11.2 Multiple DMZ Design


The multiple firewall design can be extended even further, creating multiple DMZs to protect corporate data. A multiple DMZ design allows administrators to further isolate public servers by placing each server inside a separate DMZ. Many security experts argue that a multiple DMZ design provides very few benefits, [1] and that the added capital expenditure, combined with the increased network complexity, negates any benefits that are gained.

[1] Except to firewall manufacturers

There are two types of multiple DMZ designs that are generally implemented:

  1. One which adds more layers to the current design.

  2. One which isolates each of the public servers into their own DMZ.

The first, an extension of Figure 11.4, simply adds more layers to the current design. This type of design, illustrated in Figure 11.6, is most useful when a public server needs to query a private server. In Figure 11.6 the web server has to query the database server. Rather than put the database server on the private network, it is moved to a separate network, sandwiched between two firewalls.

Figure 11.6. A multiple DMZ network, in which the database server is isolated from the private network. To ensure the integrity of the database server, a separate set of firewalls is added, and a DMZ is created.

graphics/11fig06.gif

The same types of rules that were used in the original DMZ design apply here. The first set of firewalls allows traffic from any source to the web server on Ports 80 and 443. The second firewall only allows traffic from the web server to the database server, on Port 3306 (the MySQL port). The third firewall is used to connect to the private network. Again, the third firewall is configured so that it will only allow certain types of connections from the database server through to the private network.

This design makes individual firewall management simpler, since the second and third firewalls each need only one rule. Overall, however, it can make network management more difficult by increasing the complexity of the network. The more devices added to a network, the greater the chance of a security breach.

A different type of multiple-DMZ design is to isolate each of the public servers into their own DMZ. Rather than use multiple firewalls, this design (Figure 11.7) relies on multiple interfaces on the same firewall. This type of multiple DMZ design isolates the public servers into separate private networks. Because the firewall terminates each of the networks, a DMZ is created for every server. The argument for this type of design is that, if an attacker gains access to an organization's web server, this design prevents the attacker from gaining access to any of the other public servers.

Figure 11.7. Rather than create an additional physical DMZ, this design uses additional interfaces on the firewall to isolate the networks

graphics/11fig07.gif

Of course, if the public servers are secured properly, the attacker should not be able to gain access to them anyway. Creating a multiple DMZ network design in this manner adds complexity to the firewall rule sets, and can make the firewall more difficult to monitor and maintain. In some cases, particularly when dealing with sensitive information, such as a VPN, using a secondary interface to create a DMZ makes sense. However, any new firewall or network complexities should be weighed carefully against the level of security benefit that may be achieved.

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska