SP-016: DMZ Module
Legend: Classic dual-homed DMZ pattern for internal and external services, delivered via a hardened, locked-down bastion host with a reduced attack surface that runs only essential services.
Description: Dual firewalls: the external firewall is connected to the untrusted or public network, the internal firewall is connected to the trusted or private network. Both firewalls are configured for minimal services, with the external firewall specifically configured for only the IP addresses and protocols that are required for each specific service, for example IP 188.8.131.52 PORT 80, 443. The internal firewall may allow access to ranges of addresses for a wider set of protocols. IP addresses for the internal network should be RFC 1918 private addresses, which are not publicly routable on the internet. Consider using different firewall vendors for the external and internal firewalls, depending on risk appetite. Monitoring and configuration services should be accessed over a separate network connection or VLAN and should not be accessible from the external interface(s). If you do not want to run a separate monitoring and configuration network, then bind those services to the internal interfaces only. Secure DNS services should be provided within the DMZ to prevent spoofing. Use static IP addresses for servers. A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, e.g. a (reverse) proxy server, and all other services are removed. Typical servers in the DMZ are web servers, email servers, DNS servers, proxy and reverse proxy servers.
Assumptions: 1) Encryption should be used for sensitive traffic; depending on content monitoring requirements, it may be necessary to break (terminate) the session at the gateway (bastion host) to inspect traffic. 2) The internet is a bad place and you need to protect your trusted computing environment from it!
Typical challenges: Skilled firewall administrators are needed to ensure that firewall rules do not contain errors that create holes. Skilled security and server engineers are needed to implement and maintain the hardened build for gateways.
Typically an existing environment is remodelled rather than an environment being built up from scratch. For remodelling, the following approach is recommended:
- Isolate in the DMZ those services that have an "intermediate" role, such as web frontends, antivirus-servers, content inspection servers, SSL VPN portals, Captive portals, etc.
- Plan traffic rules on the firewall layer to route only a very restricted set of services, especially concerning the traffic from the DMZ to the internal network and from the internet to the DMZ. Make sure that there is absolutely NO direct traffic from the internal network to the internet.
- Optionally add intrusion prevention systems at two main strategic points: in front of server networks, to ensure defense in depth and isolation of the sensitive data; and between the internal network and the DMZ, to contain propagation of worms and fast-spreading zero-day attacks throughout the network and onto the internet.
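The traffic rules described above (exact host/port allow-list on the external firewall, address ranges with a wider protocol set on the internal firewall, management reachable only from its own VLAN, RFC 1918 addressing for the trusted network, and no direct internal-to-internet path) can be modelled as a policy and checked against candidate flows before the rules are committed to real firewalls. The following is an added example, not part of the pattern; all addresses, hosts and ports in it are constructed.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 blocks the pattern requires for the trusted (internal) network
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addressing for this example; none of it comes from the pattern
DMZ_NET = ip_network("192.0.2.0/24")        # public-facing DMZ (documentation range)
INTERNAL_NET = ip_network("10.10.0.0/16")   # trusted network behind the internal firewall
MGMT_NET = ip_network("10.99.0.0/24")       # separate monitoring/configuration VLAN

# External firewall: exact host/protocol/port tuples only (internet -> DMZ)
EXTERNAL_IN = {("192.0.2.10", "tcp", 80), ("192.0.2.10", "tcp", 443), ("192.0.2.53", "udp", 53)}
# DMZ -> internet: only the forward proxy and the DMZ resolver may reach out
EXTERNAL_OUT = {("192.0.2.20", "tcp", 80), ("192.0.2.20", "tcp", 443), ("192.0.2.53", "udp", 53)}
# Internal firewall: address ranges with a wider protocol set (src_net, dst_net, services)
INTERNAL_RULES = [
    (INTERNAL_NET, DMZ_NET, {("tcp", 3128), ("udp", 53)}),   # clients to proxy and resolver
    (DMZ_NET, ip_network("10.10.5.0/24"), {("tcp", 5432)}),  # web frontend to database tier
    (MGMT_NET, DMZ_NET, {("tcp", 22), ("udp", 161)}),        # admin/monitoring from mgmt VLAN only
]

def zone(addr):
    """Map an address to the zone it lives in (mgmt, internal, dmz or internet)."""
    a = ip_address(addr)
    for name, net in (("mgmt", MGMT_NET), ("internal", INTERNAL_NET), ("dmz", DMZ_NET)):
        if a in net:
            return name
    return "internet"

def internal_addressing_ok(net=INTERNAL_NET):
    """The trusted network must sit entirely inside an RFC 1918 block."""
    return any(net.subnet_of(r) for r in RFC1918)

def evaluate(src, dst, proto, port):
    """Return 'allow' or 'deny: <reason>' for one flow through the dual-firewall DMZ."""
    s, d = zone(src), zone(dst)
    if s == "internet" and d == "dmz":
        return "allow" if (dst, proto, port) in EXTERNAL_IN else "deny: not on external allow-list"
    if s == "dmz" and d == "internet":
        return "allow" if (src, proto, port) in EXTERNAL_OUT else "deny: egress not allow-listed"
    if "internet" in (s, d):
        # internal/mgmt never talk to the internet directly; they must use the DMZ proxy
        return "deny: no direct path between internet and trusted network"
    for src_net, dst_net, services in INTERNAL_RULES:
        if ip_address(src) in src_net and ip_address(dst) in dst_net and (proto, port) in services:
            return "allow"
    return "deny: no matching internal firewall rule"
```

Running a proposed rule change through evaluate() for the flows the business actually needs, plus the flows that must never work, is a cheap way to catch the rule errors the "Typical challenges" section warns about.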
Indications: Organisation with secure computing environment that connects to untrusted networks.
Contra-indications: Single user environment e.g. Home user.
Resistance against threats: Denial of Service, network-based attacks.
- Link to RFC 1918.
- Link to Server Hardening guide.
- Link to Firewall admin.
- NIST Guide on Firewalls
- DMZ (Computing) on Wikipedia
- Designing a DMZ provided in the SANS reading room
Related patterns: TBD
Authors: Russell Wing, Tobias Christen
Reviewer(s): Marco Rottigni
AC-04 Information Flow Enforcement
AC-06 Least Privilege
AC-07 Unsuccessful Login Attempts
AC-12 Session Termination
AU-02 Auditable Events
AU-03 Content Of Audit Records
AU-04 Audit Storage Capacity
AU-05 Response To Audit Processing Failures
AU-06 Audit Monitoring, Analysis, And Reporting
AU-07 Audit Reduction And Report Generation
AU-08 Time Stamps
AU-09 Protection Of Audit Information
AU-11 Audit Record Retention
CA-03 Information System Connections
CA-04 Security Certification
CA-05 Plan Of Action And Milestones
CM-07 Least Functionality
RA-05 Vulnerability Scanning
SC-05 Denial Of Service Protection
SC-10 Network Disconnect
SC-20 Secure Name / Address Resolution Service (Authoritative Source)
SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver)
SC-22 Architecture And Provisioning For Name / Address Resolution Service
SC-23 Session Authenticity
SI-03 Malicious Code Protection
SI-04 Information System Monitoring Tools And Techniques
SI-05 Security Alerts And Advisories
SI-06 Security Functionality Verification
SI-07 Software And Information Integrity
SI-08 Spam Protection