Sidebar: Installing and Using ISA Server as a Firewall

Many organizations don't implement a demilitarized zone (DMZ) in their networks. Instead, they locate their public servers (e.g., Web servers) on the same internal network as the rest of the organization's servers and workstations. Without a DMZ to separate your publicly accessible servers from your internal LAN, you're exposing your internal network to added risk. When an attacker gains control of your Web server, that person can use it to attack sensitive resources (e.g., financial applications, file servers) in your internal network. Notice that I said when and not if. No matter how securely you lock down a Web server, you should count on its compromise and design your network and processes to minimize the damage and ensure quick restoration. One such strategy is compartmentalization, and one tactical component of compartmentalization is implementing a DMZ.

When you implement a DMZ, you create two physically separate networks: one network for public servers and one network for all internal servers and workstations. Depending on the type of DMZ, one or more firewalls enforce routing policies specific to each network and strictly control access between

  • the Internet and the DMZ
  • the Internet and the internal network
  • the DMZ and the internal network

The main advantage of implementing a DMZ instead of just using a firewall is that when an attacker compromises a public server, the risk to the internal servers is reduced because the public servers and internal servers are separate from each other. When the compromised server resides in a DMZ, the attacker isn't able to directly attack other more-sensitive servers on the internal network. The firewall blocks any attempt by the DMZ computers to connect to internal computers, except for specifically allowed connections. For example, you might configure your firewall to let the Web server in the DMZ connect to an internal Microsoft SQL Server machine through a specific TCP port. If an intruder compromises the Web server, he or she might be able to attack the SQL Server machine on that port. However, the intruder won't be able to attack the SQL Server machine's other services and ports or other computers on the internal network.

Implementing a DMZ has other advantages as well. Those advantages include the following:

  • The intrusion-detection, content-filtering, and application-level monitoring capabilities that your firewall provides protect your internal network from attacks that originate not only from the Internet but also from a compromised computer in a DMZ. (If the compromised computer is in the DMZ instead of the internal network, the attacker will have to penetrate the firewall again to get into the internal network.)
  • The DMZ adds another layer of protection against attackers reaching any ports you inadvertently leave open on your public servers.
  • The DMZ lets you control outgoing traffic so that you can stop worms that use your Web server to attack others or stop intruders from using Trivial FTP (TFTP) on the Web server to grab their tools.
  • The DMZ lets you limit access to administrative services, such as Windows 2000 Server Terminal Services.
  • The DMZ protects servers from Address Resolution Protocol (ARP) spoofing attacks.

Although the advantages are many, you might pay a performance penalty for putting a firewall between your public servers and the Internet. Depending on bandwidth, firewall hardware, traffic levels, and many other factors, you might not notice the difference. However, some high-volume sites simply can't afford the performance penalty and must rely solely on hardening the Web server and on passive network Intrusion Detection Systems (IDSs).

Now that you know the advantages and disadvantages of implementing a DMZ, let's look at the considerations involved in deciding which kind of DMZ to implement. In addition, you need to be aware of some significant technical caveats before you design a DMZ. In this discussion, I explore how to use Microsoft Internet Security and Acceleration (ISA) Server 2000 to design a DMZ, but you can extend the principles to other firewalls. If you're unfamiliar with ISA Server, see the sidebar "Installing and Using ISA Server as a Firewall" for an overview.

The Types of DMZs
DMZs come in two types: three-homed and back-to-back. A three-homed DMZ, which Figure 1, page 12, shows, consists of one ISA Server computer (i.e., firewall) with three NICs. The NICs connect the firewall to the Internet, the DMZ network, and the internal network. If you have the budget for another server and ISA Server license, you can implement a back-to-back DMZ. In this type of DMZ, one ISA Server machine (i.e., outer firewall) connects the Internet to the DMZ and another ISA Server machine (inner firewall) connects the DMZ to the internal network, as Figure 2, page 13, shows. Because the back-to-back DMZ has two firewalls that an intruder must infiltrate, it provides a higher level of protection for your internal network than the three-homed DMZ. Other differences between the two DMZ styles lie in protection for the public servers and cost. Some technical problems with IP addressing and certificates might also be a factor in your decision about which style to choose.

The Three-Homed DMZ
The three-homed DMZ is the least expensive to implement because you need only one server, one Win2K license, one ISA Server license, three NICs, a hub or switch for the DMZ segment, and possibly public IP addresses for the servers in the DMZ. However, ISA Server has some important limitations associated with implementing a three-homed DMZ. ISA Server lets you designate only one network as an internal network with full protection. In addition, the three-homed DMZ provides application-level inspection for only the computers in the internal network. In other words, ISA Server's features for application-level inspection of HTTP, FTP, SMTP, POP3, and Microsoft Exchange Server remote procedure calls (RPCs) aren't available for computers in the three-homed DMZ. ISA Server offers only classic packet-filtering features for computers in the DMZ.

You designate the internal network by entering the appropriate IP address ranges in ISA Server's Local Address Table (LAT). Because ISA Server lets you enter only one LAT, you can provide full protection to just one network: your internal network.
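To make the design concrete, here is a small policy model of the three-homed DMZ: the LAT defines which address range counts as internal, the DMZ segment sits on the third NIC, and a default-deny rule set contains only the exceptions the article describes (the Web server's single hole to the internal SQL Server on one TCP port, blocked outbound DMZ traffic such as TFTP, and Terminal Services reachable only from the internal network). This is an added example, not ISA Server code or anything from the article; the address ranges, host names, port numbers and the rule-evaluation logic are constructed assumptions chosen to illustrate the policy.

```python
"""Policy model of a three-homed DMZ (constructed example, not ISA Server's own logic)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Local Address Table: the single set of ranges the firewall treats as "internal".
LAT = [ip_network("10.0.0.0/16")]                     # assumed internal range
# DMZ segment behind the third NIC (192.0.2.0/24 is a documentation range, used as a constructed value).
DMZ_NETS = [ip_network("192.0.2.0/24")]

# Constructed hosts.
WEB_SERVER = "192.0.2.10"    # public Web server in the DMZ
SQL_SERVER = "10.0.5.20"     # internal SQL Server the Web application needs
FILE_SERVER = "10.0.5.30"    # internal file server the Web server has no business reaching


def zone_of(addr: str) -> str:
    """Classify an address by the segment (NIC) it belongs to: internal, dmz or internet."""
    ip = ip_address(addr)
    if any(ip in net for net in LAT):
        return "internal"
    if any(ip in net for net in DMZ_NETS):
        return "dmz"
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                      # "tcp" or "udp"
    dst_port: Optional[int]         # None matches any destination port
    action: str                     # "allow" or "deny"
    src_host: Optional[str] = None  # pin the rule to one source address
    dst_host: Optional[str] = None  # pin the rule to one destination address

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (
            self.src_zone == zone_of(src)
            and self.dst_zone == zone_of(dst)
            and self.proto == proto
            and (self.dst_port is None or self.dst_port == port)
            and (self.src_host is None or self.src_host == src)
            and (self.dst_host is None or self.dst_host == dst)
        )


# First matching rule wins; anything unmatched is denied (default deny).
RULES = [
    # Public services: the Internet may reach the DMZ Web server on HTTP/HTTPS only.
    Rule("internet", "dmz", "tcp", 80, "allow", dst_host=WEB_SERVER),
    Rule("internet", "dmz", "tcp", 443, "allow", dst_host=WEB_SERVER),
    # The one hole into the internal network: Web server -> SQL Server, TCP 1433 only.
    Rule("dmz", "internal", "tcp", 1433, "allow", src_host=WEB_SERVER, dst_host=SQL_SERVER),
    # Egress control, written explicitly so the denials are visible in the rule table
    # (stops worms and TFTP tool fetches from a compromised DMZ host).
    Rule("dmz", "internet", "udp", None, "deny"),
    Rule("dmz", "internet", "tcp", None, "deny"),
    # Administrative access (Terminal Services, TCP 3389) to DMZ hosts only from the internal network.
    Rule("internal", "dmz", "tcp", 3389, "allow"),
]


def evaluate(src: str, dst: str, proto: str, port: int) -> str:
    """Return the firewall's decision for one connection attempt: allow, deny or local."""
    if zone_of(src) == zone_of(dst):
        return "local"  # same segment: the traffic never crosses the firewall
    for rule in RULES:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "deny"


def reachable_from(src: str, targets) -> list:
    """Filter (dst, proto, port) targets down to those the policy lets `src` connect to."""
    return [t for t in targets if evaluate(src, *t) == "allow"]


if __name__ == "__main__":
    # Review what the policy still permits from the DMZ Web server itself.
    attempts = [
        (SQL_SERVER, "tcp", 1433),    # needed by the Web application
        (SQL_SERVER, "tcp", 445),     # another service on the same box
        (FILE_SERVER, "tcp", 445),    # another internal host
        ("203.0.113.7", "udp", 69),   # TFTP out to the Internet
    ]
    for target in attempts:
        print(target, evaluate(WEB_SERVER, *target))
```

Running the script shows that the policy leaves the Web server exactly one path into the internal network (SQL Server, TCP 1433) and nothing else, which is the reduced exposure the article attributes to a DMZ. The `zone_of` function is also where the LAT limitation shows up: only addresses in `LAT` are classified as internal, so a second range can only be a DMZ or the Internet as far as this model is concerned.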


Reader Comments

Very good and informative article.

Thanks

Paul

Very good article.

sre_eram
