Welcome to ISAserver.org

Future of DMZ

Future of DMZ - 19.Nov.2009 12:20:35 AM   
Mystic

I would like everyone's opinion on the future of the DMZ. When I was at the CIO summit at Microsoft, I asked a question about Microsoft's stance on the DMZ and the speaker replied, "What DMZ?". This leads me to believe Microsoft feels comfortable putting an array of dual-homed ISA firewalls that separates the Internet from the internal network.

Is that the future though? Less and less MSFT products are being supported within the DMZ (Exchange 2007 CAS servers are one) so I am not sure if the model I list below is going the way of the dinosaur.

INTERNET->FIREWALL->DMZ->FIREWALL->INTERNAL

I would like to understand:

a) Are DMZs really needed anymore now that we have advanced application firewalls like ISA/TMG?
b) Are the risks any more terrifying with a pair of ISA servers vs. the expensive alternative of multiple firewalls, a separate IP subnet and multiple sets of firewall rules?

I know everything is relative depending on risk tolerances but I would like hear some professional opinions.

Thank you.

--Paul
Post #: 1
RE: Future of DMZ - 20.Nov.2009 2:52:40 PM   
pwindell

quote:

ORIGINAL: Mystic

I would like everyone's opinion on the future of the DMZ. When I was at the CIO summit at Microsoft, I asked a question about Microsoft's stance on the DMZ and the speaker replied, "What DMZ?". This leads me to believe Microsoft feels comfortable putting an array of dual-homed ISA firewalls that separates the Internet from the internal network.

Feels comfortable???  That is what it was designed for!
One of the largest IT Systems in the world belongs to MS,...the System with the biggest brightest Bullseye painted on it is MS,...the largest Firewall Array in the world is the one at MS,...they protect their own network with their own product. I don't know if they used a DMZ or not,...but if they say they didn't,...I believe them.

quote:

ORIGINAL: Mystic

Is that the future though? Less and less MSFT products are being supported within the DMZ (Exchange 2007 CAS servers are one) so I am not sure if the model I list below is going the way of

The future??  Try the Past, Present, and Future.  I've been in the business for 10 years and never ran a DMZ,...don't believe in them,....not "sold" on them,...never have been.  When I started it was MS Proxy Server v2,....like the product or not, think what you want of the old product,... but it was never broken into.

quote:

ORIGINAL: Mystic

a) Are DMZs really needed anymore now that we have advanced application firewalls like ISA/TMG?

No they aren't needed,...and never were.  The need for them was superstition and "I.T. religion" more than anything else as far as I am concerned.

quote:

ORIGINAL: Mystic

b) Are the risks any more terrifying with a pair of ISA servers vs. the expensive alternative of multiple firewalls, a separate IP subnet and multiple sets of firewall rules?

Expensive alternative?  ISA costs just as much for the additional purchase. Factor in the hardware cost for a good quality server and you'll spend over $10,000.00 for an ISA installation. Then look at the prices of the ISA Appliances,...they ain't cheap either.
IP Subnets and multiple sets of rules?  Complexity does not equal security,...it may even mean the opposite,...more complex = more opportunity for mistakes.

It is also important to note that when the Secunia Reports came out, ISA 2006 had 2 vulnerabilities,...while the Cisco ASA had 6.   Both companies of course have them patched by now and both products sit at 0.

Secunia Reports
Microsoft ISA Server 2006 Supportability Update
http://secunia.com/advisories/product/26019/?task=advisories_2009
Cisco ASA/PIX
http://secunia.com/advisories/product/16163/?task=advisories

Will everyone agree with me??  No way,...in fact just watch,...it will probably start a big argument already.   But you asked for a professional opinion,...well I'm a professional,...and that was my opinion.

_____________________________

Phillip Windell

(in reply to Mystic)
Post #: 2
RE: Future of DMZ - 20.Nov.2009 4:47:09 PM   
Jason Jones

It won't surprise Phil to see my response here as I often play devil's advocate to his opinions; that's what forums are all about...

Rather than re-hash old content, you can have a quick look at the post below which saves me some typing

http://forums.isaserver.org/m_2002092822/mpage_1/key_dmz/tm.htm#2002092855

An example quote:

"Finally, IMHO the DMZ still has some value as it allows you to separate assets that are Internet facing and those that aren't. Different trust levels should be isolated. Compromise of an Internet facing host is then less likely to impact systems that are not Internet facing. The only problem is that the line between DMZ and LAN is often very blurred (and getting worse) by application connectivity to other internal services. For me, the key is to inspect and classify data rather than worry so much about how it gets from A to B.

Having said that I still use ISA as a great way of creating a layer 7 DMZ, and much more useful than a layer 3 DMZ which is what more hardware firewalls provide. Layer 3 DMZs that provide no L7 protection is often what people mean when they use the term "DMZ". It often depends on the protocols involved; for example if the DMZ=>Intranet traffic uses protocols like HTTP, RPC and SMTP, ISA has application layer filters that can add real value here as ISA can control both Internet=>DMZ traffic *and* DMZ=>Intranet traffic both to a deep inspection level..."

As always with security, there is no "right" answer, just different opinions...

Sometimes DMZs add value, sometimes not; it also depends on your definition of DMZ really. I would tend to avoid the term and instead talk about different security zones based upon risk.

Would I put ISA/TMG on the edge without a DMZ? Yes.

Would I use ISA/TMG to create isolated perimeter networks to protect/isolate certain server roles? Yes.

Actually, there is no reason why you can't do both at the same time.

Cheers

JJ


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to pwindell)
Post #: 3
RE: Future of DMZ - 20.Nov.2009 5:35:10 PM   
pwindell

quote:

ORIGINAL: Jason Jones

It won't surprise Phil to see my response here as I often play devil's advocate to his opinions; that's what forums are all about...

...and you do a mighty fine job as a devil too,... Jason

Actually, I agree completely with that "example quote",...it depicts perfectly what I think about it when it is all said and done.   I just don't like to give the "DMZ only" people even an inch. I've met some (in person even) that think:

No DMZ = completely insecure network
...and if, on top of that, you run ISA on the edge then you are just plain silly because MS can't possibly create a security product.

It is like religion to them.

(in reply to Jason Jones)
Post #: 4
RE: Future of DMZ - 6.Jan.2010 9:02:20 AM   
pctech32605

Most DMZs have so many holes punched in them to get to DB servers, etc. that they are at best marginal.

Implementation examples of a DMZ are generally a port of a PIX (or ASA) (not really a DMZ). It requires 2 firewalls, not 1, and preferably 2 different types of firewalls.

IT folks need to also separate and ACL what can be accessed from the DMZ better. How many people do that?

Microsoft products like SharePoint will change the DMZ to a more fluid product, but it will exist in some form. Microsoft will just rename it to something they like (the Microsoft way). But its purpose is the same.

(in reply to pwindell)
Post #: 5
RE: Future of DMZ - 6.Jan.2010 10:21:27 AM   
pwindell

I agree completely.

Making a DMZ stronger is fine,...but I don't run one at all,....don't need one.  A DMZ for me would provide no more additional security than what I already have without one.  I would gain nothing but needless excess complexity.

(in reply to pctech32605)
Post #: 6
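The "DMZ with so many holes punched in it" that pctech32605 describes above is something you can measure against a rule set rather than argue about. The following is an added example, not code from this thread and not an ISA/TMG policy export: a constructed three-zone model (Internet, DMZ, Internal) with first-match, default-deny rules, and an audit that flags a direct Internet-to-Internal path, any broad DMZ-to-Internal allow rule, and how much of the Internal zone each Internet-facing host can reach. The host names, zone names, probed ports and the two rule sets (LEAKY and TIGHT) are all constructed for the illustration. Because it models only zones and rules, the same check applies to a back-to-back or a tri-homed layout.

```python
"""Audit a constructed three-zone rule set: Internet / DMZ / Internal.

Added example, not an ISA/TMG policy export. Rules are evaluated
first-match with a default deny, the way most firewalls do it. The audit
reports:
  1. any direct Internet -> Internal path (the DMZ is then decorative),
  2. DMZ -> Internal allow rules that name a whole zone or port "any",
  3. how many Internal (host, port) pairs each DMZ host can reach,
     i.e. the blast radius if that Internet-facing host is compromised.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ANY = "any"

# Constructed topology: host -> zone. Anything not listed (e.g. "internet")
# is treated as a zone name in its own right.
HOSTS: Dict[str, str] = {
    "web1": "dmz",
    "web2": "dmz",
    "sql1": "internal",
    "dc1": "internal",
    "files1": "internal",
}


@dataclass(frozen=True)
class Rule:
    src: str     # host name, zone name, or ANY
    dst: str     # host name, zone name, or ANY
    port: str    # "443", "1433", ... or ANY
    action: str  # "allow" or "deny"


def zone_of(name: str) -> str:
    return HOSTS.get(name, name)


def _matches(field: str, value: str) -> bool:
    # A rule field matches a host if it names the host, its zone, or ANY.
    return field in (ANY, value, zone_of(value))


def allowed(rules: List[Rule], src: str, dst: str, port: str) -> bool:
    """First-match evaluation, default deny."""
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst) and r.port in (ANY, port):
            return r.action == "allow"
    return False


def reachable_internal(rules: List[Rule], src: str,
                       ports: Tuple[str, ...]) -> Set[Tuple[str, str]]:
    """Internal (host, port) pairs that `src` can open connections to."""
    return {(h, p) for h, z in HOSTS.items() if z == "internal"
            for p in ports if allowed(rules, src, h, p)}


def audit(rules: List[Rule], ports: Tuple[str, ...]) -> List[str]:
    findings: List[str] = []
    # 1. Internet must not reach Internal on any probed port.
    for h, p in sorted(reachable_internal(rules, "internet", ports)):
        findings.append(f"internet reaches {h}:{p} directly")
    # 2. Broad DMZ -> Internal allow rules (whole zone, or any port).
    for r in rules:
        if (r.action == "allow" and zone_of(r.src) == "dmz"
                and zone_of(r.dst) == "internal"
                and (r.dst == "internal" or r.port == ANY)):
            findings.append(f"broad rule {r.src} -> {r.dst}:{r.port}")
    # 3. Blast radius per DMZ host: more than one internal service is a flag.
    for h, z in HOSTS.items():
        if z == "dmz":
            n = len(reachable_internal(rules, h, ports))
            if n > 1:
                findings.append(f"{h} can reach {n} internal services")
    return findings


PORTS = ("443", "1433", "445", "389")  # HTTPS, SQL, SMB, LDAP

# "DMZ with holes punched in it": front-end hosts may talk to anything inside.
LEAKY = [
    Rule("internet", "dmz", "443", "allow"),
    Rule("dmz", "internal", ANY, "allow"),
]

# Narrow: each front end gets exactly the one back-end service it needs.
TIGHT = [
    Rule("internet", "dmz", "443", "allow"),
    Rule("web1", "sql1", "1433", "allow"),
    Rule("web2", "sql1", "1433", "allow"),
]

if __name__ == "__main__":
    for name, rules in (("LEAKY", LEAKY), ("TIGHT", TIGHT)):
        print(name, audit(rules, PORTS) or "no findings")
```

The LEAKY set passes the naive test (nothing from the Internet reaches Internal directly) yet every DMZ host can reach all twelve probed internal services, which is the situation where the DMZ buys almost nothing. The TIGHT set produces no findings because each front end is limited to the single back-end port it needs.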
RE: Future of DMZ - 6.Jan.2010 11:07:39 AM   
SteveMoffat

I hate the DMZ label...Most people mean a protected network segment....

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to pwindell)
Post #: 7
RE: Future of DMZ - 6.Jan.2010 11:25:17 AM   
pwindell

Yea,..it is an "old school" way of thinking.

I view things as "Your stuff is either properly configured & secure,...or it isn't".

Sometimes I may seem to be anti-security,..but I'm not. I'm just reacting to the other side of the coin that I see way too often.  I recently had to help out with a mess where someone (the contracted consultants) went "GPO crazy" and then they went "server hardening crazy" and just trashed the Active Directory domain beyond repair.

Giving some people (including some consultants) security tools is like giving Barney Fife a gun.  He will just blow his foot off with it unless you take away his bullets and just give him one bullet and make him keep it in his shirt pocket.

(in reply to SteveMoffat)
Post #: 8
RE: Future of DMZ - 18.Feb.2010 12:43:08 PM   
Mystic

Thanks for everyone's feedback on this.

I'm trying to make a decision whether I should build up a DMZ/Extranet portal and populate it with our corporate web server, SharePoint portal, OCS front-end and various other Microsoft technologies or simply install all of these applications on the internal network and use TMG in an Edge Firewall Design to reverse proxy inbound connections while performing stateful inspection.

I just want to fully understand the "What if the firewall is compromised and a hacker has access to the internal network?" argument and how realistic that argument is given a properly configured ISA/TMG array.

(in reply to pwindell)
Post #: 9
RE: Future of DMZ - 18.Feb.2010 2:10:15 PM   
SteveMoffat

Lose the DMZ misnomer....substitute protected network segment & you'll get your head round it...

Never should have been called a DMZ in the first place.



(in reply to Mystic)
Post #: 10
RE: Future of DMZ - 18.Feb.2010 2:20:35 PM   
pwindell

quote:

ORIGINAL: SteveMoffat

Never should have been called a DMZ in the first place.

Extranet and Portal are not much more useful than DMZ.  Just a bunch of "buzz words".

(in reply to SteveMoffat)
Post #: 11
RE: Future of DMZ - 18.Feb.2010 2:32:23 PM   
SteveMoffat

Indeed.

(in reply to pwindell)
Post #: 12
RE: Future of DMZ - 20.Jun.2011 10:23:38 AM   
pietergerritse

Let's say: DMZ (or whatever you want to call it) is a segment where servers are not members of the internal AD.

When implementing new services that must be internally and externally accessible I see two options:

1) place those servers, web/app/db in the internal server segment
and publish them with isa/uag
2) for some of those implementations, put the webserver (frontend) in the DMZ zone

Currently I have those two options in my network. But do I need these two options or does the DMZ idea have no future, do we go publishing all the way?

My gut feeling says, when you publish unauthenticated resources externally, like the public website, you should use option 2.

What are your thoughts? Any reasons why we need a DMZ?

(in reply to SteveMoffat)
Post #: 13
RE: Future of DMZ - 24.Jun.2011 9:00:23 AM   
pietergerritse

I'm still hoping for some replies that give me more insight :)

For example:
imagine the corporate public website, 30000 unauthenticated users per day. Would you place those webservers in the internal server network and publish the website with ISA (UAG) to the anonymous users on the internet? Or would you always need a DMZ for that? (zone outside FW without AD)

(in reply to pietergerritse)
Post #: 14
RE: Future of DMZ - 24.Jun.2011 2:10:04 PM   
pwindell

I think you have been given everything that is possible on the subject.

Your perspective on "security" seems to be the idea that to make something secure you have to "stick it in a different network".  That is a very crude and rudimentary approach to security.  Much of the time it provides no (or very little) measurable security benefit.  With that being the case nothing we say to you would probably seem "good enough" because we have different starting points and different ending points on our views of security.

(in reply to pietergerritse)
Post #: 15
RE: Future of DMZ - 25.Jun.2011 4:29:44 AM   
pietergerritse

I can't really understand your grumpy response. I'm not the topic starter, new to the subject and very interested. But at least I got contact :)

My perspective is really not "place it in another network and its secure". Reading back I can't see how you deduce that from my postings.

On topic:

-servers in my internal network are members of the AD
-servers in the DMZ (as we see it) are not members of the AD
-we have an isa array (not as fw, only as reverse proxy) that publishes some internal servers to the internet, but always for users that authenticate on ISA in the AD.

Right now I'm designing infrastructure for our new public website. That website gets 30000 anonymous visitors per day.

My dilemma is:

1) Should I place those webservers in the DMZ (outside the AD) and give regular HTTP access from the internet through our corporate firewall (Checkpoint), like we would do in the past.

2) Or do I place the webservers in the internal network, in the AD (making them easier to manage), and give 30000 anonymous users access through the ISA array. Now I know that the unknown clients on the internet only have network access to ISA (if you type netstat -a on those servers you don't see connections to the internal servers), but still: it doesn't feel right to let anonymous users through ISA on resources that are members of AD.

To sum it all up: should we let anonymous users have access through a reverse proxy to servers that are members of the internal domain?

I just wonder what network layout you guys use, to deal with this idea? Does that network have a DMZ? Or a zone without AD? I need inspiration :)

(in reply to pwindell)
Post #: 16
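The netstat -a observation in the post above (the published servers only ever see the ISA array as their client) can be turned into a repeatable check rather than a one-off look. What follows is an added example, not code from this thread: a Python parser for Windows `netstat -ano` output that lists ESTABLISHED connections on the published ports whose peer is not one of the proxy array members. The sample output, the server address 10.0.0.20, the array members 10.0.0.5 and 10.0.0.6, and the stray public addresses are all constructed for the illustration.

```python
"""Verify that a published (reverse-proxied) server only sees the proxy
array as its clients, from `netstat -ano` output.

Added example with constructed sample output. On a real published server
run `netstat -ano` and pass the text to unexpected_peers(). A peer that is
not an ISA/TMG array member means something reaches the server without
going through the proxy (a forgotten port forward, a second NIC on the
public segment, an internal host you did not expect).
"""
import re
from typing import Iterable, List, Optional, Tuple, TypedDict

# Constructed sample: server 10.0.0.20, ISA array members 10.0.0.5 and 10.0.0.6.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.20:443          10.0.0.5:51234         ESTABLISHED     4
  TCP    10.0.0.20:443          10.0.0.6:49822         ESTABLISHED     4
  TCP    10.0.0.20:443          203.0.113.77:40112     ESTABLISHED     4
  TCP    10.0.0.20:445          10.0.0.10:50001        ESTABLISHED     4
  TCP    10.0.0.20:3389         192.0.2.9:50002        ESTABLISHED     1234
  TCP    [::]:443               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1100
"""

# Only TCP rows carry a State column; UDP rows are skipped on purpose.
_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")


class Conn(TypedDict):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: Optional[int]


def split_endpoint(ep: str) -> Tuple[str, int]:
    """'10.0.0.20:443' -> ('10.0.0.20', 443); '[::1]:443' -> ('::1', 443)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> List[Conn]:
    conns: List[Conn] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        local, remote, state, pid = m.groups()
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        conns.append(Conn(local_ip=lip, local_port=lport, remote_ip=rip,
                          remote_port=rport, state=state,
                          pid=int(pid) if pid else None))
    return conns


def unexpected_peers(text: str, published_ports: Iterable[int],
                     proxy_ips: Iterable[str]) -> List[Tuple[str, int]]:
    """(remote_ip, local_port) for ESTABLISHED connections on a published
    port whose peer is not one of the proxy array members."""
    ports, proxies = set(published_ports), set(proxy_ips)
    return [(c["remote_ip"], c["local_port"]) for c in parse_netstat(text)
            if c["state"] == "ESTABLISHED"
            and c["local_port"] in ports
            and c["remote_ip"] not in proxies]


if __name__ == "__main__":
    for ip, port in unexpected_peers(SAMPLE, {443}, {"10.0.0.5", "10.0.0.6"}):
        print(f"unexpected client {ip} on published port {port}")
```

Run against the sample with 443 as the published port and the two array members as the only expected clients, it reports the single public address on 443 and ignores the SMB and RDP sessions, which are not published ports. Widening `published_ports` to include 3389 would surface the RDP peer as well, which is the sort of thing that should never be reachable from outside on a server that is only supposed to be published through the array.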
RE: Future of DMZ - 27.Jun.2011 9:29:10 AM   
pwindell

quote:

ORIGINAL: pietergerritse

I can't really understand your grumpy response. I'm not the topic starter, new to the subject and very interested. But at least I got contact :)

It wasn't intended to sound grumpy,...but sometimes that happens and it comes across grumpy,..sorry.
Yes,...I thought you were the thread starter,..sorry again.

quote:

ORIGINAL: pietergerritse

My perspective is really not "place it in another network and its secure". Reading back I can't see how you deduce that from my postings.

The entire idea of having a DMZ is based on exactly that kind of thinking,..so that is where I get that.  So it doesn't come from anything you specifically said,..it comes from the entire subject being discussed.  And again, ...I thought you were the thread starter until I looked closer,...this thread was started in the middle of last Winter,...I barely remember it at all.

quote:

ORIGINAL: pietergerritse

I just wonder what network layout you guys use, to deal with this idea? Does that network have a DMZ? Or a zone without AD? I need inspiration :)

In my case,..absolutely no DMZ at all,..none,...and I have no interest in one.  Things are either inside the LAN on private IP#s or they are outside the LAN on Public IP#s.  If they are inside the LAN they are most likely domain members but not in all cases.   If it is outside the LAN on Public IP#s then it is not going to be a domain member and never would be.

(in reply to pietergerritse)
Post #: 17
RE: Future of DMZ - 27.Jun.2011 2:04:43 PM   
pietergerritse

quote:

ORIGINAL: pwindell

In my case,..absolutely no DMZ at all,..none,...and I have no interest in one.  Things are either inside the LAN on private IP#s or they are outside the LAN on Public IP#s.  If they are inside the LAN they are most likely domain members but not in all cases.   If it is outside the LAN on Public IP#s then it is not going to be a domain member and never would be.


OK, so if I understand this correctly:

You have computers (servers) outside the LAN on public IP, and they are not domain members. (That is what I call DMZ, but that is just a term.)

And you have computers (servers) inside the LAN, mostly in AD but not all.

I presume you agree that having a server in AD is handy for management. Also you would agree that having the corporate AD in the outside LAN is not a good idea.

Combining these principles I would like to place ALL servers in the inside LAN and in the corporate AD. And when needed I would publish a server to the internet with ISA/UAG.

Now as long as the internet users authenticate on ISA, that seems OK.

But would you place a corporate website with lots of anonymous users also in the internal LAN and internal AD and publish it with ISA/UAG?

Where is your corporate website? Outside the LAN or internal/published?

(in reply to pwindell)
Post #: 18
RE: Future of DMZ - 27.Jun.2011 2:21:49 PM   
pwindell

quote:

ORIGINAL: pietergerritse

You have computers (servers) outside the LAN on public IP, and they are not domain members. (That is what I call DMZ, but that is just a term.)

That would not be a "DMZ".  A DMZ is a semi-protected network,...it is more protected than being straight on the Public Network,...however it is less protected than the primary LAN.

This is an example of a Back-to-back DMZ....
http://phillipwindell.files.wordpress.com/2011/01/simple-single-subnet-lan-with-isa-and-b2b-dmz.jpg

I do not have a diagram of a Tri-homed DMZ,..but a Tri-homed DMZ would be used with a single firewall and would be a dead-end network coming off the side of the Firewall on a 3rd interface.  I agree with the rest of the comments.

quote:

ORIGINAL: pietergerritse

Where is your corporate website? Outside the LAN or internal/published?

I have both situations at the same time.  The primary website is outsourced and exists outside the entire system. Then I have a supplemental web site sitting on the LAN published via ISA.

UAG does not "publish websites",...it publishes Applications and is commonly known as an SSL-VPN solution.  It is ISA/TMG that publishes web sites.

(in reply to pietergerritse)
Post #: 19
RE: Future of DMZ - 27.Jun.2011 4:31:53 PM   
pietergerritse

Yeah, I know about the DMZ definition. We have tri-homed btw.
I'm more focused on the AD factor. Should I publish an AD-integrated server to anonymous users, or place it in our DMZ where there is no AD?

I had a UAG chalk and talk with Microsoft engineers. They promoted UAG as a website publisher with the ability to publish apps too and do DirectAccess. TMG, as I read it, is more like a firewall and an outbound proxy too, and less enhanced on website, Outlook Anywhere and app publishing. To sum it up: if you don't need an MS firewall you don't need TMG. We have a serious Checkpoint cluster and don't need MS as a firewall.

http://www.microsoftnow.com/2010/06/tmg-or-uag-which-one-do-i-need.html
http://blogs.technet.com/b/ucedsg/archive/2010/08/16/do-i-use-forefront-tmg-or-forefront-uag-for-reverse-proxy-publishing-for-exchange-2010.aspx

(in reply to pwindell)
Post #: 20