“DMZ In a Box”


Page 1: “DMZ In a Box”. What is a DMZ? As a military term As a computing term


Page 2

What is a DMZ?

• As a military term

• As a computing term

Page 3

DMZ Knowledge

• Stands for Demilitarized Zone, harks back to the Vietnam DMZ / 17th Parallel

• It’s considered “a network sitting between two networks”
  – Not part of the internal network nor directly part of the internet

• Used to house public services (mail, web, vpn, ftp, etc.)

• Machines in the DMZ should be considered less secure than those on the LAN, since they are exposed to traffic from the internet

Page 4

DMZ Diagram (wikipedia.com sourced)

Page 5

Firewalls

• What is a firewall?
  – A program or hardware device that filters information passing from one network to another (typically from the internet to a private network).

• How do you manage it?
  – Admins can allow traffic over specific ports/port ranges for both TCP and UDP traffic. These rules/policies can apply to individual machines or to entire groups of machines.

• How do they control traffic?
  – Three typical ways: Packet filtering, Proxy service, and Stateful Inspection
  – Packet Filtering: each packet is checked against a set of filters/rules (addresses, ports, protocol) and is passed or dropped on that basis
  – Proxy service: requests to the internet are redirected to a proxy, which fetches the information and returns it to the requesting client
  – Stateful Inspection: examines key fields of each packet and compares them against a table of known, trusted connections. Information is inspected going out to the internet and then, as the response travels back to the network, it is allowed to pass only if it matches a connection in that table.

Page 6

Firewall Topologies

• Bastion Host
  – One host filters all traffic between the internal network and the Internet
• Good for *simple* networks with no public services hosted.
• Issues? Benefits?

Diagram (labels only): Internal Network, Internet

Page 7

Firewall Topologies

• Three-homed firewall
  – A server with three NICs acts as a packet filter between the corporate intranet and the internet.
  – Advantages? Disadvantages?
  – Ex.
    nic 1 == Internal Traffic
    nic 2 == DMZ network
    nic 3 == Internet Traffic
  – aka triple-homed firewall, screened subnet firewall

Diagram (labels only): Internal Network, DMZ, Internet, Firewall Appliance
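The following is an added illustration (not code from the slides, and not a real firewall) that ties the Firewalls slide to the three-homed topology above: a small zone-based filter that does packet filtering on new flows against a per-zone policy and stateful inspection for return traffic. The zone names, the policy table and the sample packets (addresses, ports) are all constructed for the example.

```python
"""Zone-based stateful packet filter: a small Python model of the packet-filtering
and stateful-inspection ideas from the Firewalls slide, applied to the three NICs
of the three-homed topology. Added illustration, not real firewall code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str      # zone of the NIC the packet arrived on
    dst_zone: str      # zone of the NIC it would leave through
    proto: str         # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for a TCP connection-opening packet


Flow = Tuple[str, str, int, str, int]
# (from_zone, to_zone) -> services allowed to START a flow.
# None means any new flow may start; a missing key means deny all new flows.
Policy = Dict[Tuple[str, str], Optional[Set[Tuple[str, int]]]]

# Hypothetical policy for nic1=internal, nic2=dmz, nic3=internet.
THREE_HOMED_POLICY: Policy = {
    ("internal", "internet"): None,
    ("internal", "dmz"): None,
    ("internet", "dmz"): {("tcp", 25), ("tcp", 80), ("tcp", 443)},  # published services
    ("dmz", "internet"): {("tcp", 25), ("udp", 53)},                # mail relay, DNS
    # ("dmz", "internal") and ("internet", "internal") are deliberately absent:
    # nothing outside the LAN may open a connection into it.
}


class StatefulFilter:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.state: Set[Flow] = set()  # established flows, keyed by 5-tuple

    @staticmethod
    def _flow(p: Packet) -> Flow:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reply(p: Packet) -> Flow:
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def decide(self, p: Packet) -> str:
        # Stateful inspection: traffic that belongs to an established flow,
        # in either direction, passes without re-consulting the zone policy.
        if self._flow(p) in self.state or self._reply(p) in self.state:
            return "ALLOW (established)"
        # Packet filtering: a new flow must be permitted by the zone policy.
        allowed = self.policy.get((p.src_zone, p.dst_zone), set())
        if allowed is not None and (p.proto, p.dst_port) not in allowed:
            return "DROP (policy)"
        # Only a SYN may open a TCP flow; a stray ACK with no state is dropped.
        if p.proto == "tcp" and not p.syn:
            return "DROP (tcp non-SYN without state)"
        self.state.add(self._flow(p))
        return "ALLOW (new flow)"


def run_scenario() -> List[str]:
    """Push constructed sample traffic through the filter; addresses are placeholders."""
    fw = StatefulFilter(THREE_HOMED_POLICY)
    traffic = [
        Packet("internet", "dmz", "tcp", "203.0.113.7", 40001, "192.168.2.10", 80, syn=True),
        Packet("dmz", "internet", "tcp", "192.168.2.10", 80, "203.0.113.7", 40001),  # reply
        Packet("internet", "internal", "tcp", "203.0.113.7", 40002, "10.0.0.5", 445, syn=True),
        Packet("dmz", "internal", "tcp", "192.168.2.10", 50000, "10.0.0.5", 22, syn=True),
        Packet("internal", "dmz", "tcp", "10.0.0.5", 50001, "192.168.2.10", 22, syn=True),
        Packet("internet", "dmz", "tcp", "203.0.113.7", 40003, "192.168.2.10", 22, syn=True),
        Packet("internet", "dmz", "tcp", "203.0.113.9", 40004, "192.168.2.10", 80),  # no SYN
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The scenario shows why the three-homed layout is more than "a box with three cables": the web reply from the DMZ host is allowed only because the outbound SYN created state, the DMZ host cannot open a connection into the LAN even though it sits on the same firewall, and a packet that arrives without a matching SYN or state entry is dropped even when the port itself is published.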

Page 8

Firewall Topologies

• Back-to-Back Firewall
  – Two firewalls are used to contain the DMZ from both the Internet and the Internal network
• More secure – Why?
• Downsides to this?

Diagram (labels only): Internal Network, DMZ, Internet

Page 9

DMZ Topologies

• Beyond the back-to-back firewall
  – Use of more NICs to create zones
  – Use of more firewalls to create multiple DMZs
  – VLANs to create zones within the DMZ

Page 10

Going Virtual

• To create a DMZ in a Box we need to use virtual machines.

• Let’s do a crash course in VMware Networking

Page 11

Page 12

Of note…

• VMware uses two assigned Vendor ID (OUI) ranges:
  – 00:0c:29:*:*:*
  – 00:50:56:*:*:*
• MAC addresses for Virtual Machines are calculated based on the physical machine’s UUID and some file locations.
• Can use a static MAC, coded into the config file.
• Internal network traffic between virtual NICs occurs with NO collisions and at faster than gigabit speeds.
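Because the two OUIs above are fixed, a defender can use them to inventory which addresses on a segment belong to VMware guests. The following is an added example (not from the slides or from VMware) that pulls MACs out of constructed dhcpd-style log lines and flags the VMware ones. The static-address range check rests on an assumption from VMware's documentation rather than the slide: manually assigned MACs must lie in 00:50:56:00:00:00 through 00:50:56:3f:ff:ff.

```python
"""Identify VMware virtual NICs from MAC addresses found in log lines, using the two
VMware OUIs from the slide. Added example; the log lines below are constructed."""
import re
from typing import Dict, List

# OUIs named on the slide. Which of the two a VM gets depends on how the MAC was assigned.
VMWARE_OUIS = {"00:0c:29", "00:50:56"}

# Assumption (VMware documentation, not the slide): manually assigned MACs must fall in
# 00:50:56:00:00:00 .. 00:50:56:3f:ff:ff, i.e. OUI 00:50:56 with fourth byte <= 0x3f.
MANUAL_OUI = "00:50:56"
MANUAL_FOURTH_BYTE_MAX = 0x3F

# Colon- or hyphen-separated MAC; dotted Cisco form is handled by normalize_mac().
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return lowercase colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_vmware_mac(mac: str) -> bool:
    """True if the first three bytes match one of the VMware OUIs."""
    return normalize_mac(mac)[:8] in VMWARE_OUIS


def in_manual_range(mac: str) -> bool:
    """True if the MAC lies in the range VMware reserves for statically configured addresses."""
    m = normalize_mac(mac)
    return m[:8] == MANUAL_OUI and int(m[9:11], 16) <= MANUAL_FOURTH_BYTE_MAX


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per distinct VMware MAC seen, in first-seen order."""
    seen: Dict[str, Dict[str, object]] = {}
    for line in lines:
        for match in MAC_RE.finditer(line):
            mac = normalize_mac(match.group(1))
            if mac in seen or not is_vmware_mac(mac):
                continue
            seen[mac] = {
                "mac": mac,
                "manual_range": in_manual_range(mac),
                "line": line.strip(),
            }
    return list(seen.values())


# Constructed dhcpd-style lines for a DMZ segment (eth1) and the LAN (eth0).
SAMPLE_LOG = [
    "Mar 14 10:02:11 fw dhcpd: DHCPACK on 192.168.2.10 to 00:0c:29:3a:bc:01 via eth1",
    "Mar 14 10:02:15 fw dhcpd: DHCPACK on 192.168.2.11 to 00-50-56-12-AB-CD via eth1",
    "Mar 14 10:02:20 fw dhcpd: DHCPACK on 192.168.1.50 to 00:1a:2b:3c:4d:5e via eth0",
    "Mar 14 10:03:02 fw dhcpd: DHCPACK on 192.168.2.12 to 00:50:56:80:00:01 via eth1",
    "Mar 14 10:03:30 fw dhcpd: DHCPACK on 192.168.2.10 to 00:0c:29:3a:bc:01 via eth1",
]

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        kind = "manual-range" if rec["manual_range"] else "auto/other"
        print(rec["mac"], kind, "|", rec["line"])
```

Run against a real dhcpd or ARP log the output is a quick "which DMZ hosts are VMs" list, and the manual-range flag catches a hand-typed static MAC that falls outside the range VMware accepts (such a MAC is a sign the config file was edited without checking the rule).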

Page 13

DMZ at Work

• What we do…
• Two Dell servers with VMware software installed:
  – Virtualized 14 physical servers into VMs
• Two Cisco PIX (Private Internet Exchange) firewalls in the back-to-back configuration
• Various VLAN implementations also in play
• 8U of rack space versus the 35U consumed by the former non-virtual DMZ. Less power, less cooling required, less maintenance, fewer service contracts.

Page 14

The Main Attraction

Page 15

Technology Behind the Example

• VMware Workstation 5.5
  – “DMZ” created virtually within Workstation
  – Consists of:
    • One Router
    • One Windows XP host within the DMZ
    • One Linux host within the DMZ
    • DMZ Network = 192.168.2.x
    • GW = 192.168.1.1
    • Firewall’s IP = DHCP assigned (hopefully)
• Freesco Linux Router
  – http://freesco.org/
  – Open source Linux alternative to a Cisco appliance
  – Runs off a floppy!
  – Simple!
• My DMZ is somewhat cheesy. I know.
  – Simply a Bastion topology DMZ
  – Some quirks

Diagram (labels only): Internal Network, Internet

Page 16

Whiteboard Exercise

• What would this look like with physical hardware…?
  – In lieu of a Visio diagram, let’s visit the Whiteboard

Page 17

Demo Time