You are right on target with your approach - bridging vlans between "trusted" (internal), "untrusted" (external), and "semi-trusted" (dmz) eliminates much of the security posture gained from segmenting services for public and internal use. NAT is not a substitute or patch for the design flaw of multi-homing the devices between the segments, as address translation will not provide a security control for ports publicized to the external world (i.e. http over port 80).
Another design issue is the lack of physical separation between the various network segments. Logical separation via layer 2 vlans/layer 3 ip addressing is a start, but there are documented attacks involving "vlan hopping", etc. which may pose a threat to the environment even with the isolation of the public services to the dmz. Physically separating the external and dmz vlans on an independent switch, and placing the internal vlan on its own switch(es) would be a much better design. This separates the internal trusted segment from the external semi-trusted and untrusted segments, resolving technical flaws as well as reducing the chance of human error (i.e. placing an internal server in the external vlan by mistake, misconfiguration of the vlan implementation, etc.). Your consultants may be good at server based implementation (an assumption), but not so good at network design (very apparent).

Chris Smith

-----Original Message-----
From: Frederick Garbrecht [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 10:13 AM
To: Security-Basics@Securityfocus.Com
Subject: Whats wrong with this topology?

I've inherited a small corporate WinNT4.0 lan that I am reconfiguring to remove some of the obvious security flaws in its structure. I would like to elicit any comments or suggestions regarding reconfiguring the architecture. On paper, the lan has been setup as a classical firewalled lan with 3 zones: external, dmz, and internal.

    |T1
    |
  Router
    |
Firewall________S_____vlan1[external]
    |           w
    |___________i_____vlan2[dmz=mail,dns,http]
    |           t
    |___________c_____vlan3[internal]
                h

The funny thing about the setup is that the servers residing in the dmz are all dual-homed machines with 1 adapter set to use a dmz segment address [192.168.1.0/24] and the other adapter uses an internal segment address [192.168.2.0/24]. The dmz addresses are NAT'd at the firewall to public address in our class C assignment.
This arrangement strikes me as crazy; even though routing between interfaces on the dmz machines is disabled, it seems that it would be trivial to compromise the internal lan if an intruder were to breach the dmz. Furthermore, some essential services (like file/print, domain controllers) reside on the dmz/vlan3 boxes, which also strikes me as major league stupidity for essentially the same reason. Essentially to me it seems that the actual architecture functions only as a 2 region system (hostile internet vs. not very secure internal lan) because of the fuzziness resulting from misconfiguration of the dmz. Basically, since I'm not an expert on this stuff (yet), I would like some confirmation of my feeling that this setup is basically very insecure so that I can garner up the requisite courage to fight with the consultants who set it up this way in the first place and the management who hired them. I have a pretty good idea of how to correct things, such as making the dual homed dmz machines single homed and moving all of the 'private' services like the domain controllers, file storage, etc. to machines strictly located within the internal vlan.

Happy to provide additional details, clarifications; comments welcome!

Thanks,
Fred
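An added illustration, not from either post in the thread: a small Python audit over a constructed host inventory that flags the two design flaws discussed above, hosts with adapters in both the dmz and internal segments, and internal-only services (domain controllers, file/print) sitting on a dmz-addressed box. The subnets are the ones Fred gives; the hostnames, addresses and service labels are assumed.

```python
import ipaddress

# Trust zones taken from the original post's addressing.
ZONES = {
    "dmz": ipaddress.ip_network("192.168.1.0/24"),
    "internal": ipaddress.ip_network("192.168.2.0/24"),
}

# Services that should only live on the internal segment (per the post).
INTERNAL_ONLY_SERVICES = {"domain-controller", "file", "print"}

# Constructed sample inventory: hostname -> (adapter addresses, services).
INVENTORY = {
    "mail1": (["192.168.1.10", "192.168.2.10"], {"smtp"}),
    "web1": (["192.168.1.20", "192.168.2.20"], {"http", "file", "print"}),
    "dc1": (["192.168.1.30", "192.168.2.30"], {"domain-controller"}),
    "fs1": (["192.168.2.40"], {"file", "print"}),
}


def zones_of(addresses):
    """Return the set of trust-zone names that a host's adapters fall into."""
    zones = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        for name, net in ZONES.items():
            if ip in net:
                zones.add(name)
    return zones


def audit(inventory):
    """Return a sorted list of (host, finding) tuples for segmentation violations."""
    findings = []
    for host, (addrs, services) in sorted(inventory.items()):
        zones = zones_of(addrs)
        # A box straddling two zones bypasses the firewall between them.
        if len(zones) > 1:
            findings.append((host, "multi-homed across " + ",".join(sorted(zones))))
        # Internal-only services on a dmz-addressed host are exposed to the semi-trusted zone.
        exposed = services & INTERNAL_ONLY_SERVICES
        if "dmz" in zones and exposed:
            findings.append((host, "internal-only service in dmz: " + ",".join(sorted(exposed))))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY):
        print(f"{host}: {finding}")
```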