Years ago, when I was a student, a network security professor taught me in a class what a DMZ is. The architecture he used in his slides was similar to this one: Now that I am employed, my boss, a security engineer with 10+ years of experience, has a different point of view. For him, a DMZ should not be placed in a "sandwich" between the LAN and the internet. Instead, it should be like the one illustrated below:
When searching with Google for network architectures with a DMZ, I found different representations and I got even more confused. So my question is, how should a DMZ be placed in a highly secure network architecture? Is the first representation OK from a security point of view?
One of the reasons it is confusing is because of the change in the architecture of firewalls over the past 15 years and because in the top diagram, it's not clear if the connection to the internal firewall flows through the DMZ machine or not. Modern firewalls can logically implement both the internal and external firewall pictured in the top diagram, so there's the question of physical vs logical. Also, in general, the DMZ machine should not be able to initiate connections into the LAN, so the top diagram should show 2 lines from the external firewall, 1 to the DMZ and 1 to the internal.
Commented Apr 22, 2012 at 17:34
csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf [Section 8] shows how we can further enhance overall security for the web servers.
Commented Aug 21, 2014 at 21:51
The two are functionally equivalent - the DMZ is effectively in a sandwich, as it has to have connections from the outside world firewalled, but also have firewalls restricting access from it to the internal network.
While the latter diagram is often what happens (for cost reasons - you need fewer firewalls) the first one is considered safer as you can use two different makes of firewall, which helps avoid an attack on the firewall breaching both of them. Where you use one firewall, you use sets of rules for each direction and each connection - and functionally this is the same as the sets of rules in the second example.
This is just a slight improvement in security, as generally you don't attack the firewalls - you use the open ports to go straight through and attack the webserver, mailserver, or even pass straight through to attack the database, but layers of security all help.
answered Apr 7, 2012 at 16:31 Rory Alsop
Spot on. Note also that many firewall configuration "wizards" usually offer both of these as templates to set up. Also take into account that routing between the zones may be an issue, and can be trickier to implement and enforce one way than the other.
Commented Apr 19, 2012 at 22:07
Yes, but as red team it is always fun to attack the core security system and have total pwnage that way ;)
Commented Apr 19, 2012 at 22:25
I disagree that the two are functionally equivalent. In the bottom diagram, all you need to do is compromise the firewall to get full access to the internal LAN. As pointed out by others, this is not so hard to do in many cases because of a mistake in the firewall configuration. In the top diagram, you have to get through 2 firewalls to get to the internal systems. The second firewall can generally have a much more closed configuration, and thus be harder to misconfigure or compromise.
Commented Apr 22, 2012 at 17:22
The key is defense in depth between security domains. The extent of the deployed architecture will be dependent on the resources available, including financial limitations and technical capabilities.
Defense in depth
Defense in depth is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. It is a layering tactic, to mitigate the consequence of a single security control failing. Wikipedia
Security domains
A security domain is the determining factor in the classification of an enclave of servers/computers. A network with a different security domain is kept separate from other networks. Wikipedia
Implementation
For the purposes of determining controls between security domains you could define: the internet as untrusted, the DMZ as semi-trusted, and internal networks as trusted.
Therefore, you would employ multiple layers of security controls between the internet and your DMZ, which could include: L3 firewalls, IPS, AV, Reverse-proxy/Load-balancing, L7 filtering.
From the DMZ host(s) back to your internal network, you would employ additional layers of: L3 firewalls, L7 filtering (e.g. RPC), IPS/AV.
Least privilege access between security domains is also key to maximise the effectiveness of the security controls.
I would advise no, due to a lack of defence in depth. There is only a single access control between the Internet-DMZ, and DMZ-LAN. Typically a highly secure architecture would have vendor-separation, and layers of access controls (L3 FW, WAF, IPS, AV, etc).
answered Apr 8, 2012 at 0:58
There are absolutely no absolutes in security.
From a training perspective - I'd say the first is more clear. It shows the concept that the outside world goes through these various layers and that it's easier to hit the DMZ and presumably what's stationed there is lower risk.
It's also better from a layered defense point of view - as pointed out in other answers very nicely.
But it's less practical from a cost point of view. And I've seen many, many variants on the lower diagram - all segmenting networks for various reasons, trying to do more with less for various cost or other practical reasons.
I don't honestly believe there is a "right way" or a "right diagram". Factors include:
I'd say, if your boss is claiming that his drawing is the absolute "right way" - he's out of his mind. There are plenty of public examples to counter that.
If it's the clearest way to describe the thing you are working with, then he's right.
answered Apr 18, 2012 at 16:24 bethlakshmi
I'll repeat some things others have said, but here it goes.
First of all, I'd think about how much security is desired, the cost to achieve it, and the problems that will arise if something fails and the communication is lost between the secure zone and the internet.
Your scenario looks a bit more sophisticated, because there are more layers from the dark world until your secret data is reached. But it also adds more costs, and more points of failure exist.
The second scenario is as secure as the firewall is. Getting the DMZ compromised won't make it easier to attack, since it has to go through the firewall, and the firewall is the pièce de résistance in all the concept.
And sorry, but if the question was only about "which one is correct: two firewalls or a single one?", I couldn't find any reference to decide it.
answered Apr 16, 2012 at 20:48 woliveirajr
I am not clear on what you mean by a "highly secure network architecture". You would need to consider in more detail what your security objectives, information security requirements and the threat landscape in which you are evolving are, in order to design and implement appropriate security controls.
I will however try to answer your question at a high level.
Yes, the first security architecture is OK from a security point of view in general. There are variations of this architecture (e.g. do you attach the DMZ to the external and/or internal firewalls and/or in-between) but I do not believe it is relevant to your question at this stage.
My understanding is that this architecture used to be more popular at a time when firewalls had multiple known public vulnerabilities in their implementation that would permit bypassing or even exploiting the firewalls themselves, and in the absence of other mitigating controls.
In using a different implementation for your external and internal firewalls, you are just applying the principle of natural selection to your architecture and it is generally a good thing: if one implementation is vulnerable to a specific attack, the same attack may not work on a different implementation if their respective traits are dissimilar enough. You are hopefully removing a single point of failure (from an implementation perspective) of the "firewall security function".
Of course, depending on your information availability requirements, you may need to consider clustering your external and internal firewalls among other things.
The second architecture is also valid from a security perspective and I believe it is now more popular than the first one (cost helping). You have a potential single point of failure of the firewall security function. However, most organisations would have (hopefully) realised by now that you cannot rely on your firewall only to provide security services. Routers/switches/host firewalls/etc. can all contribute to the security posture of an organisation thus mitigating some or all the damage caused by a compromise of a (single) firewall implementation. It also appears that firewalls are a bit more solid nowadays and that attacks have shifted to higher but softer OSI layers e.g. applications.
I would consider the second architecture for most deployments. I may consider the first architecture in some specific circumstances including but not limited to security objectives and requirements, potential attackers' motivations and more importantly, resources.
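Several answers above argue about whether the single three-legged firewall (second diagram, with a rule set per direction) and the two-firewall sandwich (first diagram) enforce the same policy, and about the DMZ host being allowed to initiate only the least-privilege connections into the LAN. The following is an added Python example, not code from the thread or from any real firewall product; the address plan, hosts, ports and flows are constructed assumptions. It models both designs as zone-to-zone rule sets, splits one policy across the two boxes of the sandwich, and checks that every constructed flow gets the same verdict from both.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for this example (an assumption, not from the thread).
DMZ = ip_network("192.0.2.0/24")   # semi-trusted: web/mail hosts
LAN = ip_network("10.10.0.0/16")   # trusted: internal network
WEB = "192.0.2.10"                 # DMZ web server
DB = "10.10.5.20"                  # internal database the web app needs
def zone(ip):
    """Map an address to its security domain; anything else is the untrusted internet."""
    ip = ip_address(ip)
    return "dmz" if ip in DMZ else "lan" if ip in LAN else "internet"
@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: "int | None" = None    # None = any port
    src_ip: "str | None" = None   # None = any host in the zone
    dst_ip: "str | None" = None
def allowed(rules, src, dst, dport):
    """Any matching rule permits the flow; no match means default deny."""
    return any(r.src_zone == zone(src) and r.dst_zone == zone(dst)
               and r.dport in (None, dport) and r.src_ip in (None, src)
               and r.dst_ip in (None, dst) for r in rules)

# Single three-legged firewall (second diagram): one rule set per zone pair.
SINGLE = [Rule("internet", "dmz", 443, dst_ip=WEB),         # public HTTPS to the web host only
          Rule("dmz", "lan", 5432, src_ip=WEB, dst_ip=DB),  # least privilege: one host, one port
          Rule("lan", "dmz"),                               # admin and patching from inside
          Rule("lan", "internet", 443)]                     # outbound browsing
# Sandwich (first diagram): the same rules, split by which box enforces them.
EXTERNAL = [r for r in SINGLE if "internet" in (r.src_zone, r.dst_zone)]
INTERNAL = [r for r in SINGLE if "lan" in (r.src_zone, r.dst_zone)]
PATH = {("internet", "dmz"): [EXTERNAL], ("dmz", "internet"): [EXTERNAL],
        ("dmz", "lan"): [INTERNAL], ("lan", "dmz"): [INTERNAL],
        ("lan", "internet"): [INTERNAL, EXTERNAL], ("internet", "lan"): [EXTERNAL, INTERNAL]}
def sandwich(src, dst, dport):
    """A flow must be permitted by every firewall on its path; no path means deny."""
    hops = PATH.get((zone(src), zone(dst)), [])
    return bool(hops) and all(allowed(fw, src, dst, dport) for fw in hops)

# Constructed flows (src, dst, dport); the DMZ host reaches the LAN only for the one DB connection.
FLOWS = [("203.0.113.7", WEB, 443), ("203.0.113.7", DB, 5432), (WEB, DB, 5432),
         (WEB, "10.10.5.21", 5432), (WEB, DB, 22), ("192.0.2.11", DB, 5432),
         ("10.10.1.5", "203.0.113.7", 443), ("10.10.1.5", "203.0.113.7", 25)]
def verdicts(flows=FLOWS):
    """(single-firewall verdict, sandwich verdict) for each flow."""
    return [(allowed(SINGLE, *f), sandwich(*f)) for f in flows]
def equivalent(flows=FLOWS):
    return all(a == b for a, b in verdicts(flows))
```

The equivalence holds only because the rules were partitioned consistently; the point the dissenting comment makes is that in the single-box design one misconfiguration or compromise of that box undoes all of the zone pairs at once.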