DMZ's best practice

We are planning to use multiple DMZs in our organization; we are using a Cisco ASA 5585. What are the advantages and disadvantages of using multiple DMZs? And which is better: to use one or two DMZs, or to split every service into a different DMZ?


7 Replies

varrao
Level 10

Hi Walaa,

There are no best practices as such in creating a DMZ; it is just a zone used on the ASA with a security level greater than outside and less than inside. You can have all your servers on the DMZ or create different interfaces for each server if you have spare interfaces. What's more important is how you do the NATting and the access rules, so that all these servers are accessible from outside and from your internal LAN. DMZ is just a reference, nothing more special.

Hope that helps.

Thanks,

Varun


Hi Varun,

Thanks for your valuable information. Regarding NATting and access rules, that is exactly why I need to decide whether to use one or more DMZs. Let me tell you what I'm thinking about for the design.

Let's say I have one big DMZ holding all web-tier and application servers. This will be a simple design and easy to handle for NATting and access rules, but what will happen if one server is compromised or infected with malware? The outbreak will spread to all the other servers.

If I'm going to split it into multiple DMZs, sure, this will make the NATting and access rules more complex, but now I'm isolating the services from each other and I have more control over the traffic passing through.

I would appreciate it if you shared your experience on this, and also if you can give me references (URLs).

Hi Walaa,

Yes, your analysis is right. You can very well keep the servers in different DMZs to avoid any malware attack.

You can very well allow access to all these servers on the DMZ from outside as well as from your inside LAN.

Here are a few documents for it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Video:

https://supportforums.cisco.com/docs/DOC-17347

https://supportforums.cisco.com/docs/DOC-1494

If you have any questions do let me know.

Thanks,

Varun


hobbe
Level 7

Well, this is my point of view.

The fewer computers you have on each DMZ the better.

The more you can divide the network by the same services/applications the better.

If you have e.g. 4 web servers (2 Apache and 2 IIS), 1 FTP, 1 SMTP and 2 DNS servers,

I would put the two Apache on one DMZ, the 2 IIS on one DMZ, the FTP in one, the SMTP in one and the 2 DNS servers in one.

This limits the impact in case of an attack. "If/when" the aggressor is able to take control of the server, they will only see what that server sees and will have gained little towards taking over all of them.

There is no point in separating each server with the same applications and setup, since the same bug that works on one will work on the next also.

If you had the above mentioned setup, and the aggressor attacked and was successful in gaining access to e.g. an FTP server, then they would have gained little towards gaining access to the other servers, since the FTP is on its own network and has no rights to the other networks.

If on the other hand the FTP had been on the same DMZ as the other servers, the aggressor would have gained a lot of leverage towards gaining access to the other servers: they would be behind the firewall and able to attack the servers from the local LAN; they would be able to see and use the LAN and gain access to a lot more services than from the outside world.

When an aggressor takes over a server they will see whatever that server can see, they will know everything that the server knows, and they will have all the rights and privileges that that server has.

Using VLANs is one approach, but if the aggressors gain access to a server, they can attack the switched network and make it do things it is not supposed to do.

This is why I like to have loads of physical ports instead of a few that make use of VLANs.

Good luck

HTH

Hi Hobbe,

Really HTH.

So your point of view is the same as mine, but let me clarify one more thing.

If e.g. I have 2 different services using the same OS (Sun Solaris 10) and the same application (Oracle WebCenter), and the attacker gains access to one of them, it will be easy to get access to the other in the same way even if it is in a different DMZ. Right?

Hi

If you have two identical machines doing the same thing, the best thing security-wise would be to separate them on different networks, BUT most likely I would not do that.

Why?

The administrative cost of separating each and every server, compared to the benefits of separating them, is something that has to be taken into consideration.

If you e.g. have two servers that are both the same version of IIS and Windows 2008 Server and they are hardened in the same way, they will both be vulnerable to the same software bugs if they are updated at the same time.

They will however not be equally vulnerable to other things like misconfigurations and bad passwords.

If in one of them someone forgot to remove the sample scripts, or did not turn off the print service, or left it unpatched, then that is a difference in how they are set up and could make one vulnerable to e.g. a poorly constructed password while the other is not.

Now do the math on how much effort it will take you to make a change for two servers on different networks: not much different than if they were in the same network, right? But if you separate a pool of 200 identical web servers, the administration easily becomes overburdening while the security does not go up enough to warrant that extra cost in administration. Then you can do something in the switch to have them all in the same DMZ if the servers do not need to know of each other, by using something in the switch that used to be called Private VLAN Edge and is now called "protected ports", i.e. the computers on the same switch are not allowed to speak to each other.

Note though that this is only valid in a single switch and will not work across multiple switches.

Then you can configure it as one DMZ but still "get" the "security" of several DMZs.

But as always, if the aggressor gets a foothold in the machine, takes a big stick and starts whacking the switch, all bets are off.

Against that type of aggressor only many physical ports work.

Good luck

HTH
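The two designs discussed in this thread (one DMZ interface per service from hobbe's first reply, and the protected-port fallback from the accepted answer) as a worked configuration. This is an added example, not configuration from the thread or from Cisco; it assumes ASA 8.3+ object NAT syntax, that the outside and inside interfaces already exist, and uses constructed RFC 1918 / RFC 5737 addresses, interface numbers and object names.

```cisco
! Added example (not from the thread). ASA 8.3+ syntax, constructed addresses.
! One DMZ interface per service, both at the same security level.
interface GigabitEthernet0/1
 nameif dmz-web
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz-ftp
 security-level 50
 ip address 10.0.20.1 255.255.255.0
!
! Traffic between interfaces of equal security level is dropped unless this
! is enabled; keep it disabled so dmz-web and dmz-ftp cannot reach each other.
no same-security-traffic permit inter-interface
!
! Static NAT: each server published on its own public address.
object network WEB1
 host 10.0.10.10
 nat (dmz-web,outside) static 203.0.113.10
object network FTP1
 host 10.0.20.10
 nat (dmz-ftp,outside) static 203.0.113.20
!
! Inbound from the Internet: only the published service of each DMZ.
! (8.3+ ACLs match the real, untranslated address, hence the object reference.)
access-list OUTSIDE_IN extended permit tcp any object WEB1 eq 443
access-list OUTSIDE_IN extended permit tcp any object FTP1 eq 21
access-group OUTSIDE_IN in interface outside
!
! Outbound from the web DMZ: explicitly deny the other DMZ and the inside LAN,
! allow only what the service needs (DNS here), then drop everything else.
access-list DMZ_WEB_OUT extended deny ip any 10.0.20.0 255.255.255.0
access-list DMZ_WEB_OUT extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ_WEB_OUT extended permit udp 10.0.10.0 255.255.255.0 any eq 53
access-list DMZ_WEB_OUT extended deny ip any any
access-group DMZ_WEB_OUT in interface dmz-web
!
! Fallback from the accepted answer, configured on the Catalyst access switch
! (not the ASA) when many identical servers must share one DMZ: protected
! ports block server-to-server traffic, but only among ports of this one switch.
interface range FastEthernet0/1 - 8
 switchport access vlan 10
 switchport protected
```

A matching DMZ_FTP_OUT list on dmz-ftp completes the picture; without a per-DMZ outbound list the ASA's default allows a DMZ host to reach any lower-security interface.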

Hi Hobbe,

Sorry for the late reply.

I'm going to the same result, combining the benefits of using DMZs and PVLANs.

I really appreciate your answers and explanations. It is very helpful.

Also I found a very good doc that can help to implement PVLANs:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

Thanks all
