This is a discussion on Hardware firewall and DMZ machine - put what services where? within the Linux Security forums, part of the System Security and Security Related category.
At the moment, I have one server doing all of my internet-related functions: firewall, web server, ntp server, rsync server, ftp server, mail server, etc. This feeds my office LAN, the "trusted network" on eth1, and the box connects to the net on eth0, with Shorewall doing the management between the two. I've got the "norfc1918" option set on the NIC connected to the net to prevent anything to do with the trusted network, which is in Class C address space, getting to the outside.

I'm learning more about security and have come across the school of making a DMZ machine to expose to the outside world, which makes sense to me as my website runs php and if it does fall over, at least that box can't get into my local lan and my personal files. I've just acquired another machine and wish to make it into a hardware firewall with 3 NICs: eth0 to connect to the net, eth1 to connect to the existing box (which will now lose its firewall function and become a DMZ machine with web/ftp/mail etc.) and eth2 to connect to the trusted network.

Now my questions are...

Obviously the DMZ machine will host web and ftp to the outside world. I assume it's also safe to leave the mail server stuff on it as well? I think it would be better to have an extra box on the trusted network to host the mail, but cost rules that out for me at the moment so mail's going to have to live on the current box. Is there any danger in leaving mail services on a DMZ machine, and if so, what can I do to improve the security? The trusted network runs machines that have to use POP3 to get mail into their local hard drives. I'm just a little concerned about having a POP3 server and an smtp entry point sitting outside the trusted network, even though it's still connected behind the firewall.

One aspect of the current web server setup is that I have to connect to it via samba to transfer website files from a WindoZe machine, which is the web authoring box. At the moment, the samba security is set so that (of course) it uses encrypted passwords, is limited to only one possible user, and only allows a connection from one IP address on the trusted network (the WindoZe box). I'm fairly sure this is good enough for the setup as it is now, but is this still good enough for when samba is sitting out on the DMZ machine? I think it is, but I'm no expert. Would it be of any advantage to remove samba from the DMZ machine and make it so that I have to ftp the files over to the http docs directory instead? Same goes for the FTP server: at the moment I have a samba FTP share set up to place and retrieve files for the trusted network. Keep it as it is or make all communications via FTP?

There are some services that are needed by all of the machines on the network, wherever they are: the current internet box is also an rsync and ntp server. In the new topology, where is it best to place the rsync and ntp servers, assuming there's a risk involved about "don't care"? All of the LINUX boxes need to rsync to the one reference machine, so where do I put that? On the DMZ machine or on the firewall machine? Likewise, all machines need to set their clocks to the one reference machine, so does ntpd live in the DMZ or in the firewall machine, or does it simply not matter?

Finally, the matter of a DNS server, which is only used to point the outside world to the website the DMZ hosts. Where should that live - DMZ or firewall? DHCP server? It's only used for allocating addresses on the trusted network.

As I said, I'm no expert, but I know enough to not just casually assume that 2+2 = 4 when it comes to networking and security.
<snip>

> Now my questions are...
>
> obviously the DMZ machine will host web and ftp to the outside world. I assume it's also safe to leave the mail server stuff on it as well? I think it would be better to have an extra box on the trusted network to host the mail, but cost rules that out for me at the moment so mail's going to have to live on the current box. Is there any danger in leaving mail services on a DMZ machine, and if so, what can I do to improve the security? The trusted network runs machines that have to use POP3 to get mail into their local hard drives. I'm just a little concerned about having a POP3 server and an smtp entry point sitting outside the trusted network, even though it's still connected behind the firewall.

Your firewall machine should ideally do nothing but routing/firewall, and have no services installed that could conceivably respond to requests for network connections in any way. If it was compromised, the cracker could then alter the routing/firewall and you would lose all the protection you gained.

You really need another server on the trusted network to handle things like your mail services; keep that separate from services to the outside. If you literally have no choice but to put mail, and as mentioned later, smb services on the same host as your ftp/http to the world, then you lose most of the protection you would get from setting up the DMZ. I would re-think the options, and keep in mind that if it's a small internal network, you very likely can use an older machine for services to your internal network.

> One aspect of the current web server setup is that I have to connect to it via samba to transfer website files from a WindoZe machine, which is the web authoring box. At the moment, the samba security is set so that (of course) it uses encrypted passwords, is limited to only one possible user, and only allows a connection from one IP address on the trusted network (the WindoZe box). I'm fairly sure this is good enough for the setup as it is now, but is this still good enough for when samba is sitting out on the DMZ machine? I think it is, but I'm no expert. Would it be of any advantage to remove samba from the DMZ machine and make it so that I have to ftp the files over to the http docs directory instead? Same goes for the FTP server: at the moment I have a samba FTP share set up to place and retrieve files for the trusted network. Keep it as it is or make all communications via FTP?

I would use ssh instead of ftp.

> There are some services that are needed by all of the machines on the network, wherever they are: the current internet box is also an rsync and ntp server. In the new topology, where is it best to place the rsync and ntp servers, assuming there's a risk involved about "don't care"? All of the LINUX boxes need to rsync to the one reference machine, so where do I put that? On the DMZ machine or on the firewall machine?

Again, definitely not on the firewall machine, and these shouldn't be on the DMZ machine either. The whole idea is to have the externally-visible server completely separated from your internal data and machines.

> Likewise, all machines need to set their clocks to the one reference machine, so does ntpd live in the DMZ or in the firewall machine, or does it simply not matter?
>
> Finally, the matter of a DNS server, which is only used to point the outside world to the website the DMZ hosts. Where should that live - DMZ or firewall? DHCP server? It's only used for allocating addresses on the trusted network.
>
> As I said, I'm no expert, but I know enough to not just casually assume that 2+2 = 4 when it comes to networking and security.

Again, better on the server than the firewall machine. You'll want to research your options for DNS server software. The default BIND has historically had many security problems, although it may have tightened up now; I haven't needed to keep up with all the latest.

It sounds like you're trying to be careful, and that's good. I assume you have read at least the security HOWTOs from the LDP?
I've scanned the howto and there's certainly a lot to absorb.

OK, I won't put a mail service on the DMZ machine. I *do* however need to be able to send emails from the DMZ machine as the website needs to send out emails from its php engine via SMTP, so I'll install qmail on that, set it up so that it will only accept mail commands from one source (itself), and modify the php code to use whatever command syntax qmail requires, if any - I haven't played with qmail yet but it looks like I'm going to :)

I assume it's still safe to host DNS on the DMZ machine? After all, it's only going to be used to point to the website on the DMZ machine itself, so shouldn't that be all right?

I'll find a cheap server to host a mail service for the trusted network.

The only things I really need to sort right away are the DHCP, ntp, and rsync servers. Now since I currently have shorewall blocking all connections to these from the outside, is it still acceptable to put these on the firewall machine so that the trusted network can get access to them? This maintains what you say, that the firewall shouldn't respond to any requests to these servers from the outside.
On Tue, 13 Sep 2005 11:53:07 +1000, wrote:

> I've scanned the howto and there's certainly a lot to absorb.
>
> OK, I won't put a mail service on the DMZ machine. I *do* however need to be able to send emails from the DMZ machine as the website needs to send out emails from its php engine via SMTP, so I'll install qmail on that, set it up so that it will only accept mail commands from one source (itself), and modify the php code to use whatever command syntax qmail requires, if any - I haven't played with qmail yet but it looks like I'm going to :)

Of course, if it needs to send mail out, then it needs something like that.

> I assume it's still safe to host DNS on the DMZ machine? After all, it's only going to be used to point to the website on the DMZ machine itself, so shouldn't that be all right?

Makes sense to combine these. Every function added to the machine is one more point where something could go wrong, but you have to draw the line somewhere :)

> I'll find a cheap server to host a mail service for the trusted network.

Good.

> The only things I really need to sort right away are the DHCP, ntp, and rsync servers. Now since I currently have shorewall blocking all connections to these from the outside, is it still acceptable to put these on the firewall machine so that the trusted network can get access to them? This maintains what you say, that the firewall shouldn't respond to any requests to these servers from the outside.

I wouldn't, unless there is absolutely no choice in your situation. Much better to have them on the same server with the mail, and leave the firewall to do just one job.

In short, ideally you would have the firewall/router doing only that, the server in the DMZ only doing the things it HAS to do, and one or more servers on the trusted network to supply internal machines with their needs. In a business, often (always?) a breach of the internal LAN would do much more damage than the cost of another server machine, so you will most likely be happier in the end.

Another note, even though you didn't ask :) I haven't used shorewall, preferring to "roll my own" ruleset. It may do an adequate or even an excellent job, but you should look at it long enough to understand the rules it provides, and make sure it does what you want it to. I have looked at the results from several packages that build rules for you, and none of them have been anywhere near as paranoid as the rules I use for my home system. Paranoia is a good thing...
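The layering the reply describes (firewall that only routes and filters, a DMZ host that serves only what it must, internal services on the trusted LAN), written out as a Shorewall configuration for the poster's three-NIC box. This is an added example, not the thread author's or the Shorewall project's own configuration: it uses the Shorewall 3.x file layout, keeps the interface assignment from the first post (eth0 net, eth1 DMZ, eth2 trusted LAN), and assumes a single public address with masquerading and a placeholder DMZ address of 192.168.2.2. The DMZ address, the zone names and the exact port list are assumptions to adjust.

```text
# /etc/shorewall/zones   (Shorewall 3.x layout, assumed)
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# norfc1918 on eth0 is the option the first post already uses; the dhcp
# option on eth2 is needed only while the DHCP server still lives here.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter,tcpflags,nosmurfs
dmz     eth1        detect      tcpflags
loc     eth2        detect      tcpflags,dhcp

# /etc/shorewall/masq   -- one public address on eth0 (assumption)
#INTERFACE  SOURCE
eth0        eth1
eth0        eth2

# /etc/shorewall/policy  -- the defaults carry the reply's advice:
# nothing reaches the firewall from outside, and the DMZ host can never
# open a connection into the trusted LAN, web server compromise or not.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     REJECT  info
loc     fw      REJECT  info
dmz     net     REJECT  info
dmz     loc     DROP    info
dmz     fw      DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  -- only named services punch through the policy
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
# Outside world -> DMZ host only, and only the services it exists for.
# (192.168.2.2 is a placeholder for the DMZ host's private address.)
DNAT    net     dmz:192.168.2.2     tcp     80,443      # web
DNAT    net     dmz:192.168.2.2     tcp     21          # ftp; needs the ftp conntrack helper Shorewall normally loads
DNAT    net     dmz:192.168.2.2     tcp     53          # authoritative DNS for the site
DNAT    net     dmz:192.168.2.2     udp     53
# DMZ host -> outside: outbound mail from the site's php via its local
# MTA, plus the DNS lookups that outbound mail needs. Nothing else.
ACCEPT  dmz     net                 tcp     25
ACCEPT  dmz     net                 tcp     53
ACCEPT  dmz     net                 udp     53
# Trusted LAN -> DMZ host: ssh for publishing site files (the reply's
# alternative to samba/ftp) and plain web access to check the site.
ACCEPT  loc     dmz                 tcp     22
ACCEPT  loc     dmz                 tcp     80,443
# Interim only: ntp, rsync and admin access to the firewall from the LAN,
# until these services move to the internal server. Delete when they do.
ACCEPT  loc     fw                  udp     123         # ntp
ACCEPT  loc     fw                  tcp     873         # rsync
ACCEPT  loc     fw                  tcp     22          # ssh admin
# Firewall itself -> outside: time and name resolution only.
ACCEPT  fw      net                 udp     123
ACCEPT  fw      net                 udp     53
```

Run `shorewall check` before `shorewall restart` so a typo in any of the files is caught before the running ruleset is replaced. The policy file is what makes the topology worth having: with `dmz loc DROP` and `net all DROP` as defaults, adding a service to the DMZ host later means adding one explicit line to rules, and the logged policy drops show any attempt by the DMZ host to reach the trusted LAN.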
In that case I'll just have to leave the rsync/ntp/dhcp services on the firewall machine for now, so at least the LAN can get to them, and I'll shortly build up a new machine, which was going to be just a file server for the LAN, but can now host these services (plus mail) as well. When I get the file server built up, I'll just wipe them off the firewall and it'll just be doing the one job then. My power company's gonna love me...
Separate every service you want to provide to the outside world from the firewall - really.

www.ipcop.org

Set that up (it supports a DMZ, and VPN tunnels, and lots more) and forget about it...