DMZ Design #51 - Changing the DMZ design, increasing security, and decreasing complexity

Taking a new approach to DMZ design and implementation can increase security. Addressing some of the short comings with current designs and incorporating many of the new features of (NGF) next generation firewalls. Changes the thought process when it comes to firewalls and DMZ designs and implementation. My science teacher in High School once said There is only 99 ways to skin a cat, after that you just start repeating things in a different order. My teacher used to display Fred the cat, He was skinned and wired up on a piece of wood, for the entire class to see. After examine Fred, I was able to tell how he started the process; the spot on the nick in the fur was the hint to me. I had figured out 50 or so ways to skin the cats, talking and sounding it out with friends at lunch and in class, but the way he did it was completely different, he started with the cut under the neck, right below the chin. He took a complete different approach then I was planning to, but made me question things. Since then I have always question things, looking for the best ways, and then exploring all the other ways to do something. This line has always driven the way I look at things. When it comes to DMZ designs there are many camps, Single layer configuration, Dual layer configurations, and Separated zone configurations, on and on. These are the basics, with many twists that add many more design possibilities. I want to find a solution that not only was best of breed, but flexible and easy to use giving us maximum security and bang for the buck. While playing with the designs and the components, Fred the cat came to mind. Some call it perspective, some call it thinking outside the box, and I call it skinning the cat. Looking at all the different angles and trying to find the spot on the neck of the design where I need to start pealing the layers back and make the changes. The Best Practice is to layer the design, keeping one firewall protected by another and restricting DMZ traffic between the two. This design has some merits, but allows the DMZ to mix traffic with internal traffic causing possible issues and honestly if one firewall is breached, the other will fall pretty quickly. Single arm design is quick and dirty, but doesnt add very much to the overall security very much on its own. Protecting one firewall from inbound traffic while allow another firewall to handle and filter the majority of the traffic adds some value, but only if there is additional filter on both sides. Looking for the different approach (way to do things), the spot to me was in merging the design pulling the best features of all of them. In comes the new way to skin Fred, add another firewall for the DMZ, single arm highly filtering traffic, handling and processing traffic, then passing it on to the other firewall, but filtered, and protected, but here is the kicker, eliminate flow in from the internet on the main firewall, allowing only outbound traffic, this is the chin I was looking for. Key point is to make sure that no traffic flows from the DMZ out to the internet through the internal firewall. Using the DMZ for web services is also part of the key. The landing point for services should be a device in the DMZ, locking down transactions. Use of front-end or edge servers to complete the picture, these devices can even be load balancers or harden web server devices.

Traffic hits the Internet Border Router and is directed to the firewall which is the gateway for the address. DMZ traffic is first filter by the DMZ Firewall and then processed by the front end device (or load balancers); all traffic is terminated in the DMZ at a front end device. Only filtered or redirected traffic, is passed back to the internal network through the NGF device. All traffic is controlled in both directions; with limits on source, destination and protocols/application. Traffic hitting the NGF from the internet is dropped unless the traffic matches an outbound request. This design increases security several ways.

Additional layers of filtering traffic/application Eliminate ingress traffic that is not solicited, unless filtered through DMZ Limiting the possibility of the main firewall being breached or compromised directly from the internet

These key factors allow the configuration to benefit from merging designs and increase the value, (additional value can be extracted by using filtering on the DMZ Switch, limiting traffic between devices). To increase the overall security even more, the NFG needs to supports the following:

IDS/IPS APS/WAF Encryption User Access controls

These additional components integrated lower overall operation cost, but expand the security footprint. All internet based traffic can now be classified and fingerprinted; allowing better over control, management and filtering. The major caveat to this process is that the NGF must truly preform in real time. These functions must be performed as close to real time as possible, otherwise the additional latency leads to the question Why not use separate devices?.

All internet based traffic is now not only filtered and limited, but the traffic is verified in the NGF. One key focus is the DMZ firewall, which could be a NGF or SPI firewall. If traffic entering the DMZ is encrypted, a NGF at the edge of the DMZ does not add a lot of value. Using an NGF at the

Border of the DMZ can eliminate some more exploits and malicious scans, but the value is limited by the cost. There are other countermeasures negate the need for the DMZ firewall to be NGF, unless you get a real good price from the vendor. Encrypting the data from the DMZ into the NGF can add value, eliminating additional points of exploitation. All devices will need to be configured to support this encryption. Many load balancers (F, Kemp Tech to name a few) can handle encryption and decryption which are the best way to go to eliminate potential security issues with servers. These devices will add additional security layers and protect the data behind the scenes.

The following factors should also be considered to increase the overall security of the design: Adding Load Balancer

Using filtering for events Using encrypt/decrypt for traffic source from internet IPS/APS/WAF functionality built in to device
Limit connections totals from source Filter traffic via rules to protect the real data Change backend web services information, advertise wrong header

Route as much traffic through the device (SMTP/FTP/Terminal Server/HTTP/HTTPS)

Blocking at the Border Router

Drop high risk ports/services Blocking connections from countries that are not needed

Limit devices which are installed into DMZ

Harden OS based devices Harden appliances Limited connections to internal network for non-web services functionality

Create sub-DMZ

Sub-DMZ only talks to DMZ devices and Internal network through firewall Cannot talk to or from internet directly

Use of the NGF features, programing the rules based upon application and not ports Configure and use advance features of the NGF and load balancers

Application fingerprinting

A major factor to be understood is the NGF device. True Next Generation Firewall do more than packet filter/inspection, they do a deeper dive into packet and data determining application classification not just rely on port blocking for the protection. The fingerprinting traffic is highly important, as understanding what is actual happening on the wire which is key to increase security. NGF devices need to be able to see the applications making the transactions, are Lime wire, Bit Torrent, or other non-business related applications tunneling through the firewall, passing with any real verification of traffic content? Are social networking allowed, with all the options (Chat, games, mail) for sake of customer service? A true

NGF can block these. I have been playing with Palo Alto network device, and it opened my eyes to what a real firewall should do. It showed me 40+ applications that were being tunneled through port 80 & 443. It showed me all application traffic, and had the ability to block types of application traffic, like Google Docs or Facebook application (mail, games, chat). I have been told that Juniper firewalls will be able to do the same things in the next version, and that Checkpoint can do some of it, (they do 200 application, Palo Alto Networks does over 960), Cisco cannot do anything close, and honestly is just a good SPI firewall, but not a NGF class device. The question is efficiency and cost. How much is it going to cost to do the firewall right This DMZ design is a different way to skin a cat, I call it #51. After all the work with the conceptual designs, it all comes down to will it work, does it make sense and can it be this simple yet effective? I will tell you that there is one major company (Top Company in its field) moving to this DMZ design and several others that are looking at it as an option for increasing security, and limiting complexity. There are many ways to do things, sometimes is not just the difference between right or wrong, but what is the overall objective and goals. Sometimes, the sum of the components makes taking the different path the right choice.

http://www.activewin.com/articles/2010/dmz/index.shtml Published March 3, 2010