
I have an organization's network, containing 4 zones: inside, outside, DMZ1 and DMZ2. DMZ1 contains external-facing servers - DNS, WEB and Mail servers. DMZ2 hosts internal servers- Radius, DHCP, Database, File and Application servers. All the zones are connected to the enterprise edge router. The problem is I don't understand what kind of traffic should be permitted between zones. How I see it:

Inside - DMZ1: The traffic should be inspected and inside should be allowed to get web, DNS and mail traffic on ports 25,43,80,53. All the other traffic will be blocked.

Inside - DMZ2: Inside should get packets from the Radius, DHCP, Database, File and Application servers.

Outside - inside: traffic blocked, only VPN allowed. (The company has two separate locations and a VPN will be used for communication.)

DMZ1 - Outside: All the servers should be seen from the internet. (Not sure)

DMZ2 - Outside: All the traffic is blocked.

I'm very new to networking and security and I might have a lot of mistakes. I would really appreciate the help to figure out what traffic should be passed between these zones to make the organization runnable.

1 Answer


All security must be thought of in terms of input and output. Just think about the first packet only (all the other ones are handled by connection tracking, unless your firewall doesn't support it).

So make a matrix with all the zones (inside, outside, DMZ1 and DMZ2) as input and the same zones as output. In each cell, you must define the allowed protocols with their associated ports. If a cell is empty, the traffic is blocked. If no rule is defined, the default rule is: DROP the packet.

Then you will be able to create the rules.

Example: in your case, you must have a cell

  • "outside-DMZ1", where the servers are seen from the Internet. Each server IP must be linked to its associated TCP/UDP port.
  • "DMZ1-outside" must only allow ports 80 and 443 (for updates) and port 53 (for DNS) from the DNS server (you may want a proxy so that 80/443 are allowed from only one host).
  • "outside-inside" must be empty: no connection allowed from outside.
  • "inside-outside": define the allowed rules, like 80/tcp, 443/tcp, 53/udp, 53/tcp...

In each cell, try to be as restrictive as possible (limit by source IP, destination, protocol, port).

Lastly, I suggest not naming it DMZ2, as external users never use these servers. You may name it "ServersZone"...

Dom
  • Thank you so much for the answer! But I still have questions: 1. "outside-DMZ1" - Does it mean that others from the Internet can access my DNS, WEB and Mail servers? I think I don't understand what "servers are seen from the Internet" means. 2. "DMZ1-outside" - is it necessary to use a proxy? I know a proxy is an intermediary but I'm not sure what it does in this case. 3. "inside-outside" - If I permit 80/tcp, 443/tcp, 53/udp, 53/tcp, it means that the inside will receive that traffic, right? 4. What about communications between DMZs or between DMZ1 and inside? Sorry for the questions, I'm just very confused. – Student777 Dec 12 '20 at 14:46
  • 1. Theoretically, the DMZ is used to put the servers that are open from the Internet. So "outside-DMZ1" should be the rules to allow/deny the connection from "outside" to "DMZ1". 2. A proxy is not mandatory: the servers can go directly to the Internet to get their updates. 3. Inside is the source of the request and outside the destination. The reverse is "outside-inside", where there should not be any rule. 4. No communication between DMZs unless needed! – Dom Dec 12 '20 at 18:22
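The zone matrix the answer describes, as an added example that is not part of the original thread or the answerer's code. It models the answer's three points in working form: the policy is consulted for the first packet of a flow only, with a small connection-tracking table admitting the replies; every (source zone, destination zone) cell lists the allowed protocol/port pairs, optionally pinned to a single host, and a missing cell means DROP; and the "outside-inside" cell is deliberately absent. The addressing, interface names, server IPs and the file/database ports are assumptions chosen for illustration, and DMZ2 is named "servers" as the answer suggests. It also adds one check the answer implies but does not spell out: a packet's source zone comes from the interface it arrived on, and a packet whose source address does not belong on that interface is dropped as spoofed.

```python
# Zone-matrix firewall model. Constructed example, not code from the thread;
# all addresses, interface names and host-specific ports below are assumed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing. Anything not inside a listed network is "outside".
ZONE_NETS = {
    "inside": ipaddress.ip_network("10.1.0.0/16"),
    "dmz1": ipaddress.ip_network("192.0.2.0/24"),    # public-facing servers
    "servers": ipaddress.ip_network("10.2.0.0/24"),  # the question's DMZ2
}
# Source zone is decided by the ingress interface, not by the claimed source
# address (assumed interface layout on the edge router).
IFACE_ZONE = {"eth0": "outside", "eth1": "inside", "eth2": "dmz1", "eth3": "servers"}
WEB, MAIL, DNS = "192.0.2.10", "192.0.2.20", "192.0.2.30"  # assumed DMZ1 hosts


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONE_NETS.items() if addr in net), "outside")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str
    dport: int
    src: Optional[str] = None  # host or CIDR; None = any host in the source zone
    dst: Optional[str] = None  # host or CIDR; None = any host in the destination zone

    def matches(self, p: Packet) -> bool:
        if (p.proto, p.dport) != (self.proto, self.dport):
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


# The matrix: (source zone, destination zone) -> rules for the FIRST packet.
# A missing cell is an empty cell, i.e. default DROP. ("outside", "inside")
# is deliberately absent, as the answer recommends.
POLICY = {
    ("outside", "dmz1"): [Rule("tcp", 80, dst=WEB), Rule("tcp", 443, dst=WEB),
                          Rule("tcp", 25, dst=MAIL),
                          Rule("udp", 53, dst=DNS), Rule("tcp", 53, dst=DNS)],
    ("dmz1", "outside"): [Rule("udp", 53, src=DNS), Rule("tcp", 53, src=DNS),  # DNS only from DNS host
                          Rule("tcp", 80), Rule("tcp", 443)],                   # updates
    ("inside", "outside"): [Rule("tcp", 80), Rule("tcp", 443), Rule("udp", 53), Rule("tcp", 53)],
    ("inside", "dmz1"): [Rule("tcp", 80, dst=WEB), Rule("tcp", 443, dst=WEB),
                         Rule("tcp", 25, dst=MAIL), Rule("udp", 53, dst=DNS)],
    ("inside", "servers"): [Rule("tcp", 445), Rule("tcp", 5432)],  # assumed file and database ports
}


class Firewall:
    """Stateful evaluation: the matrix is consulted for the first packet only."""

    def __init__(self, policy):
        self.policy = policy
        self.flows = set()  # established 5-tuples, like a conntrack table

    def decide(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "ACCEPT:established"       # reply or follow-up of an accepted flow
        src_zone = IFACE_ZONE[p.iface]
        if zone_of(p.src) != src_zone:        # source address does not belong on this interface
            return "DROP:spoofed-source"
        cell = self.policy.get((src_zone, zone_of(p.dst)), [])
        if any(r.matches(p) for r in cell):
            self.flows.add(fwd)
            return "ACCEPT:new"
        return "DROP:no-rule"


def demo():
    """Walk constructed packets through the matrix; returns the decisions in order."""
    fw = Firewall(POLICY)
    packets = [
        Packet("eth0", "203.0.113.5", WEB, "tcp", 51000, 80),          # Internet -> web server
        Packet("eth2", WEB, "203.0.113.5", "tcp", 80, 51000),          # the reply, same flow
        Packet("eth0", "203.0.113.5", MAIL, "tcp", 51001, 80),         # HTTP to the mail host
        Packet("eth0", "203.0.113.5", "10.1.0.7", "tcp", 51002, 443),  # Internet -> inside: no cell
        Packet("eth0", "10.1.0.9", WEB, "tcp", 51003, 80),             # inside address on outside iface
        Packet("eth2", WEB, "198.51.100.53", "udp", 40000, 53),        # web server doing its own DNS
        Packet("eth1", "10.1.0.7", "10.2.0.5", "tcp", 51004, 5432),    # workstation -> database
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The reply on the second packet is accepted without touching the matrix because the first packet created the flow entry, which is the "think about only the first packet" point; the fifth packet shows why the source zone must come from the ingress interface rather than the address, and the sixth shows the DNS-from-DNS-host restriction the answer recommends for the "DMZ1-outside" cell.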