Creating a Poor Man’s DMZ Part 1 - Using TCP/IP Security
A common issue that pops up on the www.isaserver.org web boards is how to configure a DMZ segment on a trihomed ISA Server. Setting up a trihomed ISA Server with a directly attached segment acting as a DMZ is fairly simple. To set up a trihomed DMZ you need to comply with the following:
Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder
The last statement is especially important. The reason you create a DMZ segment is to segregate Internet traffic away from your internal network. No inbound traffic should ever move from the DMZ segment to the internal network.
All of these designs violate the integrity of the DMZ. DMZ hosts are “sacrificial lambs” and you should expect them to be compromised. It makes no sense to allow communications between DMZ hosts and the internal network if you expect these hosts to be compromised (in general, there may be exceptions).
Multiple Internal Interfaces – The Poor Man’s DMZ
The simplest approach, and the one we’ll cover in this article, its to use TCP/IP Security. TCP/IP Security is available in Windows NT 4.0 and Windows 2000. TCP/IP Security filtering allows you to control what inbound packets are accepted on a host interface. Key features of the TCP/IP Security include:
TCP/IP Security is helpful in controlling inbound access to the server on the Poor Man’s DMZ segment but does nothing to prevent outbound communications from the server on the DMZ segment to machines on the internal network. TCP/IP Security filtering is just one tool in your security bag. You’ll need to use IPSec Policies and/or RRAS packet filtering to control outbound traffic from your Poor Man’s DMZ segment.
Configuring TCP/IP Security
Perform the following steps to configure TCP/IP Security:
The trihomed DMZ should be considered a kludge. An actual DMZ is bordered by two security devices. A trihomed DMZ provides a single point of failure in your security scheme. When you implement a proper DMZ, using two security devices, the edge security device can fail and your internal network is remains secure. The machines on the DMZ may be compromised, but that is the nature of the DMZ bastion host.
We all have to use kludges from time to time, and that’s why there’s the trihomed DMZ. If you can’t meet the requirements of a true trihomed DMZ, you can use private addresses and make a Poor Man’s DMZ. In this article we went over one method you can use to control access to servers on the DMZ segment. In the second part of this series I’ll go over how to configure IPSec Policies to control inbound and outbound packet filter to and from DMZ servers.