Hi! I have recently implemented a 3-interface shorewall firewall in my web application. It was a breeze to set up thanks to Tom and the extensive documentation. I am using ProxyARP since it was easy to set up and preferred by Tom. So far there have not been any performance problems.

I have 2 servers in the DMZ with public IPs and which are win2k servers, one of them running the application server which opens a lot of software ports to the world besides 80, 443 and 25. The application server needs to be communicating with a SQL 2000 DB constantly via ODBC which is in the LOC zone. Thanks to the various options available, I have managed to keep the accesses really tight in terms of terminal services etc.

But, I was wondering if there was an inherent flaw in my design by keeping the application server in the DMZ, since if it gets compromised there is a direct connection from it to the LOC zone.

Secondly, I am wondering if it would be better to use DNAT rather than direct connections between zones, e.g.

DNAT dmz loc:192.168.0.5:1433 tcp 6500

or

ACCEPT dmz loc tcp 1433

The advantage with the former is that I can deny all incoming connections from the DMZ to the LOC zone and only allow connections through the firewall. But would there be any performance considerations with the former?

OR is it in the best interest to move the application server from the DMZ to the LOC zone and use DNAT for all incoming requests on the firewall to go to the application server, but would performance be hindered by doing that?

I have applied all the patches/fixes on the Windows boxes but am not sure about the application-specific ports as the software is a third party's.

The firewall runs Redhat 9.0 and a custom compiled monolithic kernel 2.4.22 and shorewall 1.4.6c. Hardware is 512MB RAM on a P4 1.7 GHz.

Thanks in advance for any suggestions/comments.

Regards,
Arjun
On Sat, 2003-10-04 at 18:20, Arjun Kaul wrote:

> But, I was wondering if there was an inherent flaw in my design by keeping
> the application server in the DMZ, since if it gets compromised there is a
> direct connection from it to the LOC zone.

If you need external access to the application server and the application server needs access to the SQL server then what choice do you have?

> Secondly, I am wondering if it would be better to use DNAT rather than
> direct connections between zones e.g.
>
> DNAT dmz loc:192.168.0.5:1433 tcp 6500
>
> or
>
> ACCEPT dmz loc tcp 1433
>
> The advantage with the former is that I can deny all incoming connections
> from the DMZ to the LOC zone and only allow connections through the firewall. But
> would there be any performance considerations with the former.

Using DNAT in this situation is inherently no more secure than using ACCEPT rules. For a discussion of when to use ACCEPT and when to use DNAT, see FAQ 30.

-Tom
-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
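As an added illustration of Tom's point (this is not code from the thread or from Shorewall itself), the script below parses Shorewall 1.4 rules lines into the flow each one opens and checks them against the same concrete connection: the DNAT and ACCEPT forms both let any DMZ host reach 192.168.0.5:1433, and only a source-qualified rule narrows that to one server. The address 203.0.113.10 stands in for the application server's public IP, which the thread does not give.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str
    src_zone: str
    src_host: Optional[str]  # None: any host in the source zone may connect
    dst_zone: str
    dst_host: Optional[str]  # None: any host in the destination zone
    proto: str
    port: str                # port the connection finally reaches on the server

def parse_rule(line: str) -> Rule:
    """Parse a Shorewall 1.4 rules line: ACTION SOURCE DEST PROTO DEST-PORT [...]."""
    f = line.split()
    action, source, dest, proto = f[0].upper(), f[1], f[2], f[3].lower()
    port = f[4] if len(f) > 4 else "-"
    src_zone, _, src_host = source.partition(":")
    dst = dest.split(":")
    dst_zone = dst[0]
    dst_host = dst[1] if len(dst) > 1 else ""
    if action == "DNAT" and len(dst) > 2:
        port = dst[2]  # DNAT zone:addr:port rewrites the advertised port to this one
    return Rule(action, src_zone, src_host or None, dst_zone, dst_host or None, proto, port)

def permits(rule: Rule, src_zone: str, src_host: str,
            dst_zone: str, dst_host: str, proto: str, port: str) -> bool:
    """True if this connection, as it arrives at the server, is allowed by the rule."""
    return (rule.src_zone == src_zone and rule.src_host in (None, src_host)
            and rule.dst_zone == dst_zone and rule.dst_host in (None, dst_host)
            and rule.proto == proto and rule.port in ("-", port))

def unrestricted_sources(rules):
    """Rules that let every host in the source zone, not one named server, open the flow."""
    return [r for r in rules if r.src_host is None]

if __name__ == "__main__":
    # The two rules from the thread plus a tightened one; 203.0.113.10 is a
    # constructed stand-in for the application server's public address.
    rules = [parse_rule("DNAT dmz loc:192.168.0.5:1433 tcp 6500"),
             parse_rule("ACCEPT dmz loc tcp 1433"),
             parse_rule("ACCEPT dmz:203.0.113.10 loc:192.168.0.5 tcp 1433")]
    for r in rules:
        app = permits(r, "dmz", "203.0.113.10", "loc", "192.168.0.5", "tcp", "1433")
        other = permits(r, "dmz", "203.0.113.11", "loc", "192.168.0.5", "tcp", "1433")
        print(f"{r.action:6} app->SQL: {app}  other DMZ host->SQL: {other}")
    print("rules open to the whole DMZ:", len(unrestricted_sources(rules)))
```

The third rule is the defensive variant the exchange points toward: the exposure of the SQL port is decided by which source hosts may reach it, not by whether the rule is written as DNAT or ACCEPT.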