Intermediate networks (Good practice or false sense of security)?

jstewart33 · ‎02-17-2009

I'm not really sure what you call them, but is it good practice to create an intermediate network between your private network and public side. For instance private 192.168.1.0/24 <---> intermediate 10.1.1.0/24 <---> Public. What benefits are there for doing this? What are some negatives? Please enlighten me.

Thanks

eddie.mitchell · ‎02-17-2009

I believe you're referring to a DMZ segment, and yes, they are always a good idea if you have Internet facing systems.

The basic principle behind the DMZ is to segment these systems such that if one were to be compromised via a targetted attack or via malware/worm,etc, the security breach would be contained and not able to spread to the internal (more critical) systems.

I'm sure some others on this forum could articulate this principle far better than I.

Hope this helps.

jstewart33 · ‎02-18-2009

Thanks for your response. I am familiar with the idea behind a DMZ and it's purpose and I agree it's a good practice. The reason I ask this question is that we are getting ready to revamp our network and replace it with more enterprise class hardware. Currently there is a dual-homed Linux box with a private and public interface. The private interface is the gateway to the Internet. The public side sits in another network and routes traffic to a firewall in the same network. Then the firewall obviously sends web traffic out through our ISP. I'm curious why this was done more than anything as I've inherited this network. Normally, in typical situations you would setup your firewall to NAT/PAT private to public. Then if you wanted a DMZ hang it off of another interface on the firewall and give it a network. Setup appropriate ACL to allow traffic to designated areas and voila. Anyways, I was told this was done originally because people were able to get around our content filter. Not sure of the details on how they were getting around it. Sorry for being so vague.

Thanks.

jeremyault · ‎02-19-2009

I'm sure there will be different opinions on this - here is mine.

I don't see any benefit to the intermediate network. As you mentioned, it's quite common to use a "three legged" firewall with an inside, outside and DMZ interface.

On the ASA for example, the interfaces are usually numbered with inside 100, DMZ 50, and outside 0. Traffic is always permitted from high to low but never low to high unless a) it's a response to a request from a higher number interface or b) it's explicitly permitted in on an ACL.

One big benefit to doing this "three leg" approach is that you can put an ACL on the outside interface to only let traffic in to the DMZ subnet but not to the inside subnet - making the inside better protected from the outside world.

In the event that the DMZ does become compromised, it can not initiate sessions into the inside network because it has a security level higher than the DMZ.

Having the intermediate network could be, in a way, an alternative approach to the "three leg" solution though not as elegant or effective. The intermediate network could be a DMZ with public servers which is further firewalled from the inside network.