Topic
  • 6 replies
  • Latest Post - ‏2013-04-04T20:15:47Z by SystemAdmin
SystemAdmin
6772 Posts

Pinned topic DP Ethernet ports for different network trust zones

‏2013-04-04T13:36:33Z |
Hi,

Our candidate DP customer is asking us to use the same DP appliance in more than one network trust zone (DMZ + internal network, i.e. LAN).
Originally, the client's use case for DP was to expose/virtualize web services to the external world from the DMZ, managing security and message routing based on message content.

Now, he wants to use DP for another set of web services running in the client's internal network (not the DMZ).

Would this be possible? Is this approach supported in terms of network security, guaranteeing separation of both network zones?

Thanks in advance,
Javier
Updated on 2013-04-04T20:15:47Z at 2013-04-04T20:15:47Z by SystemAdmin
  • kenhygh
    1607 Posts

    Re: DP Ethernet ports for different network trust zones

    ‏2013-04-04T14:04:54Z  
    Javier,
    There's nothing inside the box to physically separate the two streams, other than separate NICs. Nothing that guarantees that traffic from one zone cannot get to the other.

    Most shops I've worked with assume that any device in the DMZ is compromised, and do not allow TrustedZone->DMZ->TrustedZone traffic.

    But some shops do. Especially if that traffic is "low value" if compromised.

    Ken
  • SystemAdmin
    6772 Posts

    Re: DP Ethernet ports for different network trust zones

    ‏2013-04-04T14:23:49Z  
    • kenhygh
    • ‏2013-04-04T14:04:54Z
    Thanks Ken.

    One more question to close my response to the customer. Now they have a couple of servers in the DMZ with one NIC for external requests and another NIC for internal requests. Both NICs are managed by firewall rules.

    Is the current customer scenario (in terms of security) the same as the one you mentioned, having one DP box for both kinds of requests?

    Thanks again
  • kenhygh
    1607 Posts

    Re: DP Ethernet ports for different network trust zones

    ‏2013-04-04T16:18:54Z  
    Javier,
    let's say you have a setup like the following:

    internetClient <-> firewall_1 <-> DMZ server <-> firewall_2 <-> trusted zone

    where the 'DMZ Server' (DataPower or anything else) has a NIC connected to firewall_1 and a separate NIC connected to firewall_2.

    If somehow 'DMZ Server' is compromised, unless there's physical partitioning of network packets, someone from outside firewall_1 could conceivably see traffic that travels from trusted zone to DMZ Server to trusted zone.

    The firewall rules will necessarily allow traffic from internetClient to DMZ Server, and necessarily allow traffic from DMZ Server to trusted zone. If a programmer/configurer on 'DMZ Server' (again, whether DataPower or anything else) makes an error, there's nothing to stop traffic from flowing from internetClient all the way to any trusted zone server available to DMZ Server, whether that trusted zone server was supposed to be available only from a trusted zone client or not.

    That explanation may be a tad confusing, but this isn't a trivial scenario.

    Ken
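The path Ken describes can be made concrete with a small reachability model. This is an added example, not code from the thread and not DataPower configuration: the dual-homed box is modelled as a DMZ-resident proxy, firewall_1 and firewall_2 as stateless permit rules, and each proxied web service as a listener on one of the box's addresses that forwards to a backend. All addresses, ports, service names and rules below are constructed for illustration. The "routing error" case is the configurer mistake from the post: the public-facing service is pointed at a backend that only LAN clients were ever meant to reach.

```python
from dataclasses import dataclass

INTERNET, DMZ, TRUSTED = "internet", "dmz", "trusted"
ANY_ADDR = "0.0.0.0"  # a listener bound to every interface of the box


@dataclass(frozen=True)
class Rule:
    """Stateless firewall permit: traffic originating in src_zone may reach dst_addr:dst_port."""
    src_zone: str
    dst_addr: str
    dst_port: int


@dataclass(frozen=True)
class Service:
    """Proxy service on the dual-homed box: accepts on listen_addr:listen_port, forwards to a backend."""
    name: str
    listen_addr: str
    listen_port: int
    backend_addr: str
    backend_port: int


@dataclass(frozen=True)
class Topology:
    box_addrs: tuple   # the box's NIC addresses, one per attached network
    addr_zone: dict    # every address -> the zone it lives in
    rules: tuple
    services: tuple

    def permitted(self, src_zone, dst_addr, dst_port):
        return Rule(src_zone, dst_addr, dst_port) in self.rules

    def listener_addrs(self, svc):
        return self.box_addrs if svc.listen_addr == ANY_ADDR else (svc.listen_addr,)

    def reachable_from(self, zone):
        """Endpoints (addr, port) a client in `zone` can reach, directly or through proxy hops.

        A hop succeeds when the client can reach a service's listener and the firewall
        permits the box (which sits in the DMZ) to open the service's backend.
        """
        reached = {(r.dst_addr, r.dst_port) for r in self.rules if r.src_zone == zone}
        changed = True
        while changed:  # fixed point, so chains of services are followed too
            changed = False
            for svc in self.services:
                hit = any((a, svc.listen_port) in reached for a in self.listener_addrs(svc))
                backend = (svc.backend_addr, svc.backend_port)
                if hit and backend not in reached and self.permitted(DMZ, *backend):
                    reached.add(backend)
                    changed = True
        return reached

    def trusted_exposure(self, zone=INTERNET):
        """Sorted trusted-zone endpoints reachable from `zone`."""
        return sorted(e for e in self.reachable_from(zone) if self.addr_zone[e[0]] == TRUSTED)


# Constructed addresses: the box has one NIC towards firewall_1 and one towards firewall_2.
EXT_NIC, INT_NIC = "203.0.113.10", "10.10.0.10"
PUBLIC_WS, HR_WS = "10.20.0.5", "10.20.0.9"   # both live in the trusted zone
ADDR_ZONE = {EXT_NIC: DMZ, INT_NIC: DMZ, PUBLIC_WS: TRUSTED, HR_WS: TRUSTED}

RULES = (
    Rule(INTERNET, EXT_NIC, 443),  # firewall_1: internet clients may hit the public listener
    Rule(TRUSTED, INT_NIC, 443),   # LAN clients may hit the internal listener
    Rule(DMZ, PUBLIC_WS, 8443),    # firewall_2: the box must reach every backend it fronts,
    Rule(DMZ, HR_WS, 8443),        # so this permit is unavoidable once hr-ws is proxied
)


def build(public_backend=PUBLIC_WS):
    return Topology(
        box_addrs=(EXT_NIC, INT_NIC),
        addr_zone=ADDR_ZONE,
        rules=RULES,
        services=(
            Service("public-ws", EXT_NIC, 443, public_backend, 8443),
            Service("internal-ws", INT_NIC, 443, HR_WS, 8443),
        ),
    )


def intended():
    """Configuration as designed: only the public backend is exposed to the internet."""
    return build()


def routing_error():
    """Configurer mistake: the public-facing service now forwards to the LAN-only HR backend."""
    return build(public_backend=HR_WS)


if __name__ == "__main__":
    for label, topo in (("intended", intended()), ("routing error", routing_error())):
        print(f"{label:14s} internet -> trusted: {topo.trusted_exposure()}")
```

The point the model makes is that no firewall rule change fixes the second case: firewall_2 has to permit the box to reach hr-ws for the internal service to work at all, so the only thing standing between an internet client and hr-ws is the routing configuration on the box itself.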
  • SystemAdmin
    6772 Posts

    Re: DP Ethernet ports for different network trust zones

    ‏2013-04-04T17:23:43Z  
    • kenhygh
    • ‏2013-04-04T16:18:54Z
    Ken,
    You are correct about our customer scenario and I understand your explanation.

    But when you mentioned "unless there's physical partitioning of network packets", are you referring to having different VLANs configured?

    Apologies; as you suspect, I'm not a networking guy.
    Thanks
  • kenhygh
    1607 Posts

    Re: DP Ethernet ports for different network trust zones

    ‏2013-04-04T18:35:34Z  
    Some network devices have hardware partitioning. This is not VLANs.
  • SystemAdmin
    6772 Posts

    Re: DP Ethernet ports for different network trust zones

    ‏2013-04-04T20:15:47Z  
    • kenhygh
    • ‏2013-04-04T18:35:34Z
    Thanks Ken for your support. Thread closed.