DMZ In a Box - PowerPoint PPT Presentation

About This Presentation
Slides: 18
Provided by: NickSu6
Tags: topologies


Transcript and Presenter's Notes

1
DMZ In a Box
2
What is a DMZ?
  • As a military term
  • As a computing term

3
DMZ Knowledge
  • Stands for Demilitarized Zone, harks back to the
    Vietnam DMZ / 17th Parallel
  • It's considered a network sitting between two
    networks
  • Not part of the internal network nor directly
    part of the internet
  • Used to house public services (mail, web, vpn,
    ftp, etc.)
  • Machines in the DMZ should be considered less
    secure than those on the LAN

4
DMZ Diagram (wikipedia.com sourced)
5
Firewalls
  • What is a firewall?
  • A program or hardware device that filters
    information coming through one network to another
    (typically from the internet to private network).
  • How do you manage it?
  • Admins can allow traffic over specific ports/port
    ranges for both TCP and UDP traffic. These
    rules/policies could apply for individual
    machines or entire groups of machines.
  • How do they control traffic?
  • Three typical ways: Packet Filtering, Proxy
    Service, and Stateful Inspection
  • Packet Filtering: packets are analyzed against
    filters/rules
  • Proxy Service: requests to the internet are diverted
    to a proxy, which fetches the information and returns it
    to the requesting client
  • Stateful Inspection: examines certain parts of the
    packet and ranks it against a known database of
    trusted information. Information is inspected
    going out to the internet and then, as the
    response travels back to the network, if it's
    deemed trusted by the database it's allowed to
    pass.

6
Firewall Topologies
  • Bastion Host
  • One host filters all traffic between the internal
    network and the Internet
  • Good for simple networks with no public
    services hosted.
  • Issues? Benefits?

7
Firewall Topologies
  • Three-homed firewall
  • A server with three NICs acts as a packet filter
    between the corporate intranet and the internet.
  • Advantages?
  • Disadvantages?
  • Ex.
  • nic 1 Internal Traffic
  • nic 2 DMZ network
  • nic 3 Internet Traffic
  • aka triple-homed firewall, screened subnet
    firewall
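As an added example (not from the slides), the three-homed layout on this slide and the stateful inspection described on the Firewalls slide, modelled together in Python. The DMZ range 192.168.2.0/24 is the one the later "Technology Behind the Example" slide gives; the internal range 192.168.1.0/24, the sample addresses and the rule set are assumptions made for the example.

```python
import ipaddress
# DMZ range 192.168.2.0/24 is from the "Technology Behind the Example" slide; the
# internal range 192.168.1.0/24 is an assumption. Anything else is "internet" (nic 3).
ZONES = {"internal": ipaddress.ip_network("192.168.1.0/24"),   # nic 1
         "dmz": ipaddress.ip_network("192.168.2.0/24")}        # nic 2

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "internet")

# Rules for NEW connections: (src zone, dst zone, proto, allowed dst ports or None).
# Public DMZ services are reachable from the internet, internal hosts may reach
# anything, and the less-trusted DMZ may never open a connection inward.
RULES = [("internet", "dmz", "tcp", {25, 80, 443}),
         ("internal", "dmz", "tcp", None),
         ("internal", "internet", "tcp", None)]

class StatefulFirewall:
    def __init__(self):
        self.flows = set()  # tracked connections as (proto, src, sport, dst, dport)
    def _rule_allows(self, pkt):
        key = (zone_of(pkt["src"]), zone_of(pkt["dst"]), pkt["proto"])
        return any(key == (s, d, p) and (ports is None or pkt["dport"] in ports)
                   for s, d, p, ports in RULES)

    def filter(self, pkt):
        """Stateful inspection: a reply to a tracked flow passes with no rule
        lookup; anything else must match a rule to be accepted and tracked."""
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if fwd in self.flows or rev in self.flows:
            return "ACCEPT"
        if self._rule_allows(pkt):
            self.flows.add(fwd)
            return "ACCEPT"
        return "DROP"

def run_sample():
    """Constructed sample traffic; returns one verdict per packet, in order."""
    fw = StatefulFirewall()
    def tcp(src, sport, dst, dport):
        return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}
    return [fw.filter(p) for p in [
        tcp("203.0.113.5", 51000, "192.168.2.10", 80),    # internet -> DMZ web: rule match
        tcp("192.168.2.10", 80, "203.0.113.5", 51000),    # web server's reply: tracked flow
        tcp("192.168.2.10", 4444, "192.168.1.20", 445),   # DMZ -> internal: no rule, dropped
        tcp("192.168.1.20", 52000, "192.168.2.10", 22),   # internal -> DMZ admin: allowed
        tcp("203.0.113.5", 51001, "192.168.1.20", 445),   # internet -> internal: dropped
        tcp("203.0.113.5", 80, "192.168.1.20", 52001),    # reply-shaped, but no tracked flow: dropped
    ]]
```

The last packet is the case that separates stateful inspection from plain packet filtering: a port-only rule that trusts "source port 80" would pass it, while the flow table drops it because no internal host ever opened that connection.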

8
Firewall Topologies
  • Back-to-Back Firewall
  • Two firewalls are used to contain the DMZ from
    both the Internet and Internal network
  • More secure
  • Why?
  • Downsides to this?

9
DMZ Topologies
  • Beyond the back-to-back firewall
  • Use of more NICs to create zones
  • Use of more firewalls to create multiple DMZs
  • VLANs to create zones within DMZ

10
Going Virtual
  • To create a DMZ in a Box we need to use virtual
    machines.
  • Let's do a crash course in VMware networking

11
(No Transcript)
12
Of note
  • VMware uses two assigned Vendor ID ranges
  • 000c29
  • 005056
  • MAC addresses for Virtual Machines are calculated
    based on the physical machine's UUID and some
    file locations.
  • Can use a static MAC, coded into config file.
  • Internal network traffic between virtual NICs
    occurs with NO collisions and at faster than
    gigabit speeds.

13
DMZ at Work
  • What we do
  • Two Dell servers with VMware software installed
  • Virtualized 14 physical servers into VMs
  • Two Cisco PIX (Private Internet Exchange)
    firewalls in the back-to-back configuration
  • Various VLAN implementations also in play
  • 8U of rack space versus 35U consumption of the former
    non-virtual DMZ. Less power, less cooling
    required, less maintenance, fewer service
    contracts.

14
The Main Attraction
15
Technology Behind the Example
  • VMware Workstation 5.5
  • DMZ created virtually within Workstation
  • Consists of
  • One Router
  • One Windows XP host within the DMZ
  • One Linux host within the DMZ
  • DMZ Network 192.168.2.x
  • GW 192.168.1.1
  • Firewalls IP DHCP assigned (hopefully)
  • Freesco Linux Router
  • http://freesco.org/
  • Open source linux alternative to Cisco appliance
  • Runs off a floppy!
  • Simple!
  • My DMZ is somewhat cheesy. I know.
  • Simply a Bastion topology DMZ
  • Some quirks

16
Whiteboard Exercise
  • What would this look like with physical
    hardware?
  • In lieu of a Visio diagram, let's visit the
    whiteboard

17
Demo Time