									                                                                                            Kelley 1

Jake Kelley
Chuck Pease
Securing Business Applications
8 December 2007

Securing a Demilitarized Zone

When setting up any network, especially a corporate network, the DMZ is one of the most important security areas to address. Because any anonymous person can access this area of the network, it is a network administrator’s vital duty to ensure that this area is updated and secure against both focused attacks and less focused bot attacks. Because almost every company requires common services such as web sites, email access, and secure remote access, it is very important to ensure that these services are locked down and not vulnerable to common distributed attacks.

When people think of network security, it is generally assumed that they are thinking about internal security. Things like passwords, firewall security, and access controls are generally at the forefront of any discussion about security, but it is important to realize that the DMZ can provide a very easy avenue of access for hackers. Because many viruses and similar malware are concerned with creating “zombies”, which are really bots that constantly attack known vulnerabilities on a world-wide scale, we must protect our network at this area – the gate. It is a concern which every administrator should address because it affects the network as a whole, and can impact the company’s finances as well as an administrator’s stress levels. Because part of my job involves monitoring firewall log files for attempted attacks, I know that the majority – 90% and above – of attacks originate from zombie PCs, and are targeted at the DMZ on ports associated with common vulnerabilities. Ensuring that your firewall is protected from access on these ports can prevent a large majority of problems that people face by being visible to the internet in an age where spyware and viruses are so pervasive.

Network Permissions and Services

It is very important in any network to ensure that files and services are completely secured against anyone who can reach them but should not be allowed to view or modify them. Such documents could be things like manuals that are in place for all employees to use. The employees should be allowed to view them, but not to make changes without notifying a manager and undergoing a process to make these changes. They should certainly not be allowed to delete them either. Using NTFS permissions is a great way to accomplish such a task. In this example, an administrator could grant certain users read permission to this file, but not modify permission. This also applies to documents that a company would want users to have access to from the internet. A perfect example would be a web page. Users on the internet should be able to view the web page, but should not be allowed to modify its contents. Securing the web page document with permissions that only allow IIS users (or whatever program you are running) to view, but not modify, ensures that everyone has access to it, but not everyone can make


Securing services can be of equal or greater importance to an administrator. Because some services have to be granted control over documents (such as SQL – it must be allowed to interact with a database document, from a given input in a program or on a web page), they need to be secured from misuse. In the example of SQL, users on the internet should be allowed to use SQL's functionality to view lists of products and services, but should not be allowed to abuse its functionality by gaining access to files through an unprotected power-user type of account. By restricting the user that SQL uses to interact with a SQL database, you can ensure that users will only be able to view the contents of your database, and even if they try to, the user would not be granted sufficient rights to modify a database or any other file on the server. This is especially important because users have access to your network through systems like SQL frontends, and an administrator must be vigilant to ensure that their activity is restricted to only what they need to be able to do, and that they are not able to gain any unwanted access or


Encryption – Secure Access

Encryption is a very important aspect of network security. It can be used to ensure that home users have access to a company's internal network, enabling cost-effective telecommuting. It can also be used to ensure that a company's sensitive documents are protected from unwanted eyes, and malicious use. Encryption can be used in a couple of very important ways. Firstly, when creating a document, depending on its importance, you can choose to have it encrypted from the start with a type of encrypting file system. This enables us as administrators to keep valuable information viewable to only a select group of people that we choose. Another method (the most commonly found) is the encryption of transmitted data. This involves using a protocol to jumble the contents of a message and make it unreadable before transmitting it over public areas. Additionally, you can choose to set up digital certificates, which provide a means of identifying each user involved in the transmission and making sure that they are indeed who they claim to be. The level of encryption you choose for your company depends on what you are protecting, as well as how much you will have to protect. I will outline three generic levels of protection that I believe are fairly common in workplaces.

The first level of protection is designed for the majority of companies, and is generally sufficient when there is no mission-critical data being sent regularly over the internet. This level of protection involves having very secure perimeters, and a well-designed network that facilitates security from the beginning. In most cases, having passwords set up all around the network, using file permissions and subnetting your network into secure areas is enough protection to prevent attacks from occurring. Also, enabling logging will provide you with a method of responding to attacks if they do occur. When sending data over the internet, a VPN connection is set up at the firewall for users to connect to, thereby encrypting their data transmissions over the internet. These methods of security are fairly commonplace, and generally are all that is required by almost any company because most companies do their business internally, and the most important factor of security is securing the internal network so valuable data is protected.

Another less common form of overall security, with regards to encryption, is high security in a small environment. This includes having encryption enabled on files (EFS), encryption with digital certificates enabled for all web browsing and email transmissions, and having VPNs enabled with digital certificates to authenticate users. This level of protection might be feasible in very small workplaces where the administrator is paranoid about security, and has all of the tools to incorporate such a high level of protection. It is generally not seen very much though, because it is overkill when you are not dealing with highly sensitive data, or commonly transmitting such data over public lines.

Finally, high security is required in government institutions that work with very sensitive documents, and transfer these between departments. They use higher than 128-bit encryption as a standard, and do so on all transmissions. A lot of their protected documents are also encrypted at a file level to ensure that if there were a network breach, the intruder would still need to decrypt a document to view its contents (as well as crack the password of a user who has sufficient access to that document, or was involved in its creation). All internet browsing is encrypted and verified via digital certificate, and any access to the internal network is verified via VPN.


DMZ Services

DMZ services are a crucial aspect of any network, and a highly important area of security. Because any anonymous user has access to these services, it is very important to ensure that these services don't have access to the network in any manner other than the way that you intend them to. They should only be for viewing purposes, and should be secured and patched against threats that would enable an attacker to modify files, or to view internal documents or network structure. This is generally accomplished in a couple of different ways.

One method of setting up a DMZ is to have a firewall with 3 network cards – one which plugs into the internet, one which routes data to the internal network, and one that routes data to a DMZ. The internet card would be secured with an incoming firewall to only allow access via ports regarding the DMZ, and nothing else. The DMZ card is not very important as far as configuration goes, because the data it is routing has already been filtered through the external internet card. The internal card would have an additional filter for incoming data, ensuring that it originated inside the LAN, and that it is not malicious. It would also have an outgoing filter, so traffic from the internal LAN such as viruses could be contained from doing any further damage. This approach works pretty well, but if a hacker were familiar with the firewall or OS you are running as a gatekeeper, he would be able to crack it and gain full access. Therefore the next option is generally viewed as the most secure approach to a DMZ.

Using two firewalls in a DMZ configuration is highly desirable because it creates another barrier to entry in case the first firewall is compromised. In this configuration, one firewall has a port exposed to the internet for external access, and filters all incoming traffic, ensuring that only relevant, DMZ-related connections are coming in, or that the connections were already established outgoing from the LAN. On the other side of this firewall reside the DMZ servers, with FTP, VPN connections, DNS services and web page services set up. This way all traffic heading to the DMZ can sit in a sheltered area that is not a part of the protected internal network. On the other side of these DMZ servers is another firewall. It is set up with additional filters to ensure that traffic entering and exiting the internal network is genuine and verified. Also, it is important that this firewall is made by a different company than the other firewall. This ensures that even if a hacker were to compromise the first firewall and gain access, they would still have to use a different method to compromise this internal firewall and actually gain access to a company's internal network. This also means that they would have to crack two separate passwords, and utilize two different avenues of attack if they were to be successful in hacking into the network.
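
The two-firewall layout described above, modelled as an added example (this is not code from the paper): each firewall is a function over a flow, and a flow must pass every firewall on its path. The address ranges, the published DMZ ports and the LAN egress ports are constructed assumptions.

```python
"""Model of the two-firewall DMZ policy in the text (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")   # protected LAN (assumed range)
DMZ = ip_network("192.0.2.0/24")       # DMZ segment (assumed range)
# TCP ports the internet may reach on DMZ hosts: FTP, SMTP, DNS, HTTP, HTTPS
DMZ_PUBLIC_PORTS = {21, 25, 53, 80, 443}
# Ports LAN hosts may open to the internet (the outgoing filter that stops a
# virus on an internal PC from doing any further damage)
LAN_EGRESS_PORTS = {25, 53, 80, 443}


def zone(ip: str) -> str:
    addr = ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int                  # TCP destination port
    established: bool = False   # reply traffic of a connection already allowed


def outer_firewall(f: Flow) -> str:
    """Internet-facing firewall: inbound only to published DMZ services."""
    if f.established:
        return "accept"
    if zone(f.src) == "internet":
        ok = zone(f.dst) == "dmz" and f.dport in DMZ_PUBLIC_PORTS
        return "accept" if ok else "drop"
    return "accept"             # outbound from the DMZ or the LAN


def inner_firewall(f: Flow) -> str:
    """Second firewall in front of the LAN: only the LAN opens connections."""
    if f.established:
        return "accept"
    if zone(f.src) != "internal":
        return "drop"           # even a compromised DMZ host cannot reach inward
    if zone(f.dst) == "internet" and f.dport not in LAN_EGRESS_PORTS:
        return "drop"           # egress filter on the internal side
    return "accept"


def policy(f: Flow) -> str:
    """A flow must pass every firewall on its path: the outer one whenever the
    internet is involved, the inner one whenever the LAN is involved."""
    zones = {zone(f.src), zone(f.dst)}
    if "internet" in zones and outer_firewall(f) == "drop":
        return "drop"
    if "internal" in zones and inner_firewall(f) == "drop":
        return "drop"
    return "accept"
```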

FTP – File Access

FTP services are generally enabled within a DMZ, and are historically an important aspect of any network. These servers can host many types of files, and it is important to keep a secured backup of them internally, in case the FTP server is compromised. Also, making sure that external users only have access through a specific account, with no anonymous or guest access, is critical to keeping abuse to a minimum.

VPN – Remote Access

A company VPN is a highly important part of doing business these days, and as such it is something that should be highly protected. An important design consideration regarding VPNs is that they should be placed in a separate DMZ space, away from other internet-facing services. This minimizes access to the VPN server, and makes it less likely that internet users will know of its existence. Also, making sure that it isn't affected by traffic entering the DMZ, or exiting the


HTTP - Web Services

Web services are the most frequently thought of when referring to a DMZ. Almost every company has a website, and for that to have the least amount of security implications, it must be placed in a DMZ. Because everyone is jumping on the internet bandwagon, they all need to have a web server, and this server must be kept outside of the internal network for obvious security purposes. If an outside user gains access to any of your servers, it stands to reason that this user could then look around the network for security flaws and loopholes, so by placing your web server outside of the network, you ensure that any possible damage is minimized, and critical data loss is prevented entirely. Keeping this server patched and up to date is an important concern, because this will minimize the amount of time you have to spend repairing any possible issues created by external users messing with this server. Also, keeping backups internally after every revision to the website ensures that even if it is compromised and/or destroyed or defaced, you will be able to quickly get it back up and running in the state it was previously in. Another major concern regarding security is frontend access via a website. If your website includes any fields for entering data, then it also contains a potentially exploitable vulnerability. This is called SQL injection, and hackers use this method to pull information out of a company's database that they shouldn't have access to. Common locations for SQL input fields are user logins and search functions. Because these can potentially be such risky areas of security, it is important to make sure that any database access that is granted through a web page is secured in every way possible. This includes methods like data cleanup, string substitution, and so on, for making sure that a user's entry into that field does not tamper with the database itself. Also, it is a good idea to keep any database access that a user would have to a minimum. For instance, don't locate such data in the same database as one that stores company accounting information, or information regarding user accounts/passwords.
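
An added example (not the paper's code) for the two database points made on this page: the login lookup built by pasting form fields into the statement next to its parameterised form, and a stand-in for the restricted account that the Network Permissions and Services section says the web front end should use. The table, its rows and the test inputs are constructed.

```python
"""Web front-end database access: vulnerable vs. hardened (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.execute("INSERT INTO products VALUES ('widget', 9.99)")
    conn.commit()
    return conn


def login_vulnerable(conn, name: str, password: str) -> bool:
    # Whatever the visitor types becomes part of the statement, so a quote
    # character can rewrite the WHERE clause instead of being compared as data.
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name: str, password: str) -> bool:
    # Parameterised query: values travel separately from the statement and are
    # only ever compared, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def restrict_to_reads(conn) -> None:
    """Stand-in for the low-privilege database account the text recommends:
    SELECT is allowed, every write or schema change is refused."""
    denied = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
              sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_DROP_TABLE}

    def authorizer(action, arg1, arg2, db_name, trigger):
        return sqlite3.SQLITE_DENY if action in denied else sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def try_delete_products(conn) -> bool:
    """True if the connection could wipe the table, False if it was refused."""
    try:
        conn.execute("DELETE FROM products")
        return True
    except sqlite3.DatabaseError:
        return False


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed test input: the classic tautology
    print("concatenated query, bogus password:", login_vulnerable(db, "alice", probe))
    print("parameterised query, bogus password:", login_safe(db, "alice", probe))
    restrict_to_reads(db)
    print("delete allowed for restricted account:", try_delete_products(db))
```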

POP3 / SMTP - Company Email

Email services are probably the biggest target for internet “hacking” in the DMZ. These services are frequently abused by spammers and bots that reside somewhere in the wild of the internet. Because of this, the mail servers must be located in the DMZ area just for these services, and also have special firewall rules regarding incoming and outgoing SMTP and DNS traffic. Additionally, these servers should be configured with mail relay settings ensuring that email only travels to and from trusted email partners, as an open relay is the largest target for spam abuse. Open relays are a huge target for the many bots out there just waiting for a chance to find one and set up shop. Spammers and hackers both use open relays because they accept email from any outside source and will forward it to any destination. This means that a malicious user or program would be allowed to send mail to this open relay, and when the relay sends it on, the mail or connection becomes anonymous. This is a huge factor for malicious intents – needless to say, just don’t allow this type of access.
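
An added example (not the paper's or any mail server's code) of the relay rule described above: a recipient is accepted only from a trusted network, from an authenticated client, or when the domain is one we host; anything else is an unauthorized relay attempt, and repeated rejections from one client are counted as a relay probe worth blocking. Domains, networks and the sample sessions are constructed.

```python
"""Relay decision for one SMTP recipient (added example, not an MTA's code)."""
from collections import Counter
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.com", "mail.example.com"}   # domains we host (assumed)
TRUSTED_NETWORKS = [ip_network("10.0.0.0/24"),         # LAN (assumed)
                    ip_network("192.0.2.0/24")]        # DMZ (assumed)


def recipient_domain(rcpt: str) -> str:
    """Domain part of an address; refuse malformed input instead of guessing."""
    local, at, domain = rcpt.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"malformed recipient: {rcpt!r}")
    return domain.lower().rstrip(".")


def relay_decision(client_ip: str, rcpt: str, authenticated: bool = False) -> str:
    """Same order as the usual Postfix relay restriction list: trusted networks,
    then authenticated clients, then reject any destination we are not
    responsible for."""
    if any(ip_address(client_ip) in net for net in TRUSTED_NETWORKS):
        return "accept"        # our own users sending outbound mail
    if authenticated:
        return "accept"        # remote employee who passed SMTP AUTH
    if recipient_domain(rcpt) in LOCAL_DOMAINS:
        return "accept"        # inbound mail for a domain we host
    return "reject"            # a stranger asking us to forward elsewhere


def relay_probes(sessions) -> Counter:
    """Count rejected relay attempts per client over (client_ip, recipient,
    authenticated) tuples; a client that keeps being refused is a bot hunting
    for an open relay and is a candidate for a firewall block."""
    probes = Counter()
    for client_ip, rcpt, authed in sessions:
        if relay_decision(client_ip, rcpt, authed) == "reject":
            probes[client_ip] += 1
    return probes


# Constructed sample sessions (not real traffic)
SAMPLE_SESSIONS = [
    ("10.0.0.5", "partner@other.example", False),      # LAN user, outbound
    ("203.0.113.9", "alice@example.com", False),       # inbound, for us
    ("203.0.113.9", "victim@other.example", False),    # relay attempt
    ("203.0.113.9", "victim2@other.example", False),   # relay attempt
    ("198.51.100.4", "boss@other.example", True),      # authenticated remote user
]

if __name__ == "__main__":
    for ip, count in relay_probes(SAMPLE_SESSIONS).items():
        print(f"{ip}: {count} rejected relay attempt(s)")
```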


One very important task involved in securing your DNS server is to keep it dedicated to DNS functions. Having additional software installed can open up holes that can be exploited, and is unnecessary. This rule applies to all of your servers company-wide, as well as servers located in the DMZ – keep your operating system patched and up-to-date, and keep any program you must have installed up-to-date as well. Keep your administrator account as well protected as possible to prevent hacking – again, this applies to all servers in the internal network and DMZ. Ensure that all default shares are unshared, and that anonymous access is not allowed. This prevents a large amount of “default hacking” from occurring by bots that crawl the web. Keep all of your unused ports closed. This serves as more of an overall DMZ security consideration, but it deals with DNS as well. Ensuring that outside access to DNS is disabled will prevent a lot of unnecessary problems in the future. Keep your zone transfers as secure as possible. One option that may be available would be to only allow zone transfers to server IPs that you specify. This provides very fine-grained access to DNS services, and keeps intruders from gaining access to internal records. Ensure that DNS zones are all Active Directory Integrated, and that zones are only transferred to servers listed in the Name Servers tab.

As you can tell, securing the DMZ is not a critical role in network security, but it is an important one. With a DMZ we are basically putting our servers within full view of hackers and malicious bots that would love to gain full access to these servers and wreak havoc. It is our responsibility to ensure that these servers are configured and patched in a way that minimizes risk, and requires the smallest amount of administrative intervention in order to save money and keep the network administrator focused on more important issues. While the data contained on these servers generally does not need to be kept secure, or critical to the operation of a company, it is very important to prospective customers and clients that the data is there and functioning correctly. This is why these servers must be as secure as possible in the face of the entire internet – not a very simple task. But by taking the steps outlined above, you at least take one step towards being more secure, and able to respond to threats in the quickest and most efficient manner. You will also be eliminating the vast majority of threats from occurring in the first place, which is the most important step in my opinion.