipment in that segment should be hardened

DMZ Architecture
• Inside-Versus-Outside Architecture
  – Packet-filtering routers act as the initial line of defense
• Three-Homed Firewall Architecture
  – The DMZ handles the traffic between the internal network and the firewall, as well as the traffic between the firewall and the DMZ
• Weak-Screened Subnet Architecture
  – Used when routers have better high-bandwidth datastream handling capacity
• Strong-Screened Subnet Architecture
  – Both the DMZ and the internal networks are protected by a well-functioning firewall

Designing a DMZ Using IPtables
The inside and outside firewalls in a DMZ serve multiple functions.

Designing a Wireless DMZ
• Categories of attacks on wireless networks:
  – Passive attacks
  – Active attacks
  – Man-in-the-middle attacks
  – Jamming attacks
• Placement of Wireless Equipment
  – Depends on the needed accessibility area for the WLAN
• Access to DMZ and Authentication Considerations
  – Access to DMZ services
  – Authentication considerations

Designing a Wireless DMZ (cont’d.)
• Wireless DMZ Components
  – Access points
  – Network adapters
  – Authentication servers
  – Enterprise wireless gateways and wireless gateways
  – Firewalls and screening routers
• Wireless DMZ Using RADIUS to Authenticate Users
  – See Figure 5-12
• WLAN DMZ security best practices include
  – Perform a risk analysis of the network
  – Develop relevant and comprehensive security policies

Designing a Wireless DMZ (cont’d.)
A RADIUS server can be used to provide authentication at an access point.

Specific Operating System Design
• Designing a Windows-Based DMZ
  – Select all the needed networking hardware
  – Scale up the number of connections to the Internet
  – Add more bandwidth and site-to-site VPN services
  – Set up a load-balanced solution
  – Make sure that users can obtain the information they need
  – Segment Internet-based resources via the DMZ for an added level of safety
  – Finalize the network layout

Specific Operating System Design (cont’d.)
• Precautions for DMZ Setup
  – The designer should consider other possible access to and from the DMZ
• Security Analysis for the DMZ
  – After the DMZ network segment design is finalized and the systems are placed where they need to be, the security of those systems should be taken into account
• ISA Server Support for the DMZ Configuration
  – An ISA firewall network needs to be created for the wireless DMZ segment
  – ISA firewall networks are defined per network interface

Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ
  – Features include zones, ZFS, and the Reduced Networking Software Group
  – Placement of Servers
    • Depends on network requirements
    • Smaller networks generally place the DMZ server directly behind the router
  – Advanced Implementation of a Solaris DMZ Server
    • See Figure 5-17
  – Solaris DMZ Servers in a Conceptual Highly Available Configuration
    • See Figure 5-18

Specific Operating System Design (cont’d.)
places a switch between the router and the DMZ server.

Specific Operating System Design (cont’d.)
In this conceptual Solaris configuration, three DMZs are connected to the external network switch.

Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ (cont’d.)
  – Private and Public Network Firewall Rule Set
    • Private network rules
    • Public network rules
  – DMZ Server Firewall Rule Set
    • Generally, the best policy is to deny all traffic to the host from all systems
  – Solaris DMZ System Design (phases)
    • Planning
    • Implementation
    • Maintenance

Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ (cont’d.)
  – Hardening Checklists for DMZ Servers and Solaris
    • Has a model or diagram of the host been made?
    • Is the host physically secured?
• Designing a Linux DMZ
  – Ethernet Interface Requirements and Configuration
  – Traffic Routing Between Public and DMZ Servers
  – Protecting Internet Servers (Using DMZ Networks)
    • Disable all unnecessary services
    • Run services “chrooted” whenever possible
    • Use firewall security policy and anti-IP-spoofing features

Specific Operating System Design (cont’d.)
A common Linux DMZ configuration uses a Linux firewall and three Ethernet cards.
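The “Designing a DMZ Using IPtables” slide and the three-Ethernet-card Linux DMZ above describe a three-homed firewall without showing its rule set. The script below is an added example, not part of the course slides: it builds the forwarding policy for such a firewall with iptables, using default deny, RFC 1918 anti-spoofing checks on the external interface, a published web server in the DMZ, restricted outbound access from the internal network, and an explicit log-and-drop for any DMZ-to-internal connection attempt. The interface names (eth0/eth1/eth2), the address ranges, the web server address and the public address are assumptions chosen for the example. Without DMZ_APPLY=1 it only prints the commands it would run, so it can be reviewed on any machine.

```shell
#!/bin/sh
# Added example (not from the slides): iptables policy for a three-homed Linux DMZ firewall.
# Assumed topology (constructed for this example):
#   eth0  external, Internet-facing          public address 203.0.113.10 (RFC 5737 documentation range)
#   eth1  DMZ segment        10.10.10.0/24   web server 10.10.10.80
#   eth2  internal network   10.20.0.0/16    RFC 1918, as the slides recommend
# Run with DMZ_APPLY=1 as root to load the rules; otherwise the iptables commands are only printed.

EXT_IF=eth0; DMZ_IF=eth1; INT_IF=eth2
DMZ_NET=10.10.10.0/24; INT_NET=10.20.0.0/16
WEB_SRV=10.10.10.80
PUBLIC_IP=203.0.113.10
IPT="${IPT:-iptables}"

dmz_rules() {
    # Clean slate, then default-deny transit traffic and traffic to the firewall itself.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Management of the firewall: loopback, replies, and SSH only from the internal side
    # (out-of-band console access is assumed to exist as the fallback).
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Anti-spoofing: RFC 1918 sources never legitimately arrive on the external interface,
    # and each inside interface may only carry its own network as source.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        "$IPT" -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done
    "$IPT" -A FORWARD -i "$DMZ_IF" ! -s "$DMZ_NET" -j DROP
    "$IPT" -A FORWARD -i "$INT_IF" ! -s "$INT_NET" -j DROP

    # Return traffic for connections permitted below.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Public service: only HTTP/HTTPS to the published web server, via DNAT of the public address.
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp \
        -m multiport --dports 80,443 -j DNAT --to-destination "$WEB_SRV"
    "$IPT" -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WEB_SRV" -p tcp \
        -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # Internal users may reach the DMZ web server and nothing else in the DMZ.
    "$IPT" -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -d "$WEB_SRV" -p tcp \
        -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # Outbound traffic from the internal network is limited to web and DNS, then NATed.
    "$IPT" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
    "$IPT" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p udp --dport 53 -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE

    # The DMZ must never open connections into the internal network. The default policy would
    # already drop this, but logging it makes a compromised bastion host visible.
    "$IPT" -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "DMZ->INT blocked: "
    "$IPT" -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP
}

# Stand-alone: dry run unless explicitly asked to apply.
[ "${DMZ_APPLY:-0}" = 1 ] || IPT=echo
dmz_rules
```

Order matters: the anti-spoofing drops sit before the ESTABLISHED,RELATED accept so that a spoofed packet can never ride an existing connection, and the DNAT rule in the nat table rewrites the destination before the FORWARD chain sees it, which is why the FORWARD rule matches the DMZ server’s real address rather than the public one.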
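The DMZ server slides above give two host-level rules: deny all traffic to the host from all systems except what it must serve, and disable all unnecessary services. The script below is an added example (not from the slides) for a Linux bastion host that applies both: a default-deny INPUT policy with administration allowed only from an out-of-band management network, and an audit function that compares the host’s listening TCP sockets (in the `ss -ltnH` output format) against an allow-list and reports anything else. The interface names, the management network and the sample socket list are constructed for the example; in production the sample would be replaced by the live `ss` output.

```shell
#!/bin/sh
# Added example (not from the slides): host-level hardening checks for a Linux DMZ bastion host.
# Assumed host layout (constructed): eth0 faces the DMZ segment and serves HTTP/HTTPS;
# eth1 is the out-of-band management interface, address 10.99.0.5 on 10.99.0.0/24.
# Run with DMZ_APPLY=1 as root to load the firewall rules; otherwise they are only printed.

SVC_IF=eth0; MGMT_IF=eth1; MGMT_NET=10.99.0.0/24
IPT="${IPT:-iptables}"

bastion_input_rules() {
    # Deny everything to the host by default; the host is not a router, so never forward.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    # The only published service, accepted only on the DMZ-facing interface.
    "$IPT" -A INPUT -i "$SVC_IF" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    # Remote administration solely from the management network on the management interface.
    "$IPT" -A INPUT -i "$MGMT_IF" -s "$MGMT_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Everything else is logged (rate-limited) and dropped, so probes show up in the logs.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "bastion INPUT drop: "
    "$IPT" -A INPUT -j DROP
}

# Sockets this host is allowed to listen on: the web service on any address and SSH only
# on the management address. Anything else is an unnecessary or misbound service.
ALLOWED_LISTENERS="0.0.0.0:80 0.0.0.0:443 10.99.0.5:22"

# Reads "ss -ltnH" style lines (State Recv-Q Send-Q Local:Port Peer:Port) on stdin,
# prints each listener not on the allow-list, and returns 1 if any were found.
audit_listeners() {
    bad=0
    while read -r state recvq sendq local peer; do
        [ -n "$local" ] || continue
        case " $ALLOWED_LISTENERS " in
            *" $local "*) ;;
            *) echo "unexpected listener: $local"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample of ss -ltnH output: SSH is also bound to all interfaces and a
# database is listening, both of which the audit should flag.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80   0.0.0.0:*
LISTEN 0 511 0.0.0.0:443  0.0.0.0:*
LISTEN 0 128 10.99.0.5:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
LISTEN 0 50  0.0.0.0:3306 0.0.0.0:*'

# Stand-alone run: dry-run the rules, then audit the sample (use: ss -ltnH | audit_listeners).
[ "${DMZ_APPLY:-0}" = 1 ] || IPT=echo
bastion_input_rules
printf '%s\n' "$SAMPLE_SS" | audit_listeners || echo "audit: unexpected listeners found"
```

The audit deliberately keys on address and port together, not port alone: SSH on the management address is expected, while the same port bound to 0.0.0.0 would expose administration on the DMZ-facing interface even though the firewall rules above would block it, and the checklist item is to remove the exposure rather than rely on one layer.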
DMZ Router Security Best Practices
• Checklist for ensuring router security:
  – Authenticate routing updates on dynamic routing protocols
  – Use ACLs to protect network resources and prevent address spoofing
  – Secure the management interfaces
  – Lock down the router services
  – Disable interface-related services
  – Disable unneeded services
  – Keep up to date on IOS bug fixes and vulnerabilities

DMZ Switch Security Best Practices
• Checklist to follow to ensure switch security:
  – Secure the management interfaces
  – Lock down the switch services
  – Disable unneeded services
  – Use VLANs to logically segment a switch and PVLANs to isolate hosts on a VLAN
  – Use port security to secure the input to an interface by limiting and identifying the MAC addresses of hosts that are allowed to access the port
  – Do not use VTP on DMZ switches
  – Keep up to date on IOS bug fixes and vulnerabilities, and upgrade if necessary

Six Ways to Stop Data Leaks
• Consider:
  – Get a handle on the data
  – Monitor content in motion
  – Keep an eye on databases
  – Limit user privileges
  – Cover those endpoints
  – Centralize intellectual property data
• Tool: Reconnex
  – Enables an organization to protect all information assets on its network without requiring up-front knowledge of what needs to be protected

Summary
• A DMZ functions as a “neutral zone” between an internal and external network
• Multitiered firewalls are often used when there is a need to provide more than one type of service to the public
• DMZ designers should be aware of protocol vulnerabilities
• It is generally inappropriate to locate a RADIUS or TACACS+ server in a DMZ segment
• DMZs for wireless networks must be set up with certain conditions in mind

Summary (cont’d.)
• A three-homed firewall DMZ handles the traffic between the internal network and the firewall, as well as the traffic between the firewall and the DMZ
• A site survey can be conducted to determine the proper number of access points needed, based on the expected number of users and the specific environment for a WLAN
• Authentication may not be desired if a network is publicly accessible
• An access point is a layer-2 device that serves as an interface between the wireless network and the wired network