“DMZ In a Box”

What is a DMZ?
• As a military term
• As a computing term
DMZ Knowledge
• Stands for Demilitarized Zone; harks back to the Vietnam DMZ / 17th Parallel
• It’s considered “a network sitting between two networks”
– Not part of the internal network nor directly part of the internet
• Used to house public services (mail, web, vpn, ftp, etc.)
• Machines in the DMZ should be considered less secure than those on the LAN
DMZ Diagram (image sourced from wikipedia.com)
Firewalls
• What is a firewall?
– A program or hardware device that filters information passing from one network to another (typically from the internet to a private network).
• How do you manage it?
– Admins can allow traffic over specific ports/port ranges for both TCP and UDP traffic. These rules/policies can apply to individual machines or entire groups of machines.
• How do they control traffic?
– Three typical ways: Packet filtering, Proxy service, and Stateful Inspection
– Packet Filtering: packets are analyzed against filters/rules
– Proxy service: requests to the internet are redirected to a proxy, which fetches the information and returns it to the requesting client
– Stateful Inspection: Examines certain parts of the packet and compares them against a database of known, trusted connection state. Information is inspected going out to the internet, and when the response travels back into the network it is allowed to pass only if the database deems it trusted.
Firewall Topologies
• Bastion Host
– One host filters all traffic between the internal network and the Internet
• Good for *simple* networks with no public services hosted.
• Issues? Benefits?
(diagram: Internet, bastion host, Internal Network)
Firewall Topologies
• Three-homed firewall
– A server with three NICs acts as a packet filter between the corporate intranet and the internet.
– Advantages?
– Disadvantages?
– Ex.
nic 1 == Internal Traffic
nic 2 == DMZ network
nic 3 == Internet Traffic
– aka triple-homed firewall, screened subnet firewall
(diagram: Firewall Appliance with one link each to the Internet, the Internal Network and the DMZ)
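The three-homed layout above, combined with the stateful inspection described on the Firewalls slide, as an added example that is not part of the original deck: a toy Python filter that zones traffic by NIC, lets only the published DMZ service in from the Internet, never lets the DMZ open connections into the LAN, and admits replies only for flows it already accepted. The zone ranges, the web host 192.168.2.10 and the sample packets are assumptions (the deck gives only the DMZ range 192.168.2.x and the gateway).

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumed zones: nic 1 = Internal 192.168.1.0/24, nic 2 = DMZ 192.168.2.0/24, nic 3 = Internet.
INTERNAL, DMZ = ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")
WEB_HOST = ip_address("192.168.2.10")  # constructed: the public web server in the DMZ
# syn=True opens a new connection; syn=False belongs to an existing one.
Packet = namedtuple("Packet", "src dst sport dport syn")

def zone(addr):
    ip = ip_address(addr)
    return "internal" if ip in INTERNAL else "dmz" if ip in DMZ else "internet"

def policy_allows_new(pkt):
    """Which NEW connections may cross; DMZ -> internal is deliberately absent."""
    src, dst = zone(pkt.src), zone(pkt.dst)
    if src == "internal" and dst in ("dmz", "internet"):
        return True
    if src == "internet" and dst == "dmz":  # only the published service is reachable
        return ip_address(pkt.dst) == WEB_HOST and pkt.dport in (80, 443)
    return False

class StatefulFirewall:
    """Admits replies only for flows the policy already accepted (stateful inspection)."""
    def __init__(self):
        self.table = set()  # (src, dst, sport, dport) of accepted flows

    def handle(self, pkt):
        flow = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if pkt.syn:
            if not policy_allows_new(pkt):
                return "DROP"
            self.table.add(flow)
            return "ACCEPT"
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        # Unsolicited non-SYN traffic (e.g. a forged "reply") has no table entry.
        return "ACCEPT" if flow in self.table or reverse in self.table else "DROP"

def demo():
    fw = StatefulFirewall()
    packets = [  # constructed sample traffic, one verdict per packet
        Packet("203.0.113.5", "192.168.2.10", 40001, 80, True),    # Internet -> DMZ web
        Packet("192.168.2.10", "203.0.113.5", 80, 40001, False),   # its reply
        Packet("203.0.113.5", "192.168.2.10", 40002, 22, True),    # Internet -> DMZ ssh
        Packet("192.168.2.10", "192.168.1.50", 51000, 445, True),  # DMZ -> internal
        Packet("192.168.1.50", "192.168.2.10", 52000, 22, True),   # internal -> DMZ admin
        Packet("192.168.2.10", "192.168.1.50", 22, 52000, False),  # its reply
        Packet("192.168.2.10", "192.168.1.50", 445, 53000, False), # forged "reply"
    ]
    return [fw.handle(p) for p in packets]
```

Running `demo()` shows the reply to the internal admin session passing while the DMZ host's own attempt to reach the LAN, and a reply nobody asked for, are both dropped.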
Firewall Topologies
• Back-to-Back Firewall
– Two firewalls are used to contain the DMZ from both the Internet and the Internal network
• More secure
– Why?
• Downsides to this?
(diagram: Internet, DMZ, Internal Network, with a firewall on each side of the DMZ)
DMZ Topologies
• Beyond the back-to-back firewall
– Use of more NICs to create zones
– Use of more firewalls to create multiple DMZs
– VLANs to create zones within the DMZ
Going Virtual
• To create a DMZ in a Box we need to use virtual machines.
• Let’s do a crash course in VMware Networking
Of note…
• VMware uses two assigned Vendor ID (OUI) ranges:
– 00:0c:29:*:*:*
– 00:50:56:*:*:*
• MAC addresses for Virtual Machines are calculated based on the physical machine’s UUID and some file locations.
• A static MAC can also be used, coded into the config file.
• Internal network traffic between virtual NICs occurs with NO collisions and at faster than gigabit speeds.
DMZ at Work
• What we do…
• Two Dell servers with VMware software installed:
– Virtualized 14 physical servers into VMs
• Two Cisco PIX (Private Internet Exchange) firewalls in the back-to-back configuration
• Various VLAN implementations also in play
• 8U of rack space versus the 35U consumed by the former non-virtual DMZ. Less power, less cooling required, less maintenance, fewer service contracts.
The Main Attraction
Technology Behind the Example
• VMware Workstation 5.5
– “DMZ” created virtually within Workstation
– Consists of:
• One Router
• One Windows XP host within the DMZ
• One Linux host within the DMZ
• DMZ Network = 192.168.2.x
• GW = 192.168.1.1
• Firewalls IP = DHCP assigned (hopefully)
• Freesco Linux Router
– http://freesco.org/
– Open source linux alternative to Cisco appliance
– Runs off a floppy!
– Simple!
• My DMZ is somewhat cheesy. I know.
– Simply a Bastion topology DMZ
– Some quirks
(diagram: Internet, router, Internal Network)
Whiteboard Exercise
• What would this look like with physical hardware…?
– In lieu of a Visio diagram, let’s visit the Whiteboard
Demo Time