Server in DMZ: security concerns



  • Hey guys,

    I'm not sure if this forum is the right place to ask the following question. However, as I think your community is also concerned about network security (and given the fact that one major part of the problem/solution is a pfSense enabled machine) I hope you can nonetheless help me.

    The network that I have to setup is outlined by the following diagram:

    
                                           ┌─────> WLAN
              ┌─────────╮                  │
    WAN <─────┤ pfSense ├───── BRIDGE ─────┤
              └────┬────╯                  │
                   │                       └─────> LAN <─────╮
                   │                                         │
                   │                                         │
                   │                                ┌────────┴────────╮
                   │                                │     Server      │
                   │                                ├─────┬─────┬─────┤
                   │                                │ VM0 │ VM1 │ VM2 │
                   │                                └─────┴──┬──┴─────╯
                   │                                         │
                   │                                         │
                   └─────> DMZ <─────────────────────────────╯
    
    

    The idea behind this topology is to have two separate NICs connecting the server to both the LAN and the DMZ. The gain in security I hoped to find was not to provide possible intruders with a possibility to capture the server through its management port (SSH), but rather to administer the server through its "backdoor". Therefore, the virtual machines running all the services should be the only ones making use of the DMZ-sided port in order to offer their services to the outside world. In the same way, the host system should be the only one communicating through the LAN-sided port with the administrator.

    My major concern is about the linkage between the LAN and the DMZ through the server. Does this approach improve or deteriorate the security of the network? (If I'm right the server could be used to bypass the access restrictions from WAN to LAN imposed by the router…) Do you have other ideas improving this network's security?

    Thanks in advance for any support provided!



  • @Inperpetuammemoriam:

    Hey guys, … Therefore, the virtual machines running all the services should be the only ones making use of the DMZ sided port in order to offer their services to the outside world.

    Do you mean you are only exposing non-management services on the DMZ, such as a web server, and the SSH ports are only open to the LAN?



  • @Inperpetuammemoriam

    Normally this would not really gain you any security, nor improve the security of your
    entire network, as I see it. It is more that you will bypass your DMZ, which makes it
    nonsense from the security point of view in my eyes.

    • Connect a DMZ switch and a LAN switch to the pfSense
    • Place the entire server that is connected to the web in a real DMZ
    • Let the DMZ servers only connect to the Internet through Squid on the pfSense
    • Connect to the servers through the IPMI port or over KVM switches placed in VLAN1 (default)
    • Set up a DMZ and LAN RADIUS server so that only you will be able to securely connect to the servers
    • Set up Snort sensors and servers to gain more security inside of your network

    The idea behind this topology is to have two separate NICs connecting the server to both, the LAN and the DMZ.

    Really a bad idea as I see it, and only an alibi question here in the forum.

    The gain in security I hoped to find was not to provide possible intruders with a possibility to capture the server

    There is no security gain in this model!

    but rather administer the server through its "backdoor".

    It would be more a backdoor for the entire LAN.

    There are many things that can be done for sure, but the model you want to set up
    does more harm to the entire network. Where would the problem be in setting up the server
    with the VMs inside of a real DMZ? From the LAN you could then also connect to the servers.



    @SisterOfMercy:

    @Inperpetuammemoriam:

    Hey guys, … Therefore, the virtual machines running all the services should be the only ones making use of the DMZ sided port in order to offer their services to the outside world.

    Do you mean you are only exposing non-management services on the DMZ, such as a web server, and the SSH ports are only open to the LAN?

    Yes, that would (have) be(en) the idea.

    @BlueKobold:

    • Connect to the pfSense a DMZ and a LAN Switch
    • Place the entire server connected to the web in a real DMZ

    Ok, so the better way would be to completely isolate the Server within the DMZ from the LAN.

    @BlueKobold:

    • Let the DMZ servers only connect to the Internet through Squid onto the pfSense

    I have never used Squid before, but from what I read about it (squid-cache.org), the main feature is a performance gain rather than a security gain. Did I miss something?

    @BlueKobold:

    • Connect the servers through the IPMI port or over KVM switches placed in VLAN1 (default)

    I'm not using the IPMI port. It could have been useful to be able to remotely manage the server even before the OS has booted, but from what I read about it I think it brings a much bigger security loss than a gain in usability. The risk of someone implanting low-level spy/malware (which is really hard to detect) outweighs the benefits by far.

    @BlueKobold:

    • Set up a DMZ and LAN radius server that only you will be able to secure connect to the servers

    I have also never used a RADIUS server before, but wouldn't this be like taking a sledgehammer to crack a nut? From what I read, I assume it brings a big configurational and computational overhead but little to no gain in protection from the WAN side. Wouldn't it be better to just be very restrictive in the firewall configuration concerning traffic intended for the DMZ? (e.g. allowing SSH access only from the LAN side and restricting WAN access to the few required ports)

    @BlueKobold:

    • Set up snort sensors and servers to gain more security inside of your network

    Snort is already running. ;-) However, even with a not-so-conservative configuration I had to suppress a few alerts, otherwise the internet experience would have been drastically reduced. Is this normal?

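The restrictive firewall policy the last post sketches (server and VMs entirely in the DMZ, SSH reachable from the LAN only, WAN limited to the published service ports, and no path from the DMZ back into the LAN) can be written down concretely. The ruleset below is an added example for this thread, not configuration posted by either participant and not a pfSense export: it is in the pf syntax that pfSense generates from its GUI rules (the GUI "Firewall > Rules" tabs map onto `pass in on <interface>` rules like these). Interface names, subnets, the admin workstation address and the VM addresses are assumptions for illustration; outbound NAT is omitted.

```pf
# Added example: pf ruleset for the three-legged pfSense (WAN / LAN / DMZ).
# All names and addresses below are assumed for illustration.
ext_if = "em0"        # WAN
lan_if = "em1"        # LAN: the administrator's workstation lives here
dmz_if = "em2"        # DMZ: the server and its VMs live here

lan_net  = "192.168.10.0/24"
dmz_net  = "192.168.20.0/24"
admin_ws = "192.168.10.50"     # the only host allowed to SSH into the DMZ
srv_host = "192.168.20.10"     # hypervisor's management address (SSH)
web_vm   = "192.168.20.11"     # VM0: the only VM publishing a service

set block-policy drop
set skip on lo0

# Default deny inbound on every interface; only what is listed below passes.
# Outbound is left open, as pfSense does by default: filtering happens on
# the interface a packet enters, and the state created there carries it out.
block in log all
pass out all keep state

# DMZ -> LAN: denied first and with "quick" so no later rule can override it.
# Logging this is deliberate: a compromised VM probing the admin network
# becomes visible in the firewall log instead of silently failing.
block in log quick on $dmz_if from $dmz_net to $lan_net

# WAN -> DMZ: only the published ports, only to the VM that serves them.
# Nothing on the WAN can reach the hypervisor's SSH port.
pass in on $ext_if proto tcp from any to $web_vm port { 80 443 } \
    flags S/SA keep state

# DMZ -> Internet: what the VMs need for updates and name resolution.
# "to !$lan_net" keeps this from ever matching LAN destinations.
pass in on $dmz_if proto tcp from $dmz_net to !$lan_net port { 80 443 } keep state
pass in on $dmz_if proto udp from $dmz_net to !$lan_net port 53 keep state

# LAN -> DMZ: management only, from one workstation, to the host, port 22.
# The VMs are not reachable from the LAN at all; they are managed via the host.
pass in on $lan_if proto tcp from $admin_ws to $srv_host port 22 \
    flags S/SA keep state

# LAN -> Internet: everything except the DMZ, which is covered by the rule above.
pass in on $lan_if from $lan_net to !$dmz_net keep state
```

Two points worth checking after loading such a policy: the `block in log quick` rule for DMZ to LAN must sit above any `pass` on the DMZ interface, because pf evaluates rules last-match-wins unless `quick` is set, and a later permissive rule would otherwise win. And the policy only means something if the server has no second NIC in the LAN: with the dual-homed layout from the first post, DMZ-to-LAN traffic would cross inside the server and never reach pfSense, so none of these rules would see it.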
