5.2 Demilitarized Zones
5.2.4 DMZ Facts
This lesson covers the following topics: > Demilitarized zone (DMZ) > DMZ terms
Screened Subnet
Uses two firewalls. The external firewall is connected to the internet and allows access to public resources. The internal firewall connected the screened subnet to the private network. With a screened subnet, if the outer firewall is compromised, the inner firewall still protect the private network.
As you study this section, answer the following questions:
> How is a honeypot used to increase network security? > How is a gateway different from a router? > What is the typical configuration for a DMZ configured as a dual-homed gateway? > A screened subnet uses two firewalls. What is the function of each firewall? > What type of computer might exist inside a demilitarized zone (DMZ)? > What makes bastion hosts vulnerable to attack? How can you harden bastion hosts? In this section, you will learn to: > Configure a DMZ.
Screened subnet
A subnet protected by two firewalls; an external firewall is connected to the internet and an internal firewall is connected to a private network.
Bastion or sacrificial host
Any host that is exposed to attack and has been hardened or fortified against attack.
Screen-host gateway
Resides within the DMZ, requiring users to authenticate in order to access resources within the DMZ or the intranet.
Screening router
The router that is most external to the network and closest to the internet.
Be aware of the following DMZ facts:
> If the firewall managing traffic into the DMZ fails, only the servers in the DMZ are subject to compromise. The LAN is protected by default. > Packet filters on the firewall allow traffic directed to the public resources inside the DMZ. Packet filters also prevent unauthorized traffic from reaching the private network. > When designing the firewall packet filters, a common practice is to close all ports. Open only those port necessary for accessing the public resources inside the DMZ. > To allow access to private resources from the internet, use one of the following approaches: - Place a VPN server inside the the DMZ. Require internet users to authenticate to the VPN server and then allow communications from the VPN server to the private network. Only communications coming through the VPN server are allowed through the inner firewall. - Copy resources that are accessible to internet users to servers inside the DMZ. Even with authentication and authorization configured, this approach exposes those resources in the DMZ to internet attacks. > Typically, firewalls allow traffic originating in the secured internal network into the DMZ and through to the internet. Traffic that originates in the DMZ (low-security area) or the internet (no-security area) should not be allowed access to the intranet (high-security area). *Only place servers in the DMZ that need to be there.
Demilitarized Zone (DMZ)
A DMZ is a buffer network (or subnet) that sits between the private network and an untrusted network (such as the internet). A DMZ typically contains publicly accessible resources, such as web, FTP, or email servers. Creating a DMZ is part of a layered security approach.
Bastion or Sacrificial Host
A bastion host is any host that is exposed to attack and that has been hardened (or fortified) against those attacks. The bastion host is sometimes referred to as a sacrificial host because it is assumed that it will be subject to attack. The term has been applied to the following types of devices: > A host that is exposed on the network and is not protected by a firewall device. > The device that provide the firewall service to the screened network behind it. Attacks must pass through the bastion host before they are allowed inside the screened subnet. The following actions should be taken to harden a bastion host: > Separate roles of bastion hosts by placing a single application on each server. > Fully patch your bastion host on the operating system and on applications. > Run current versions of antivirus and anti-spyware software. > Include a personal firewall. > Uninstall any unnecessary applications or utilities. > Disable and lock down all unnecessary services and ports. > Tighten security on the registry and the user database. > Add IP filters. > Run lockdown facilities, such as IIS lock down and URLScan.
Demilitarized zone (DMZ)
A buffer network (or subnet) that is located between a private network and an untrusted network, such as the internet.
Screened host gateway
A device residing within the DMZ that requires users to authenticate in order to access resources within the DMZ or the intranet.
Duel-homed gateway
A firewall device that typically has three network interfaces. One interface connects to the internet, one interface connects to the public subnet, and one interface connects to the private network.
Dual-homed gateway
A firewall device that typically has three network interfaces: One connected to the internet, one connected to the public subnet, and one connected to the private network. Gateways have to be logged on to, whereas routers pass traffic through without user authentication. IP forwarding is disabled on gateways, effectively blocking through traffic to the network.
Screening Router
The router that is most external to your network and closest to the internet. It uses access controls lists (ACLs) to filter packets as a form of security. A firewall performing router functions is considered a screening router.
5.2.3 Configure a DMZ
You are the IT administrator for a small corporate network. You want to make a web server that runs services accessible from the internet. To help protect your company, you want to place this server and other devices in a demilitarized zone (DMZ). This DMZ and server need to be protected by the pfSense Security Gateway Appliance (pfSense). Since a few of the other devices in the DMZ require an IP address, you have also decided to enable DHCP on the DMZ network. In this lab, your task is to perform the following: > Access the pfSense management console: Username: admin Password: P@ssw0rd (zero) > Add a new pfSense interface that can be used for the DMZ. - Name the interface DMZ. - Use a static IPv4 address of 172.16.1.1/16 > Add a firewall rule for the DMZ interface that allows all traffic from the DMZ. - Use a description of Allow DMZ to any rule > Configure and enable the DHCP server for the DMZ interface. - Use a range of 172.16.1.100 to 172.16.1.200 Explanation Complete this lab as follows: 1. Sign into the pfSense management console. a. In the Username field, enter admin. b. In the Password field, enter P@ssw0rd (zero). c.Select SIGN IN or press Enter. 2. Configure an interface for the DMZ. a. From the pfSense menu bar, select Interfaces > Assignments. b. Select Add. c. Select OPT1. d. Select Enable interface. e. Change the Description field to DMZ. f. Under General Configuration, use the IPv4 Configuration Type drop-down menu to select Static IPv4. g. Under Static IPv4 Configuration, in the IPv4 Address field, enter 172.16.1.1. h. Use the subnet mask drop-down menu to select 16. i. Select Save. j. Select Apply Changes. k. (Optional) Verify the change as follows: - From the menu bar, select pfsense COMMUNITY EDITION. - Under Interfaces, verify that the DMZ is shown with the correct IP address. 3. Add a firewall rule to the DMZ interface. a. From the pfSense menu bar, select Firewall > Rules. b. Under the Firewall breadcrumb, select DMZ. (Notice that no rules have been created.) c. Under the Firewall breadcrumb, select LAN. d. Under the Actions column, select the copy icon (two files) for the rule with a source of LAN net. e. For the Action field, make sure Pass is selected. f. Using the drop-down menu for the Interface field, select DMZ. g. Under Source, use the drop-down menu to select DMZ net. h. Under Destination, make sure it is configured for any. i. Under Extra Options, change the description to Allow DMZ to any rule. j. Scroll to the bottom and select Save. k. Select Apply Changes. 4. Configure pfSense's DHCP server for the DMZ interface. a. From the menu bar, select Services > DHCP Server. b. Under the Services breadcrumb, select DMZ. c. Select Enable. d. Configure the Range field as follows: - From: 172.16.1.100 - To: 172.16.1.200 e. Scroll to the bottom and select Save.