Firewall Wizards mailing list archives

Rationale of the great DMZ
From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Wed, 10 Jul 2002 11:38:50 -0500

Readers,

It becomes obvious in many situations that these days the interpretation of a
DMZ and its implied security has changed.  Originally, DMZs were the zoned
area where systems were placed that, if they were compromised, wouldn't
directly compromise the internal system.  The idea is that systems placed
in the DMZ should not contain sensitive access points in to
the internal network.  More so, data would be pushed to these systems in the
DMZ and data obtained via some proxied effort.  Network activity wouldn't
necessarily begin from the DMZ and be tunneled in to the internal network.

From what I have seen, with the advent of SSL accelerators, hybrid firewalls and
data encryption technology, the traditional DMZ is being depleted for a more
trusted zone environment.

Some points I have noted:

(1)     Commonly SSL accelerators terminate the SSL end point prior to the
web services receiving the HTTP data.
(2)     Firewalls are placed between servers and are more passive between
the DMZ and the internal network.
(3)     Certain data like credit card data is encrypted, and since this is
perceived as being secure, more trusted and sensitive data is placed in the
DMZ, without thought to the very nature of how this data could be easily
decrypted, or captured prior to it being stored encrypted.


Some of the issues:
(1)     If the SSL connection is terminated prior to the servers inside the
DMZ, network sniffing is far easier to perform than application hacking to
obtain sensitive data, traversing from the Internet in to the DMZ and from
the DMZ to the inside corporate network.
(2)     The implicit trust between applications and databases between the
DMZ and the internal network means that, once a compromise has occurred,
tunneling in to the corporate network becomes more easily penetrable.
(3)     As a site's functionality becomes more tightly integrated to the
business, the DMZ notion is weathered to form a perimeter security barrier
and the DMZ part of the internal network.
(4)     The lack of support for SSL on the servers within the DMZ means
that more often than not, data is transmitted insecurely from the DMZ to other
networks, be it internal or back out the DMZ.
(5)     Cyclical redundancies in network traffic, as VPNs are set up to
obtain data feeds but the feeds terminate on different hardware that is
insecure both at the network through to the application levels.

Is anyone else seeing this trend, particularly as e-commerce strives to
fulfill the management and marketing expectation of reporting functionality?

Cheers
Richard

Richard Scott
Information Security
Tel: (001) -952-324-0697
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy
or any of its subsidiaries


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
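As an added example (not from the post or the list), a small Python lint over an assumed, simplified zone-rule model that flags the flows issues (1), (2) and (4) describe, and a second ruleset in which the internal network pulls from the DMZ instead of the DMZ pushing inward:

```python
"""Zone-policy lint for the DMZ rationale in the post (added example).

Assumed rule model, not any vendor's format: source zone, destination zone,
service, action.  The checks encode the original DMZ idea: data is pushed
into the DMZ, sessions should not originate in the DMZ and tunnel inward,
and any inward hop that does exist should not run in the clear.
"""
from dataclasses import dataclass

# Services that travel in the clear once SSL is terminated on an accelerator
# or never enabled on the DMZ servers (assumed list for the example).
PLAINTEXT_SERVICES = {"http", "mysql", "mssql", "ldap", "ftp", "telnet"}


@dataclass(frozen=True)
class Rule:
    src: str      # zone initiating the session: "internet", "dmz", "internal"
    dst: str      # zone receiving it
    service: str
    action: str   # "allow" or "deny"


def audit(rules):
    """Return (rule, finding) pairs for allow rules that undermine the DMZ."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == "dmz" and r.dst == "internal":
            # Issue (2): a DMZ-initiated session inward makes a compromised
            # DMZ host a stepping stone into the corporate network.
            findings.append((r, "DMZ-initiated connection into internal network"))
            if r.service in PLAINTEXT_SERVICES:
                # Issue (4): the inward hop is also unencrypted.
                findings.append((r, "plaintext service from DMZ to internal"))
        if r.src == "internet" and r.dst == "internal":
            # Issue (1): the DMZ is no longer a buffer at all.
            findings.append((r, "Internet reaches internal network, bypassing DMZ"))
    return findings


# Constructed rulesets: WEAK_RULES reflect the trend; HARDENED_RULES keep the
# database hop initiated from the inside so nothing originates in the DMZ.
WEAK_RULES = [Rule("internet", "dmz", "https", "allow"),
              Rule("dmz", "internal", "mssql", "allow"),
              Rule("dmz", "internal", "ssh", "deny")]
HARDENED_RULES = [Rule("internet", "dmz", "https", "allow"),
                  Rule("internal", "dmz", "https", "allow"),
                  Rule("dmz", "internal", "mssql", "deny")]

if __name__ == "__main__":
    for rule, finding in audit(WEAK_RULES):
        print(f"{rule.src}->{rule.dst} {rule.service}: {finding}")
```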

