Penetration testing Security Analysis and Advanced Tools: Designing a DMZ

Upload: beulah

Post on 04-Feb-2016


DESCRIPTION

Penetration testing Security Analysis and Advanced Tools: Designing a DMZ. Introduction to Designing a DMZ. DMZ (demilitarized zone): a computer host or small network inserted as a “neutral zone” between a company’s private network and the outside public network. (PowerPoint PPT presentation)

TRANSCRIPT

Page 1: Penetration testing Security Analysis and Advanced Tools:

Penetration testing

Security Analysis and Advanced Tools:

Designing a DMZ

Page 2: Introduction to Designing a DMZ

• DMZ (demilitarized zone)
  – Computer host or small network inserted as a “neutral zone” between a company’s private network and the outside public network
  – Network construct that provides secure segregation of networks that host services for users, visitors, or partners
• DMZ use has become a necessary method of providing a multilayered, defense-in-depth approach to security

Page 3: Introduction to Designing a DMZ (cont’d.)

Firewalls are essential for the secure segregation of networks.

Page 4: DMZ Concepts

• DMZ has proven to be more secure and to offer multiple layers of protection for the security of the protected networks and machines
• Bastion host
  – Device in a DMZ that is built to withstand attacks
• Multitiered Firewall with a DMZ Flow
  – DMZ is established, separated, and protected from both the internal and external networks

Page 5: DMZ Concepts (cont’d.)

A multitiered firewall is useful for protection from both internal and external networks.

Page 6: DMZ Design Fundamentals

• DMZ designs generally consist of
  – Firewalls and segments that are protected from each other by firewall rules and routing, as well as the use of RFC 1918 addressing on the internal network
• Design of the DMZ is critically important to the overall protection of the internal network
• Access control lists (ACLs)
  – Determine who is allowed access to an item in a network and how that item can be used
• DMZ Protocols
  – See next slide

Page 7: DMZ Design Fundamentals (cont’d.)

Certain protocols are vulnerable to attack and should be used with caution.

Page 8: Advanced Design Concepts

• Internal Network Access
  – Consider the methods that might be used to provide VPN services
  – Limit or restrict outbound traffic from the internal network to inappropriate services
  – Provide for out-of-band management capabilities
• Remote Administration
  – Extremely tempting to use the built-in capabilities of the various operating systems and the management software provided for many hardware devices
  – It is very important to thoroughly review alternatives

Page 9: Advanced Design Concepts (cont’d.)

• Authentication
  – Generally inappropriate to locate a RADIUS or TACACS+ server in a DMZ segment
  – It might be necessary to implement a plan to accommodate the authentication of users entering the DMZ from a public network
  – DMZ design should include a separate authentication DMZ segment
    • Equipment in that segment should be hardened

Page 10: DMZ Architecture

• Inside-Versus-Outside Architecture
  – Packet-filtering routers act as the initial line of defense
• Three-Homed Firewall Architecture
  – DMZ handles the traffic between the internal network and firewall, as well as the traffic between the firewall and DMZ
• Weak-Screened Subnet Architecture
  – Used when routers have better high-bandwidth data-stream handling capacity
• Strong-Screened Subnet Architecture
  – Both the DMZ and the internal networks are protected by a well-functioning firewall

Page 11: Designing a DMZ Using IPtables

The inside and outside firewalls in a DMZ serve multiple functions.

Page 12: Designing a Wireless DMZ

• Categories of attacks on wireless networks:
  – Passive attacks
  – Active attacks
  – Man-in-the-middle attacks
  – Jamming attacks
• Placement of Wireless Equipment
  – Depends on the needed accessibility area for the WLAN
• Access to DMZ and Authentication Considerations
  – Access to DMZ Services
  – Authentication Considerations

Page 13: Designing a Wireless DMZ (cont’d.)

• Wireless DMZ Components
  – Access Points
  – Network Adapters
  – Authentication Servers
  – Enterprise Wireless Gateways and Wireless Gateways
  – Firewalls and Screening Routers
• Wireless DMZ Using RADIUS to Authenticate Users
  – See Figure 5-12
• WLAN DMZ security best practices include
  – Perform a risk analysis of the network
  – Develop relevant and comprehensive security policies

Page 14: Designing a Wireless DMZ (cont’d.)

A RADIUS server can be used to provide authentication at an access point.

Page 15: Specific Operating System Design

• Designing a Windows-Based DMZ
  – Select all the needed networking hardware
  – Scale up the number of connections to the Internet
  – Add more bandwidth and site-to-site VPN services
  – Set up a load-balanced solution
  – Make sure that users can obtain the information they need
  – Segment Internet-based resources via the DMZ for an added level of safety
  – Finalize the network layout

Page 16: Specific Operating System Design (cont’d.)

• Precautions for DMZ Setup
  – The designer should consider other possible access to and from the DMZ
• Security Analysis for the DMZ
  – After the DMZ network segment design is finalized and the systems are placed where they need to be, the security of those systems should be taken into account
• ISA Server Support to DMZ Configuration
  – An ISA firewall network needs to be created for the wireless DMZ segment
  – ISA firewall networks are defined depending on per-network interfaces

Page 17: Specific Operating System Design (cont’d.)

• Designing a Sun Solaris DMZ
  – Features include zones, ZFS, and Reduced Networking Software Group
  – Placement of Servers
    • Depends on network requirements
    • Smaller networks generally place the DMZ server directly behind the router
  – Advanced Implementation of a Solaris DMZ Server
    • See Figure 5-17
  – Solaris DMZ Servers in a Conceptual Highly Available Configuration
    • See Figure 5-18

Page 18: Specific Operating System Design (cont’d.)

places a switch between the router and the DMZ server.

Page 19: Specific Operating System Design (cont’d.)

In this conceptual Solaris configuration, three DMZs are connected to the external network switch.

Page 20: Specific Operating System Design (cont’d.)

• Designing a Sun Solaris DMZ (cont’d.)
  – Private and Public Network Firewall Rule Set
    • Private Network Rules
    • Public Network Rules
  – DMZ Server Firewall Rule Set
    • Generally, the best policy is to deny all traffic to the host from all systems
  – Solaris DMZ System Design (phases)
    • Planning
    • Implementation
    • Maintenance

Page 21: Specific Operating System Design (cont’d.)

• Designing a Sun Solaris DMZ (cont’d.)
  – Hardening Checklists for DMZ Servers and Solaris
    • Has a model or diagram of the host been made?
    • Is the host physically secured?
• Designing a Linux DMZ
  – Ethernet Interface Requirements and Configuration
  – Traffic Routing Between Public and DMZ Servers
  – Protecting Internet Servers (Using DMZ Networks)
    • Disable all unnecessary services
    • Run services “chrooted” whenever possible
    • Use Firewall Security Policy and Anti-IP-Spoofing Features

Page 22: Specific Operating System Design (cont’d.)

A common Linux DMZ configuration uses a Linux firewall and three Ethernet cards.
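The three-Ethernet-card Linux firewall of this slide, the iptables design of slide 11, the "deny all traffic to the host" default of slide 20 and the anti-IP-spoofing point of slide 21, worked as one added example that is not part of the deck: a dry-run iptables rule set for a three-homed firewall. The interface names (eth0 external, eth1 DMZ, eth2 internal), the 192.0.2.0/24 DMZ range, the web host address and the permitted ports are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the slides): three-homed Linux DMZ firewall in iptables.
# Assumed layout:  eth0 external (Internet) | eth1 DMZ 192.0.2.0/24 | eth2 internal 10.0.0.0/8
# The DMZ uses public (here: documentation-range) addresses, so no NAT is needed.
EXT=eth0; DMZ=eth1; INT=eth2
DMZ_NET=192.0.2.0/24; INT_NET=10.0.0.0/8; WEB=192.0.2.10   # assumed web server in the DMZ

# Dry run by default: print each rule. Run as root with APPLY=1 to install them.
ipt() { if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi; }

dmz_rules() {
    ipt -F; ipt -X
    # Default-deny on every chain: whatever is not permitted below is dropped.
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to connections that were already allowed.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: RFC 1918 space is used only inside, so a packet carrying such a
    # source address on the external interface is forged and is dropped.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A FORWARD -i "$EXT" -s "$net" -j DROP
    done
    # Likewise a DMZ source address is only legitimate when it arrives on the DMZ leg.
    ipt -A FORWARD ! -i "$DMZ" -s "$DMZ_NET" -j DROP
    # Internet -> DMZ: only the published web service, only to the web host.
    ipt -A FORWARD -i "$EXT" -o "$DMZ" -d "$WEB" -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Internal -> DMZ: use the web service and administer the host over SSH.
    ipt -A FORWARD -i "$INT" -o "$DMZ" -d "$WEB" -p tcp -m multiport --dports 22,80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Internal -> Internet: restrict outbound traffic to the services that are needed.
    ipt -A FORWARD -i "$INT" -o "$EXT" -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A FORWARD -i "$INT" -o "$EXT" -p udp --dport 53 -j ACCEPT
    # DMZ -> internal: deliberately no rule. The FORWARD policy drops it, so a
    # compromised bastion host cannot open connections into the private network.
    # The firewall itself accepts management only from the internal leg.
    ipt -A INPUT -i "$INT" -s "$INT_NET" -p tcp --dport 22 -j ACCEPT
}

dmz_rules
```

Run without arguments to review the generated rules; the absence of any eth1-to-eth2 ACCEPT rule is the property that makes the middle leg a DMZ rather than just another LAN segment.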

Page 23: DMZ Router Security Best Practices

• Checklist for ensuring router security:
  – Authenticate routing updates on dynamic routing protocols
  – Use ACLs to protect network resources and prevent address spoofing
  – Secure the management interfaces
  – Lock down the router services
  – Disable interface-related services
  – Disable unneeded services
  – Keep up to date on IOS bug fixes and vulnerabilities

Page 24: DMZ Switch Security Best Practices

• Checklist to follow to ensure switch security:
  – Secure the management interfaces
  – Lock down the switch services
  – Disable unneeded services
  – Use VLANs to logically segment a switch and PVLANs to isolate hosts on a VLAN
  – Use port security to secure the input to an interface by limiting and identifying the MAC addresses of hosts that are allowed to access the port
  – Do not use VTP on DMZ switches
  – Keep up to date on IOS bug fixes and vulnerabilities, and upgrade if necessary

Page 25: Six Ways to Stop Data Leaks

• Consider:
  – Get a handle on the data
  – Monitor content in motion
  – Keep an eye on databases
  – Limit user privileges
  – Cover those endpoints
  – Centralize intellectual property data
• Tool: Reconnex
  – Enables an organization to protect all information assets on its network without requiring up-front knowledge of what needs to be protected

Page 26: Summary

• A DMZ functions as a “neutral zone” between an internal and an external network
• Multitiered firewalls are often used when there is a need to provide more than one type of service to the public
• DMZ designers should be aware of protocol vulnerabilities
• It is generally inappropriate to locate a RADIUS or TACACS+ server in a DMZ segment
• DMZs for wireless networks must be set up with certain conditions in mind

Page 27: Summary (cont’d.)

• A three-homed firewall DMZ handles the traffic between the internal network and firewall, as well as the traffic between the firewall and DMZ
• A site survey can be conducted to determine the proper number of access points needed, based on the expected number of users and the specific environment for a WLAN
• Authentication may not be desired if a network is publicly accessible
• An access point is a layer-2 device that serves as an interface between the wireless network and the wired network