topic Re: Approaches for DMZ with public IP addresses in Network Security

Approaches for DMZ with public IP addresses

mahoneave — Mon, 11 Mar 2019 19:27:35 GMT

Hi,

I'm looking for feedback on best-practices approach to create a DMZ with public IP addresses. It seems there are two options:

1.Have the ISP subnet the address block and assign one of these subnets to the DMZ. From that point forward it is simply a matter of routing and assigning the DMZ and public interfaces in to zones with appropriate policies applied.
2.Use BVI to bridge between the internet zone and the DMZ zone. This will allow the ISP address block to be bridged accross two interfaces. The bridged interfaces can be assigned to the public and DMZ zones with appropriate policies applied.

I'm wondering if there are pros/cons to approach number 2, since I do not have experience with this approach in a production environment. But more generally, I am looking for common/best-practices approache(s) to creating a DMZ with public ip addresses.

Thanks!

Re: Approaches for DMZ with public IP addresses

jgraafmans — Sat, 25 Dec 2010 00:05:38 GMT

If you bridge the interface to the DMZ with the interface connecting to the internet your router bridges packets instead of routing them and therefore layer 3 security won't be applied to this traffic.

You can also use private IP addresses in your DMZ and use static NAT rules to make them accessible from the internet.

Re: Approaches for DMZ with public IP addresses

mahoneave — Sat, 25 Dec 2010 00:57:12 GMT

Unfortunatley, NATing is not an option for this application. The devices in the DMZ must be addressed with non-NATed public IP addresses.

My understanding of zone-based firewall is that upper-layer inspection is possible between the interfaces that make up the bridge group. Is this incorrect?

Thanks!

Re: Approaches for DMZ with public IP addresses

jgraafmans — Sat, 25 Dec 2010 01:10:05 GMT

Sorry you're right it is indeed possible to configure IOS as a transparent firewall: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_trans.html#wp1052681

If possible I would still prefer having a /30 subnet to the ISP and another subnet on the DMZ. This makes it easier to configure and troubleshoot

Re: Approaches for DMZ with public IP addresses

manasjai — Sat, 25 Dec 2010 03:07:17 GMT

Hi,

As of now you cannot bridge two interfaces of ASA for them to be in the same subnet.

If you use firewall in transparent mode then security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.Further, in single context mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.

With transparent firewall mode, Each directly connected network must be on the same subnet.

Considering all these things, we can split the IP block provided by the ISP into 2. We can then assign one subnet to the DMZ and the other one to the outside. Your inside n/w remains untouched!

Hope this helps!!

Cheers,

Manasi

Re: Approaches for DMZ with public IP addresses

manasjai — Sat, 25 Dec 2010 03:09:58 GMT

Also, I am not sure if we are taking about an ASA here or a router with Zone based firewall configured.

The above explanation is for ASA device.

Thanks,

Manasi

Re: Approaches for DMZ with public IP addresses

mahoneave — Sat, 25 Dec 2010 22:06:54 GMT

Manasi,

Thanks. Yes I was referring to IOS firewall functionality I suppose. The following link indicates that more than two interfaces can be configured when a birdged/transparent firewall is configured on an IOS zone-pair firewall. I'm suprised that an ASA cannot do the same.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#req

So is splitting the ISP address block the common approach. The downside of this is that I would burn two additional IPs out of my block, and I'd also have to participate in routing with my ISP. Is it possible to simply have a privately addressed connection to my perimeter device, i.e. 10.10.10.0/30, then I could manage the routes between the subnetted public IP block?

Again, I'm mainly interested in common/typical approaches to creating publicly addressed DMZs. What does the crowd say?

Re: Approaches for DMZ with public IP addresses

manasjai — Sun, 26 Dec 2010 04:09:27 GMT

ASA would be getting similar functionality in later versions.

Well since we are talking about IOS firewall here, yes we can do bridging.

But if you talk about the crowd, I have generally seen them spliting the IP block!!

Cheers,

Manasi!