Designing and Using DMZ Networks to Protect Internet Servers

Mick explains how to care for services that come into contact with untrusted networks.
Use your firewall's security policy and anti-IP-spoofing features.

Naturally, you want to carefully restrict traffic from the outside world to the DMZ. But it's equally important to carefully restrict traffic from the DMZ to your internal network (to protect it in the event that a DMZ host is compromised) and from the DMZ to the outside world (to prevent a compromised DMZ host from being used to attack other networks).

It goes without saying that you'll probably want to block all traffic from the Internet to internal hosts. (You may or may not feel a need to restrict traffic from the internal network to the DMZ, depending on what type of access internal users really need to DMZ hosts and how much you trust internal users.) In any event, your firewall-security policy will be much more effective if your firewall can distinguish between legitimate and phony source-IP addresses. Otherwise, it might be possible for an external user to slip packets through the firewall by forging internal source IPs.

By default, most firewalls don't have this functionality enabled (the feature is usually called something like anti-IP-spoofing. Even if your firewall supports it, you'll probably have to configure and start it yourself. It's well worth the effort, though.

Mick Bauer (mick@visi.com) is security practice lead at the Minneapolis bureau of ENRGI, a network engineering and consulting firm. He's been a Linux devotee since 1995 and an OpenBSD zealot since 1997, taking particular pleasure in getting these cutting-edge operating systems to run on obsolete junk. Mick welcomes questions, comments and greetings.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Re: Paranoid Penguin: Designing and Using DMZ Networks to Protec

Saran's picture

This article is very fine, actually i want to implement the three hommed dmz. Will you please help me for that... I am using Redhat 6.2. I have three cards in my firewall machine. One for intranet, one for internet (i have the static ip), and another one for DMZ. I want to know how to configure the firewall machine for achive that. Except my linux firewall machine all are the machines are windows NT/2000. I want to communicate the DMZ mc to intranet mc and intranet to DMZ, for that purpose how to allocate the ip address and subnet mask for the internet and dmz machines. Intranet and DMZ machines are connected in seprate switches.

Re: Paranoid Penguin: Designing and Using DMZ Networks to Protec

Anonymous's picture

I learnt a lot from this - but still have this question - how do I link internal servers (database usually) to DMZ servers (Web linking to DMZ database). ie the DMZ DB servers contain a subset of internal data - but will also need to update internal db servers with results of web interactions with customers.

ie an Extranet(?)

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix