Our candidate DP customer is asking us to use the same DP appliance in more than one network trust zone (DMZ + Internal Network -LAN-).
Originally, the client use case for DP was related to exposing/virtualizing web services to the external world in the DMZ, managing security and message routing based on message content.
Now, he wants to use DP for another set of web services running in the client internal network (not the DMZ).
Could it be possible? Is this approach supported in terms of network security, guaranteeing both network zones' separation?
Thanks in advance,
Pinned topic DP Ethernet ports for different network trust zones
Updated on 2013-04-04T20:15:47Z by SystemAdmin
Re: DP Ethernet ports for different network trust zones 2013-04-04T14:04:54Z (accepted answer)
Javier,
There's nothing inside the box to physically separate the two streams, other than separate NICs. Nothing that guarantees that traffic from one zone cannot get to the other.
Most shops I've worked with assume that any device in the DMZ is compromised, and do not allow TrustedZone->DMZ->TrustedZone traffic.
But some shops do. Especially if that traffic is "low value" if compromised.
Re: DP Ethernet ports for different network trust zones 2013-04-04T14:23:49Z
- kenhygh 120000PD1B
One more question to close my response with the customer. Now they have a couple of servers in the DMZ, each having one NIC for external requests and another NIC for internal requests. Both NICs are managed by firewall rules.
Is the current customer scenario (in terms of security) the same as the one you mentioned, having one DP box for both kinds of requests?
Re: DP Ethernet ports for different network trust zones 2013-04-04T16:18:54Z
- SystemAdmin 110000D4XK
Let's say you have a setup like the following:
internetClient <-> firewall_1 <-> DMZ server <-> firewall_2 <-> trusted zone
where the 'DMZ Server' (datapower or anything else) has a nic connected to firewall_1 and a separate nic connected to firewall_2.
If somehow 'DMZ Server' is compromised, unless there's physical partitioning of network packets, someone from outside firewall_1 could conceivably see traffic that travels from trusted zone to DMZ Server to trusted zone.
The firewall rules will necessarily allow traffic from internetClient to DMZ server, and necessarily allow traffic from DMZ server to trusted zone. If a programmer/configurer on 'DMZ server' (again, whether DataPower or anything else) makes an error, there's nothing to stop traffic from flowing from internetClient all the way to any trusted zone server available to DMZ Server, whether or not that trusted zone server was supposed to be available only from a trusted zone client.
That explanation may be a tad confusing, but this isn't a trivial scenario.
Re: DP Ethernet ports for different network trust zones 2013-04-04T17:23:43Z
- kenhygh 120000PD1B
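To make the point above concrete, here is an added example (not from the thread, and not IBM or DataPower code): a small reachability model of the topology kenhygh describes, with constructed host names. Firewall_2 only ever sees connections originating from the DMZ box's internal NIC, so a single mistaken backend on an external-facing service exposes a LAN-only server even though no firewall rule changed.

```python
from collections import deque

# Constructed topology: internetClient <-> firewall_1 <-> dmzServer <-> firewall_2 <-> trusted zone.
# Each rule is a (source, destination) flow a firewall permits. "dmzServer:ext" and
# "dmzServer:int" are the two NICs of the multihomed DMZ box (names are assumptions).
FIREWALL_RULES = {
    ("internetClient", "dmzServer:ext"),   # firewall_1: internet to the external NIC
    ("lanClient", "dmzServer:int"),        # firewall_2: LAN clients to the internal NIC
    ("dmzServer:int", "publicBackend"),    # firewall_2: DMZ box to the published service
    ("dmzServer:int", "internalBackend"),  # firewall_2: DMZ box to the LAN-only service
}
TRUSTED_SERVERS = {"publicBackend", "internalBackend"}

def firewall_permits(src, dst, rules=FIREWALL_RULES):
    """What a rule review alone would conclude about a flow."""
    return (src, dst) in rules

def build_graph(rules, proxy_forwards):
    """Edges are permitted flows plus the DMZ box's own forwarding. proxy_forwards maps
    an inbound listener (NIC) to the backends its services call. The proxy terminates
    the inbound connection and opens a new one from dmzServer:int, so firewall_2 only
    sees dmzServer:int -> backend and cannot tell which NIC the request arrived on."""
    graph = {}
    for src, dst in rules:
        graph.setdefault(src, set()).add(dst)
    for listener, backends in proxy_forwards.items():
        for backend in backends:
            if ("dmzServer:int", backend) in rules:
                graph.setdefault(listener, set()).add(backend)
    return graph

def reachable_from(src, graph):
    """Breadth-first transitive reachability over the flow graph."""
    seen, queue = set(), deque([src])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposed_trusted_servers(proxy_forwards, rules=FIREWALL_RULES):
    """Trusted-zone hosts an internet client can reach end to end via the DMZ box."""
    graph = build_graph(rules, proxy_forwards)
    return reachable_from("internetClient", graph) & TRUSTED_SERVERS

# Intended configuration: external-facing services only call the published backend.
INTENDED = {"dmzServer:ext": {"publicBackend"}, "dmzServer:int": {"internalBackend"}}
# One wrong backend URL on an external-facing service; firewall rules are unchanged.
MISTAKE = {"dmzServer:ext": {"publicBackend", "internalBackend"}, "dmzServer:int": {"internalBackend"}}

if __name__ == "__main__":
    print(firewall_permits("internetClient", "internalBackend"))  # False: rules say denied
    print(sorted(exposed_trusted_servers(INTENDED)))              # ['publicBackend']
    print(sorted(exposed_trusted_servers(MISTAKE)))               # ['internalBackend', 'publicBackend']
```

The gap between the first and third result is exactly the configuration-error risk described in the answer: the firewalls are correct, yet the end-to-end path exists.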
You are correct about our customer scenario and I understand your explanation.
But when you mentioned "unless there's physical partitioning of network packets", are you referring to having different VLANs configured?
Apologies; as you suspect, I'm not a networking guy.