Hi, basically I'm doing a vulnerability assessment for at the moment. The setup includes a DMZ with a single firewall and an internal network (3-legged network model employing a single DMZ), but on the network all internal IP addresses have access to all DMZ hosts on any port.

What kind of vulnerabilities could be present with this kind of setup?

Thanks!

user1949280

1 Answer

The same vulnerabilities that exist between two internal workstations on the same network.

Things such as:

  • NetBIOS access
  • Accessing admin shares (C$) or any shares for that matter
  • Brute forcing DMZ accounts over the network
  • Remote registry access
  • RDP access

That's just for starters.

It's bad practice to allow unrestricted access from internal resources to DMZ assets. Why, you ask? Insider threats - which could essentially be broken down into 3 categories:

  • Employees with deliberate malicious intent
  • Incompetent employees who may accidentally cause an outage
  • Internal machines that have been compromised and are part of a botnet / controlled by a remote attacker.
k1DBLITZ
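As an added illustration (not part of the question or of this answer), here is a small Python model of the three-legged firewall that audits which of the lateral-movement services listed above an ordinary workstation can reach in the DMZ, first under the unrestricted policy from the question and then under a least-privilege policy with a default deny. The address ranges, the jump host and the port choices are assumptions made for the example.

```python
"""Model a three-legged firewall and audit which internal -> DMZ flows it permits."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str          # source CIDR
    dst: str          # destination CIDR
    ports: frozenset  # TCP destination ports, or ANY
    action: str       # "allow" or "deny"


# Constructed addressing for the example (assumptions, not taken from the question).
INTERNAL = "10.0.0.0/16"
DMZ = "192.168.100.0/24"
DMZ_WEB = "192.168.100.10/32"
JUMP_HOST = "10.0.5.5/32"
ANY = frozenset({"any"})

# The weak policy described in the question: every internal address reaches every DMZ host on every port.
WEAK_POLICY = [Rule(INTERNAL, DMZ, ANY, "allow")]

# Hardened policy: only the service users need, management only from one jump host, then deny the rest.
HARDENED_POLICY = [
    Rule(INTERNAL, DMZ_WEB, frozenset({443}), "allow"),
    Rule(JUMP_HOST, DMZ, frozenset({22, 3389}), "allow"),
    Rule(INTERNAL, DMZ, ANY, "deny"),
]


def first_match(policy, src, dst, port):
    """First-match evaluation like most packet filters, with an implicit deny at the end."""
    for r in policy:
        if (ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst)
                and (r.ports == ANY or port in r.ports)):
            return r.action
    return "deny"


# Services named in the answer: NetBIOS, SMB/admin shares, RPC for remote registry, RDP.
RISKY_PORTS = {"netbios": 139, "smb": 445, "rpc": 135, "rdp": 3389}


def audit(policy, src="10.0.7.42", dst="192.168.100.10"):
    """Return the risky services an ordinary workstation (src) can reach on a DMZ host (dst)."""
    return sorted(name for name, port in RISKY_PORTS.items()
                  if first_match(policy, src, dst, port) == "allow")


if __name__ == "__main__":
    print("weak policy exposes:", audit(WEAK_POLICY))          # all four services
    print("hardened policy exposes:", audit(HARDENED_POLICY))  # none
    print("jump host RDP:", first_match(HARDENED_POLICY, "10.0.5.5", "192.168.100.10", 3389))
```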
  • OK, that's a great answer! So the threat is predominantly going to come from inside the network (if not infected by malware). Going to assume best practice for mitigation would be to restrict access from inside the internal network as well? – user1949280 Sep 30 '14 at 17:52
  • Correct. In my opinion, the chance of a workstation being compromised by an outside attacker is exponentially higher than a server being compromised by an outside attacker. Workstations are operated by users who have a propensity to click things, have some form of direct internet access, and tend to use highly vulnerable programs like Flash or Adobe PDFs. The attack surface of a workstation is greater than that of a server. This means the internal workstations cannot be assumed trusted from a DMZ point of view and should not have unrestricted / unfiltered access to DMZ assets. – k1DBLITZ Sep 30 '14 at 18:02