I’ve seen my fair share of networks that are solid on the outside, but soft on the inside. But I’ve also seen a handful of networks that are solid throughout. It starts with a well-managed firewall at the edge, a strict inbound (Internet) network policy, at least one DMZ, and sometimes an additional firewall inside the private network.
In small to medium businesses (SMBs) there’s often pushback regarding the deployment of a DMZ. Admittedly, if the network, and the applications that sit on top of it, were not designed with “least privilege” in mind from the start, a moderate degree of effort, plus some additional hardware, will be required. You might even need some third-party assistance. This translates to both effort and cost, which puts people off pretty fast. So what’s the real driver behind a DMZ, or an internal firewall, for that matter?
Reduce the attack surface, isolate threats, & protect high value assets
You'd never put a production Apache or IIS web server outside the firewall (I hope!). There are too many services exposed and therefore too much risk, or potential for damage. So you put those assets behind the firewall and only allow public access using HTTP. By ensuring the web server is patched and the application is free of OWASP-type bugs, you further reduce the risk associated with a break-in. So far so good.
Now here's the risky part -- your Internet website is directly connected to your private LAN. In fact, it shares the same subnet as your internal servers and workstations. When Internet users (and hackers) view your website, those requests travel through your firewall where they are processed by the web server on your private network… the same network where your employees access personal information… the same network where HIPAA or PCI data may be stored in a database.
Depending on your business risk, allowing public Internet traffic to connect to hosts on your private network is like letting bank customers do business inside the vault. Every once in a while, a thief is going to get in; by the time it is noticed, it could be too late. In network security terms, I am referring to a cyber-criminal or malicious process finding a weakness in the web server that sits on your private LAN. By the time you realize you’ve been hacked, it’s too late. The intruder is already on your network with un-firewalled access to your internal servers, workstations, and devices. It's trivial at this point to install keystroke loggers, sniffers, or a backdoor that lets the intruder secretly slip back into your network if he's discovered.
By connecting the web server to the DMZ switch, versus the private LAN, you can restrict potential intruders to the DMZ only. In the case of a web server that communicates with a backend file server or database, you'll need to poke some holes to allow that traffic from the DMZ to the private LAN. Does this weaken the model? Yes, but not significantly. After all, the point of the firewall isn’t to block everything but to strictly allow what is required to support business applications and services. This means permitting traffic from specific systems on the DMZ to a handful of internal hosts and specific ports.
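To make that rule model concrete, here is an added example (not from the original post) that encodes the three-zone policy as a first-match rule table with default deny, and compares what a compromised web server could reach from the DMZ versus from a flat LAN. All addresses, host names and the SQL port are constructed assumptions.

```python
import ipaddress

# Constructed addressing for the post's three zones (assumption, not from the page).
DMZ = ipaddress.ip_network("192.0.2.0/24")    # DMZ switch
LAN = ipaddress.ip_network("10.0.0.0/8")      # private LAN
WEB = ipaddress.ip_address("192.0.2.10")      # Internet-facing web server in the DMZ
WEB_FLAT = ipaddress.ip_address("10.0.0.10")  # the same web server if left on the LAN
DB = ipaddress.ip_address("10.0.5.20")        # backend database on the LAN
FILESRV = ipaddress.ip_address("10.0.5.21")   # an internal file server
WORKSTATION = ipaddress.ip_address("10.0.9.7")

def zone_of(ip):
    """Map an address to the zone the firewall sees it in."""
    ip = ipaddress.ip_address(ip)
    if ip in DMZ:
        return "dmz"
    if ip in LAN:
        return "lan"
    return "internet"

# Ordered, first-match rule set; anything not listed is denied.
# Fields: source (zone name or host), destination (zone name or host), TCP port.
RULES = [
    ("internet", WEB, 80),  # public access to the website over HTTP only
    (WEB, DB, 1433),        # the one hole the web app needs (assumed SQL port)
]

def _matches(spec, ip):
    return zone_of(ip) == spec if isinstance(spec, str) else spec == ip

def evaluate(src, dst, port):
    """Return 'allow' or 'deny' for a TCP flow, as the firewall would."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if zone_of(src) == zone_of(dst):
        return "allow"  # same subnet: the switch forwards it, the firewall never sees it
    for rsrc, rdst, rport in RULES:
        if _matches(rsrc, src) and _matches(rdst, dst) and rport == port:
            return "allow"
    return "deny"

def exposure(src, targets):
    """Which (host, port) pairs out of `targets` are reachable from `src`."""
    return {(str(h), p) for h, p in targets if evaluate(src, h, p) == "allow"}

INTERNAL_TARGETS = [(DB, 1433), (FILESRV, 445), (WORKSTATION, 3389)]

if __name__ == "__main__":
    print("web server in DMZ :", sorted(exposure(WEB, INTERNAL_TARGETS)))
    print("web server on LAN :", sorted(exposure(WEB_FLAT, INTERNAL_TARGETS)))
```

Running it shows the DMZ placement limits a compromised web server to the single database port, while the flat placement leaves every internal host reachable with no rule ever consulted.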
Rarely do the cost savings, convenience, and ease of not having a DMZ outweigh the potential damage from a break-in. The key takeaway from this post is to reduce your attack surface, isolate threats, and protect high value assets. A rapid and cost-effective method to achieve this is the proper deployment and management of network access restrictions, typically using a firewall or VLAN ACL.
As always, your feedback is welcomed.
Si