Module 7
Designing a DMZ
Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
• DMZ Concepts
• DMZ Design Fundamentals
• Security Analysis for the DMZ
• Designing Windows DMZ
• Designing Sun Solaris DMZ
• Designing WLAN DMZ
Introduction
A DMZ prevents outside users from getting direct access to the company’s servers and internal network.
DMZ Concepts
Multitiered Firewall with a DMZ Flow
DMZ Design Fundamentals
Types of Firewall and DMZ Architectures
Firewall and DMZ architectures are differentiated according to the design.
• "Inside vs. Outside" Architecture.
• "Three-Homed Firewall" DMZ Architecture.
• Weak Screened-Subnet Architecture.
• Strong Screened-Subnet Architecture.
"Inside vs. Outside" Architecture
In this architecture, a packet-filtering router acts as the initial line of defense.
The drawback of this architecture is that SMTP, DNS, and HTTP traffic must either pass through the firewall to internal servers or be hosted on the firewall itself.
"Inside vs. Outside" Architecture (cont’d)
"Three-Homed Firewall" DMZ Architecture
A three-homed firewall DMZ network can be accessed by the public, but it is isolated from the internal network.
"Three-Homed Firewall" DMZ Architecture (cont’d)
Weak Screened Subnet Architecture
Weak screened subnet architecture is used when the routers have the better capacity for handling high-bandwidth data streams.
Strong Screened Subnet Architecture
Strong screened subnet architecture is useful as it supports high-volume traffic.
Strong Screened Subnet Architecture (cont’d)
Designing DMZ Using IPtables
Designing a DMZ using IPtables
A system for public access can be designed using two firewall systems.
It allows the use of one public IP address to provide access to several different Internet servers.
Designing a DMZ using IPtables (cont’d)
# Assumes $EXTIF (external interface), $INTIF (internal/DMZ-side interface)
# and $EXTIP (the public address) were set earlier in the script.
# FORWARD: Enable Forwarding and thus IPMASQ
# Allow all connections OUT and only existing/related IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Allow forwarding of incoming Port 80 traffic to DMZ Web server
# (FORWARD sees the destination after the PREROUTING DNAT below, hence 192.168.1.6)
iptables -A FORWARD -i $EXTIF -o $INTIF -d 192.168.1.6 -p tcp --dport 80 -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
# drop-and-log-it is a user-defined chain that logs and then drops; it must be
# created (iptables -N drop-and-log-it) before this rule references it.
iptables -A FORWARD -j drop-and-log-it
# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
# Enable DNAT port translation to DMZ Web server
iptables -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 80 -j DNAT --to 192.168.1.6
echo -e " Firewall server rule loading complete\n\n"
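The rule set above, modelled as an added example (not part of the EC-Council module) so the verdicts for sample packets can be checked offline; the interface names, the public address and the sample packets are constructed assumptions, and the order PREROUTING (nat) then FORWARD (filter) is what makes the post-DNAT address the one the FORWARD rule must match.

```python
# Added example: a small model of the outer firewall's nat PREROUTING and
# FORWARD chains from the rule set above, to see what reaches the DMZ host.
# Interface names and the public address are constructed assumptions.
from dataclasses import dataclass

EXTIF, INTIF = "eth0", "eth1"                    # assumed $EXTIF / $INTIF
EXTIP, DMZ_WEB = "203.0.113.10", "192.168.1.6"   # assumed $EXTIP; DMZ web server from the rules

@dataclass
class Packet:
    in_if: str      # interface the packet arrived on
    out_if: str     # interface the routing decision selected
    src: str
    dst: str
    proto: str
    dport: int
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED

def prerouting_dnat(pkt: Packet) -> Packet:
    """nat PREROUTING: EXTIP:80 arriving on EXTIF is rewritten to the DMZ web server."""
    if pkt.in_if == EXTIF and pkt.dst == EXTIP and pkt.proto == "tcp" and pkt.dport == 80:
        pkt.dst = DMZ_WEB
    return pkt

def forward(pkt: Packet) -> str:
    """FORWARD chain in rule order; first match wins, the last rule is the catch-all."""
    if pkt.in_if == EXTIF and pkt.out_if == INTIF and pkt.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"            # replies to connections opened from inside
    if pkt.in_if == INTIF and pkt.out_if == EXTIF:
        return "ACCEPT"            # anything outbound
    if (pkt.in_if == EXTIF and pkt.out_if == INTIF and pkt.dst == DMZ_WEB
            and pkt.proto == "tcp" and pkt.dport == 80):
        return "ACCEPT"            # post-DNAT address, so the public web hit matches here
    return "DROP-AND-LOG"          # the drop-and-log-it catch-all

def verdict(pkt: Packet) -> str:
    """Path of an arriving packet: PREROUTING (nat) first, then FORWARD (filter)."""
    return forward(prerouting_dnat(pkt))

def demo() -> dict:
    """Constructed sample packets; maps a label to the firewall verdict."""
    cases = {
        "public_web": Packet(EXTIF, INTIF, "198.51.100.7", EXTIP, "tcp", 80),
        "public_ssh": Packet(EXTIF, INTIF, "198.51.100.7", EXTIP, "tcp", 22),
        "dmz_web_alt_port": Packet(EXTIF, INTIF, "198.51.100.7", DMZ_WEB, "tcp", 8080),
        "outbound": Packet(INTIF, EXTIF, "192.168.1.20", "198.51.100.7", "tcp", 443),
        "reply_to_outbound": Packet(EXTIF, INTIF, "198.51.100.7", "192.168.1.20", "tcp", 51515, "ESTABLISHED"),
    }
    return {name: verdict(pkt) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```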
Designing a DMZ using IPtables (cont’d)
Designing a DMZ using IPtables (cont’d)
The inside firewall restricts outgoing traffic to only those services that are allowed for access to the isolated network.
Designing Windows DMZ
Precautions for DMZ Setup
Servers on the DMZ shouldn’t contain sensitive trade secrets, source code, or proprietary information.
The following components may reside in the DMZ:
Security Analysis for the DMZ
Zone 1:
• Zone 1 is most vulnerable to exploitation.
• Zone 1 is where you need to consider your external router and switch security, as well as the outside port of your firewall.
• Zone 1 is where you would consider placing your network-based IDS.
Zone 2:
• It is the actual DMZ.
• The DMZ is where we have placed our Windows 2000 servers and the services they offer, such as external DNS and web services.
ISA Server Support to DMZ Configuration
ISA Server Support to DMZ Configuration (cont’d)
Perform the following steps to create the DMZ ISA firewall network:
ISA Server Support to DMZ Configuration (cont’d)
ISA Server Support to DMZ Configuration (cont’d)
• Click Next on the Network Addresses page.
• Click Finish on the Completing the New Network Wizard page.
• The new ISA firewall Network appears in the list of Networks on the Networks tab.
Designing Sun Solaris DMZ
Placement of Servers
Smaller networks generally place the DMZ server directly behind the router.
Advanced Implementation of a Solaris DMZ Server
Solaris DMZ Servers in a Conceptual Highly Available Configuration
Rules Implemented on the Solaris DMZ Server for Private Network Traffic
Rules Implemented on the DMZ Server for the Public Network
DMZ Server Firewall Ruleset
The ideal implementation keeps the DMZ host unreachable from all systems except the one from which remote administration is performed.
Solaris DMZ System Design
Hardening Checklists for DMZ Servers and Solaris
Has increased logging of system activity been implemented?
Have all unnecessary processes been disabled?
Has the firewall rule policy been implemented for the host?
Placement of Wireless Equipment
A wall can block the signal, and interference from other 2.4 GHz devices, such as cordless phones and microwaves, or from other access points might cause too much noise and effectively cancel out your signal.
Access to DMZ and Authentication Considerations
Use network cards and access points supporting the new WPA2 standard.
• WEP
• EAP and 802.1x
Wireless DMZ Components
• SSH2 servers
• VPN servers
• Virtual LANs (VLANs)
• Layer 3 switches
Wireless DMZ using RADIUS to Authenticate Users
WLAN DMZ Security Best Practices
Review the available security features of wireless devices to see if they fulfill your security requirements.
The 802.11 and Wi-Fi standards specify only a subset of the features that are available on a wide range of devices.
Check the wireless vendors’ websites frequently for firmware updates and apply them to all wireless devices.
WLAN DMZ Security Best Practices (cont’d)
Do not put any kind of identifying information in the SSID, such as the company name, address, products, divisions, and so on.
Try to place the access point in the center of the building so that interference will hamper the efforts of.
If possible, purchase an AP that allows you to reduce the size of the wireless zone (cell sizing) by changing the power output.
Educate yourself and your users in the operation and security of wireless networks.
Designing Linux DMZ
Ethernet Interface Requirements and Configuration
Ethernet Interface Requirements and Configuration (cont’d)
Ethernet Interface Requirements and Configuration (cont’d)
Routing traffic between a public and DMZ server:
Ethernet Interface Requirements and Configuration (cont’d)
Multiport redirection:
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 -m multiport --dport 80,443 -j DNAT --to-destination 192.168.2.3
Drawbacks:
DMZ Router Security Best Practice
Authenticate routing updates on dynamic routing protocols
DMZ Switch Security Best Practice
Secure the management interfaces:
• Disable TCP and UDP small services, disable CDP, disable finger
Use VLANs to logically segment a switch and PVLANs to isolate hosts on a VLAN
Do not use VTP on the DMZ switches; configure DMZ switches for VTP transparent mode
Keep up to date on IOS bug fixes and vulnerabilities and upgrade if necessary
Six Ways to Stop Data Leaks
Reconnex
• iGuard appliance: hardened, turnkey appliance solution for information monitoring and protection
• inSight console: centralized interface for managing security policies across multiple iGuard devices
Reconnex: Features
• Prevent: alerting, blocking, and filtering to control what information is being sent or stored on the network at all times
Summary
We have reviewed DMZ concepts and the fundamentals of DMZ design.