Re: DMZ - Question

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2007-10-26 hol64 () hotmail com wrote:
> I have to setup a DMZ on our network. Our current layout is Internet
> Router <--> Firewall <--> WAN/LAN Router <--> Servers
>
> The idea is to setup a back-to-back DMZ or Dual Firewall DMZ. So the
> topology would be like this.. Internet Router --> FW-1 <--> DMZ <-->
> FW-2 <--> WAN/LAN router. 
>
> On the DMZ we will have a Web Server that needs access back to the
> Mainframe on the LAN, and a Mail server that need access to another
> mail server on the LAN.

Bad idea. You don't want hosts in the DMZ to be able to establish
connections into the LAN. That would be breaking the concept of a DMZ
(allow connections from a network with higher security level to a
network with lower security level, but not vice versa).

There are several ways to deal with this problem, e.g. replicate the
information from the servers into the DMZ, use bastion hosts, or put
the servers from the LAN into a second DMZ.

> One of my questions is the DMZ is in a /24 subnet and the LAN is on a
> /16 subnet. Is the only way for the web server in the DMZ to
> communicate with the inside LAN by NATting in the FW-2. Isn't this
> creating a double subnet from the outside??

Actually the subnets don't matter at all, as long as you're using
differnet address ranges for both networks. Of course you can do
double-NAT, but usually that won't be necessary. Even if both networks
have private IP addresses, you can route between LAN and DMZ as long as
you do NAT towards the Internet.

What address ranges are we talking about, anyway?

> I am working with 2 pix firewalls, and I am hoping to change FW-2 to a
> different brand that has stateful inspection.

Ummm... AFAIK PIXs do stateful inspection.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq