A demilitarized zone (DMZ), or screened subnet, protects your private network from attacks coming from the Internet. It consists of two firewalls: the outer firewall screens traffic coming from the Internet, while the inner firewall controls the traffic that is allowed inside the private network. Following are some guidelines for designing your DMZ.
- Put publicly accessible services (such as Web and FTP servers) inside the DMZ.
- Use firewall filters to control traffic allowed inside or out of the DMZ.
- Restrict all traffic except what is required to communicate with services inside the DMZ.
- On the outer firewall, allow traffic directed to the public servers (HTTP, FTP, e-mail).
- Use a VPN server to secure traffic directed to the private network. Allow VPN traffic in the outer firewall.
- Never allow traffic inside the outer firewall that claims it is coming from the private network.
- On the inner firewall, allow common Web traffic out.
As you design the firewall settings, you need to carefully consider all necessary traffic and allow the minimum amount of traffic through each firewall. For example, the following graphic shows how firewall settings allow DNS traffic through both the inner and outer firewalls.
Given this design, Internet hosts are allowed to request DNS from the public DNS server. The internal DNS server is also configured to forward requests to the public DNS server inside the DMZ. Packet filters must allow DNS traffic to get to the public DNS server. However, DNS requests from the Internet should not be allowed to pass through the inner firewall to the private DNS server.
Sometimes servers in the DMZ need to communicate with servers on the internal network. In this example, a Web server in the DMZ queries a SQL server for customer and order data. Notice that the SQL server stays protected inside the private network; it is not placed in the DMZ.
To design the necessary firewalls for this example, allow HTTP and HTTPS traffic in the outer firewall. Then allow only SQL traffic coming from the Web server to pass through the inner firewall (do not allow all SQL traffic in the inner firewall).
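As an added example (not from the original page), the following Python model encodes the outer and inner firewall rule sets described above and evaluates constructed packets against them: DNS from the Internet reaches only the public DNS server, spoofed private sources are dropped at the outer firewall, and only the Web server, on the SQL port, may cross the inner firewall to the SQL server. The addresses, interface names, VPN ports and the anti-spoofing rule for the DMZ range are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing for the illustration (not from the page).
ANY = ip_network("0.0.0.0/0")
PRIVATE_NET = ip_network("10.0.0.0/8")           # internal private network
DMZ_NET = ip_network("192.168.100.0/24")         # screened subnet
WEB_SERVER = ip_network("192.168.100.10/32")
PUBLIC_DNS = ip_network("192.168.100.53/32")
VPN_SERVER = ip_network("192.168.100.2/32")
INTERNAL_DNS = ip_network("10.0.0.53/32")
SQL_SERVER = ip_network("10.0.0.20/32")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "ext", "dmz" or "lan"
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    iface: str                   # arriving interface this rule applies to
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules, pkt):
    """First matching rule wins; a packet matching no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Outer firewall: packets arriving from the Internet ("ext") or from the DMZ ("dmz").
OUTER = [
    # Anti-spoofing: nothing from the Internet may claim a private source
    # (the DMZ range is added here as a common extension of the same idea).
    Rule("deny", "ext", PRIVATE_NET, ANY),
    Rule("deny", "ext", DMZ_NET, ANY),
    # Only the published services.
    Rule("allow", "ext", ANY, WEB_SERVER, "tcp", 80),
    Rule("allow", "ext", ANY, WEB_SERVER, "tcp", 443),
    Rule("allow", "ext", ANY, PUBLIC_DNS, "udp", 53),
    Rule("allow", "ext", ANY, PUBLIC_DNS, "tcp", 53),
    Rule("allow", "ext", ANY, VPN_SERVER, "udp", 500),   # IKE
    Rule("allow", "ext", ANY, VPN_SERVER, "udp", 4500),  # IKE/ESP NAT traversal
    # DMZ hosts may send outward (reply traffic is tracked by state in real products).
    Rule("allow", "dmz", DMZ_NET, ANY),
]

# Inner firewall: packets arriving from the DMZ ("dmz") or from the LAN ("lan").
INNER = [
    # Only the Web server, and only SQL, may reach the SQL server.
    Rule("allow", "dmz", WEB_SERVER, SQL_SERVER, "tcp", 1433),
    # Common Web traffic out, plus the internal DNS server forwarding to the public one.
    Rule("allow", "lan", PRIVATE_NET, ANY, "tcp", 80),
    Rule("allow", "lan", PRIVATE_NET, ANY, "tcp", 443),
    Rule("allow", "lan", INTERNAL_DNS, PUBLIC_DNS, "udp", 53),
]


def check_policy():
    """Run constructed packets through both rule sets; returns {case: decision}."""
    cases = {
        "internet dns query to public dns": (OUTER, Packet("ext", "203.0.113.7", "192.168.100.53", "udp", 53)),
        "internet http to web server": (OUTER, Packet("ext", "203.0.113.7", "192.168.100.10", "tcp", 80)),
        "spoofed private source from internet": (OUTER, Packet("ext", "10.0.0.5", "192.168.100.53", "udp", 53)),
        "internet dns query to private dns": (INNER, Packet("dmz", "203.0.113.7", "10.0.0.53", "udp", 53)),
        "web server to sql server": (INNER, Packet("dmz", "192.168.100.10", "10.0.0.20", "tcp", 1433)),
        "public dns host to sql server": (INNER, Packet("dmz", "192.168.100.53", "10.0.0.20", "tcp", 1433)),
        "web server to sql server on rdp": (INNER, Packet("dmz", "192.168.100.10", "10.0.0.20", "tcp", 3389)),
        "internal dns forwarding to public dns": (INNER, Packet("lan", "10.0.0.53", "192.168.100.53", "udp", 53)),
        "lan client https out": (INNER, Packet("lan", "10.0.0.77", "198.51.100.9", "tcp", 443)),
    }
    return {name: evaluate(rules, pkt) for name, (rules, pkt) in cases.items()}


if __name__ == "__main__":
    for name, decision in check_policy().items():
        print(f"{decision:5} {name}")
```

The rule order matters: the anti-spoofing denies sit first so that no later allow for the public DNS server can be reached by a packet with a forged private source, and the default deny at the end of `evaluate` is what enforces "restrict all traffic except what is required".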
NAT and Router Design Guidelines
You should know the following facts about NAT design:
- Use the following address ranges for internal private IP addresses:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.4.4 (comes from APIPA)
- NAT supports only IP. It cannot perform address translation for the following:
  - SNMP (Simple Network Management Protocol)
  - LDAP (Lightweight Directory Access Protocol)
  - COM (Component Object Model)
  - DCOM (Distributed Component Object Model)
  - Kerberos version 5
  - RPC (Microsoft Remote Procedure Call)
- Domain controllers cannot replicate through a NAT server. This is because Active Directory uses Kerberos version 5.
- Windows Server 2003 supports L2TP/IPSec VPN connections with NAT.
- To redirect external requests for internal resources (a Web server, for example), you can use address mapping or port mapping.
  - With address mapping, you associate a registered IP address with a specific private IP address.
  - With port mapping, you redirect traffic sent to specific ports (such as port 80 for HTTP) to a specific IP address.
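As an added example (not from the original page), the following Python model of a NAT server ties together the private address ranges listed above and the two redirection styles just described: outbound packets from private sources are rewritten to the public address with an allocated port, inbound packets are matched against a static address mapping, a static port mapping, or an existing session, and anything else is dropped. The public addresses, the port range and the `Nat` class itself are assumptions for the illustration, not a real product's API.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# The three RFC 1918 ranges from the list above.
PRIVATE_RANGES = [ip_network("10.0.0.0/8"),
                  ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]

Endpoint = Tuple[str, int]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the private ranges."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_RANGES)


class Nat:
    """Minimal model of a NAT server: dynamic outbound translation plus
    static address mapping and port mapping for published internal servers."""

    def __init__(self, public_ip: str, first_port: int = 49152):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Endpoint, int] = {}   # (priv_ip, priv_port) -> public port
        self.sessions: Dict[int, Endpoint] = {}   # public port -> (priv_ip, priv_port)
        self.address_map: Dict[str, str] = {}     # registered IP -> private IP
        self.port_map: Dict[int, Endpoint] = {}   # public port -> (priv_ip, priv_port)

    def add_address_mapping(self, registered_ip: str, private_ip: str) -> None:
        """Address mapping: a whole registered address stands for one internal host."""
        self.address_map[registered_ip] = private_ip

    def add_port_mapping(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Port mapping: one port on the shared public address is redirected inside."""
        self.port_map[public_port] = (private_ip, private_port)

    def translate_outbound(self, src_ip: str, src_port: int) -> Endpoint:
        """Rewrite a private source to the public address and an allocated port."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address; nothing to translate")
        key = (src_ip, src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.sessions[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Find the internal host for a packet arriving from the Internet.
        Static mappings win; otherwise only replies to an existing outbound
        session get through. None means the packet is dropped."""
        if dst_ip in self.address_map:
            return self.address_map[dst_ip], dst_port
        if dst_ip == self.public_ip:
            if dst_port in self.port_map:
                return self.port_map[dst_port]
            return self.sessions.get(dst_port)
        return None


def demo() -> dict:
    """Constructed scenario: one shared public address with a port-mapped Web
    server, and a second registered address mapped to a mail server."""
    nat = Nat("203.0.113.1")
    nat.add_port_mapping(80, "10.0.0.10", 80)            # external :80 -> internal Web server
    nat.add_address_mapping("203.0.113.2", "10.0.0.25")  # registered IP -> mail server
    return {
        "client_out": nat.translate_outbound("10.0.0.5", 51000),
        "client_out_again": nat.translate_outbound("10.0.0.5", 51000),
        "reply_to_client": nat.translate_inbound("203.0.113.1", 49152),
        "web_request": nat.translate_inbound("203.0.113.1", 80),
        "mail_request": nat.translate_inbound("203.0.113.2", 25),
        "unsolicited_ssh": nat.translate_inbound("203.0.113.1", 22),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The `unsolicited_ssh` case is the point behind "few hosts that need outside-initiated contact" in the table below: without a mapping, a NAT server has no internal destination for a packet that nobody inside asked for, so it is simply dropped.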
You should know the following facts about router placement:
- Routers do not pass broadcasts by default. You can reduce broadcast traffic by breaking up the network into smaller pieces with routers.
- Routers can be used to subnet a network.
- Routers can be used to create a secure, internal network.
- Configure packet filters on routers to allow or deny specific types of network traffic.
Internet Connectivity Solutions
Use the following table as a guide to selecting an Internet connection method.
| Select... | To meet these requirements... |
| --- | --- |
| Routing | Small to large networks; all hosts must be able to respond to Internet-initiated requests; maximum flexibility in network design and implementation; all hosts that require Internet access are running TCP/IP |
| Internet Connection Sharing (ICS) | Small network (10 or fewer hosts) with a single subnet; automatic address assignment; all hosts that require Internet access are running TCP/IP; at least one Windows 2000/XP/2003 or Windows 98 system exists on the network (for the shared connection); you do not provide DHCP or DNS services on the private network |
| Network Address Translation (NAT) | Small- to medium-sized network (approximately 5000 hosts or less); automatic address assignment; few hosts that need outside-initiated contact; all hosts that require Internet access are running TCP/IP |
| Proxy server/Internet Security and Acceleration Server (ISA) | Small to large networks; hosts that require Internet access are running a variety of protocols; the ability to restrict Internet access or contact by user or site; caching of Internet or Web server content |