constructing a DMZ
15 years 6 months ago #30326
by sose
sose
Network Engineer
analysethis.co/index.php/forum/index
constructing a DMZ was created by sose
I yanked this from a thread in this forum
The purpose of a DMZ is to provide an isolated zone for hosts/servers and devices that need to be accessed from the internet/outside world but also separated for security reasons from your internal network. A DMZ could be implemented with a PC with three NIC cards. Having gotten that, you'll need to configure the operating system on the PC to allow routing between the three cards, then configure the firewall software to allow and restrict the traffic as appropriate. A couple of things here: first of all, I would strongly recommend that you use a dedicated PC for this - don't try to do server or other tasks on it as well, just let it be the DMZ firewall. And secondly, you could go for one of the easy-to-use ready-built firewall implementations like IPCop. I know this isn't Windows based, but if you have any old PC lying around you can install it easily, setup is simple and you can be sure it's going to work.
But let's go down to some specifics. As I mentioned, the basic concept is to take a PC running a 'hardened OS' (one that runs no services except the firewall), usually equipped with three (3) NICs. One is for the 'outside' (if you use this arrangement to replace your normal router/firewall/switch device); it should be hooked directly to your provider's incoming line. Call this Zone 0. One is for the DMZ; this one can be hooked to another switch/hub or directly to the server device you want the outside world to be able to access. Call this Zone 1. The third and last interface is for your internal network. It can (the DMZ) be hooked into a switch/router in order to maintain your internal LAN. Call this Zone 2. That should give you a basic diagram (when converted from words) of how the box both looks and interfaces between your provider and your internal network. Now you get to the real business, which is what the learning is all about, right?
Zone 0. Should be set to acquire an IP address from the provider, i.e. set up for DHCP. It should also act as your 'master DNS relayer'. What this means is that all your internal and DMZ machines will query this interface to do DNS resolutions.
Zone 1. This should be set up with a static IP address. I recommend using something in the 10.0.0.X range for DMZ machines. This will handle all of the machines in your DMZ.
Zone 2. This should be set up with a static address (something in the 192.168.0.X range); further, it should be set up to do DNS relays for any machines in your LAN. It should also be set up to hand out DHCP for your internal LAN. From here you get to build your firewall rules using whichever flavor of implementation you choose. Key to the entire approach is this: as the Zone # increases you want more controls in place. This prohibits traffic flow. This is basically what a firewall does. Using this approach can be cumbersome unless you have some fundamental background in security concepts. However, it gives you a great deal of flexibility and doesn't cost as much as a true hardware-based solution does.
My questions:
1. How do you configure routing within the 3 NICs, or is it automatic?
2. There is DHCP configuration in Zone 0 and Zone 2; won't there be a conflict?
Any other observations?
15 years 6 months ago #30332
by KiLLaBeE
Replied by KiLLaBeE on topic Re: constructing a DMZ
1. I don't know if it's automatic on IPCop, but on 2003 Server it is, after you enable the Routing and Remote Access service. The service detects the multiple NICs with different IP addresses and it updates its routing table.
2. No DHCP conflicts. You're binding two separate DHCP services/daemons to the NICs.
You're binding the DHCP Server service/dhcpd daemon to the NIC on Zone 2, essentially telling the NIC to provide clients with the DHCP service (i.e.: to give out IP addresses). The NIC has its own static IP address.
You're binding the DHCP Client service/dhcpc daemon to the NIC on Zone 0, telling the NIC to request DHCP service (i.e.: request an IP address for itself, but not offer IP addresses for any clients).
15 years 6 months ago #30340
by sose
Replied by sose on topic Re: constructing a DMZ
yeah
now I got the technique
15 years 6 months ago #30341
by sose
Replied by sose on topic Re: constructing a DMZ
Also, if routing will be automatic in 2003 Server, it is highly unlikely that people will use 2003 Server to form a DMZ.
15 years 6 months ago #30344
by KiLLaBeE
Replied by KiLLaBeE on topic Re: constructing a DMZ
True, you could say that. In addition to setting up the routing with RRAS, you'd also have to set up the Zone 0 and Zone 1 NICs with firewall settings such as packet filtering options so you can accept/deny certain packets in/out of the interfaces. So there is no explicit setting for setting up a NIC as a DMZ NIC.
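The three-zone policy quoted in the opening post, together with the routing question it raised, as an added example that is not from this thread: a POSIX shell script for a Linux firewall host, doing with sysctl and nftables what RRAS plus packet filtering does on 2003 Server. The interface names eth0/eth1/eth2, the subnets, the 10.0.0.10 web server and the ports opened to it are assumptions.

```shell
# Added example (not from the thread): the three-zone policy as an nftables
# ruleset for a Linux firewall host. Interface names, subnets and the DMZ
# web server address are assumptions.
WAN=eth0            # Zone 0: provider line, address obtained via DHCP client
DMZ=eth1            # Zone 1: 10.0.0.0/24, this host is 10.0.0.1
LAN=eth2            # Zone 2: 192.168.0.0/24, this host is 192.168.0.1
DMZ_WEB=10.0.0.10   # constructed: the one DMZ server the outside may reach
# Routing between the NICs is not automatic on Linux (cf. enabling RRAS on 2003 Server).
enable_forwarding() { sysctl -w net.ipv4.ip_forward=1; }
# Print the ruleset. Controls tighten as the zone number rises:
#   LAN -> DMZ, WAN: allowed.   DMZ -> WAN: allowed, DMZ -> LAN: dropped.
#   WAN -> DMZ web server on 80/443 only.   WAN -> LAN: dropped.
build_ruleset() {
cat <<EOF
flush ruleset
table inet dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$LAN" oifname { "$DMZ", "$WAN" } accept
        iifname "$DMZ" oifname "$WAN" accept
        iifname "$WAN" oifname "$DMZ" ip daddr $DMZ_WEB tcp dport { 80, 443 } accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        iifname { "$DMZ", "$LAN" } meta l4proto { tcp, udp } th dport 53 accept
        iifname "$LAN" udp dport 67 accept
        iifname "$WAN" udp sport 67 udp dport 68 accept
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "$WAN" tcp dport { 80, 443 } dnat to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN" masquerade
    }
}
EOF
}
# Apply on the firewall host as root: sh dmz-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    enable_forwarding && build_ruleset | nft -f -
fi
```

The input chain only accepts the DNS and DHCP traffic the quoted post says the box must serve (DNS relay for Zone 1 and Zone 2, DHCP server on Zone 2, DHCP client on Zone 0), so the two DHCP roles never share an interface.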