[ale] Proper way to setup DMZ LAN

Wolf Halton wolf.halton at gmail.com
Sun Mar 26 14:15:05 EDT 2017


Most places I have worked at do not allow direct Corporate_LAN to Internet
access.  It is a PCI violation, and bad practice, really.  All LAN traffic
goes through the DMZ, and there are 2 routers/firewalls between the LAN
machines and the Internet at minimum.  With VLAN tagging, you could
probably use a single router/firewall setup.  The danger is informal trunking
between the VLAN segments that can lead to "surprise" direct-to-Internet
connections.  This is also a potential PCI finding, because each major
service must have its own server.  You might also consider setting up Squid
as a filtering proxy that checks out all HTTP and HTTPS traffic.

Wolf Halton
Mobile/Text 678-687-6104
--

On Sun, Mar 26, 2017 at 1:26 AM, Alex Carver <agcarver+ale at acarver.net>
wrote:

> I disagree about the LAN not going through the DMZ to get to the
> outside.  That's exactly how many places (including my workplace) have
> things set up.  There's a middle ground because in theory the LAN and
> the WAN both need to access the DMZ.
>
> Two routers chained together will work.  It's just a different set of
> rules and it simply makes the second router a "host" on the DMZ but you
> put more restrictive rules in place (no port forwarding) for anything
> beyond it.
>
> Now, there's technically a way to do a single router with your consumer
> routers as long as you replace the firmware with something that is
> smarter such as OpenWRT/Tomato/DDWRT, etc.  As an example, I have an old
> Linksys WRT54G running OpenWRT.  It has five physical Ethernet ports
> and the wireless card inside.  The built-in Broadcom SoC can actually
> VLAN all five of those separately (through internal VLAN tagging).  So I
> could turn it into a five-zone firewall (WAN, LAN 1-4, and WifiLAN).
>
> You might be able to do the same if your Asus is supported by OpenWRT or
> similar.  You get the ability to reconfigure the SoC switch inside to
> create zones, the benefit of iptables, and advanced routing that the
> stock firmware just doesn't have.
>
> On 2017-03-25 21:46, Scott Castaline wrote:
> > So you're saying that my 2 router configuration won't work? If that is
> > the case, what brand besides Cisco makes a 1 WAN to 2 LAN router? I say
> > besides Cisco because the only ones I worked with many years ago were
> > Cisco 2600 series routers, which I loved at the time, just not the price.
> >
> > On disability pay it's sort of off budget. What I was planning on doing
> > was taking one ASUS router and putting a NetGear 16 port switch off of
> > that to drive my DMZ LAN, then the 2nd ASUS router would be off of the
> > front LAN to create the back LAN, which would be the private LAN, also
> > with a 2nd NetGear 16 port switch. The DMZ will have 2 game consoles,
> > 2 media streamers and 2 smart TVs. But then I ran into articles that
> > say the complete reverse of what I had planned, also using 2 routers.
> > One of the articles endorses 3rd party firmware from Russia, but I'm a
> > little leery of that these days.
> >
> >
> > On 03/25/2017 05:09 PM, Jim Kinney wrote:
> >> The DMZ is a zone. One box or many. It is directly connected to
> >> internet and may or may not connect to the inside LAN. If it does, the
> >> firewall and routing is very, very specific. And, yes, firewall between
> >> big bad interwebs and DMZ.
> >>
> >> The inside, trusted LAN doesn't connect through DMZ network to outside.
> >> It connects to firewall/router and your internet demarcation line.
> >>
> >> So 3 nic Linux box. Nic 1 goes to internet, 2 is DMZ and 3 is private
> >> lan. Iptables on the box. LAN and DMZ are separate subnets with the box
> >> as their gateway. DMZ often has internet routable IPs. LAN usually does
> >> not and is NAT'ed. DMZ can be NAT'ed as well. If DMZ is not NAT'ed,
> >> nic 1 will need to be in bridge mode.
> >>
> >> The terminally paranoid will add a second firewall box on the wire
> >> between nic 3 and the internal LAN.
> >>
> >> On Mar 25, 2017 4:42 PM, "Scott Castaline" <skotchman at gmail.com
> >> <mailto:skotchman at gmail.com>> wrote:
> >>
> >>     So I would put the DMZ on the front or first LAN and then
> >>     everything else on the back or second LAN? And also the DMZ is a
> >>     single device and not the LAN itself? What if I have multiple DMZs
> >>     on the first LAN, can I do that?
> >>
> >>
> >>     On 03/25/2017 12:30 AM, Alex Carver wrote:
> >>
> >>         On 2017-03-24 21:05, Scott Castaline wrote:
> >>
> >>             Okay, I've had the cable pulled in my house. I was able to
> >>             unbrick an older ASUS router which is running ASUSWRT-Merlin
> >>             which has the radios shut off for the access part of it.
> >>             Many years ago I remember setting up several dual LANs; the
> >>             first LAN was unsecured and all of the web facing gear was
> >>             on that. Then a second router with LAN to LAN interfaces
> >>             which connected to LAN 1 and LAN 2 was off of this router
> >>             and was a secured network. I thought this was what a DMZ
> >>             was, but on google searching DMZ structure I'm finding that
> >>             the DMZ is a single server by itself. The other thing that
> >>             I'm finding is that the secured LAN is on LAN 1 and the DMZ
> >>             is on LAN 2. That doesn't make sense to me.
> >>
> >>             Can anyone enlighten me with what would be the correct way
> >>             of doing this?
> >>
> >>
> >>         You can make up a DMZ using a three port router or you can
> >>         daisy chain two routers with the link between them being the
> >>         DMZ. Your LAN would hang off the back router farthest from the
> >>         WAN.
> >>
> >>         Either way you're just setting up a bunch of packet filter and
> >>         routing rules.  The advantage of the dual router approach is
> >>         that it would theoretically be harder to break into your LAN
> >>         because two routers would need to be compromised.
> >>
> >>         A single router approach needs a router that can handle all
> >>         traffic.  The dual router approach only needs enough horsepower
> >>         on the front router to handle the traffic.  The back router, in
> >>         theory, sees less traffic.
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
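[Editor's added example; this is not code from anyone in the thread.]
The three-NIC Linux box Jim describes (nic 1 Internet, nic 2 DMZ, nic 3
private LAN) and the "LAN initiates to DMZ, DMZ never initiates into LAN"
boundary Alex and Wolf argue about come down to a small, explicit zone
policy.  The script below generates that policy as an nftables ruleset
(the successor to the iptables tooling named above) and gives a deploy
script two checks to run before loading it.  Interface names eth0/eth1/eth2,
the two private subnets, and the single published DMZ service
(192.168.2.10 tcp/443) are assumptions for illustration; this is Jim's
"DMZ can be NAT'ed as well" variant, where both inside zones are
masqueraded behind the WAN address.  In the chained two-router layout the
same forward-chain rules belong on the front router, and the back router
needs only "LAN out, nothing in".

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset for a
# three-NIC Linux firewall. Zones: WAN (Internet), DMZ (consoles, streamers,
# smart TVs), LAN (trusted hosts). Interface names, subnets and the one
# published DMZ service are assumptions; override them via the environment.
WAN_IF=${WAN_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
LAN_IF=${LAN_IF:-eth2}
DMZ_NET=${DMZ_NET:-192.168.2.0/24}
LAN_NET=${LAN_NET:-192.168.1.0/24}
# Assumed: exactly one DMZ host exposes one TCP port to the Internet.
PUB_HOST=${PUB_HOST:-192.168.2.10}
PUB_PORT=${PUB_PORT:-443}

# Print the ruleset to stdout. Default policy is drop in every filter
# chain, so each inter-zone flow below is a deliberate, reviewable opening.
gen_fw_ruleset() {
cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Manage the firewall from the LAN only (assumed: ssh).
        iif "$LAN_IF" tcp dport 22 accept
        # The box answers DNS/DHCP for both inside zones (assumed).
        iif { "$LAN_IF", "$DMZ_IF" } udp dport { 53, 67 } accept
        iif "$LAN_IF" icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN may open connections to the Internet and to DMZ hosts.
        iif "$LAN_IF" oif "$WAN_IF" accept
        iif "$LAN_IF" oif "$DMZ_IF" accept
        # DMZ may reach the Internet but never open connections into the LAN;
        # log attempts, since a DMZ host trying this is a compromise indicator.
        iif "$DMZ_IF" oif "$WAN_IF" accept
        iif "$DMZ_IF" oif "$LAN_IF" log prefix "dmz-to-lan: " drop
        # Internet reaches only the one published DMZ service (after DNAT).
        iif "$WAN_IF" oif "$DMZ_IF" ip daddr $PUB_HOST tcp dport $PUB_PORT accept
        iif "$WAN_IF" oif "$LAN_IF" log prefix "wan-to-lan: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iif "$WAN_IF" tcp dport $PUB_PORT dnat to $PUB_HOST
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif "$WAN_IF" ip saddr { $LAN_NET, $DMZ_NET } masquerade
    }
}
EOF
}

# Return 0 if the generated ruleset contains the given rule text verbatim,
# so a deploy script can assert the zone boundaries before loading.
rule_present() {
    gen_fw_ruleset | grep -qF -- "$1"
}

# Count accept rules in the forward chain: every one of them is an
# inter-zone opening that should be intentional and reviewed.
forward_accept_count() {
    gen_fw_ruleset | sed -n '/chain forward/,/}/p' | grep -c ' accept$'
}

# Syntax-check with nft, then load (needs root and a live nft).
load_ruleset() {
    f=$(mktemp) || return 1
    gen_fw_ruleset > "$f" && nft -c -f "$f" && nft -f "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

case "${1:-}" in
    print) gen_fw_ruleset ;;
    load)  load_ruleset ;;
esac
```

Run it as `sh fw.sh print > /etc/nftables.conf` to inspect the output, or
`sh fw.sh load` on the firewall itself.  The "surprise" path Wolf warns
about shows up here as an extra line in the forward chain, which is why the
forward_accept_count check is worth wiring into whatever applies the config:
if the number changes, someone opened a zone.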