Mailserver / Webserver in DMZ or not?

houseofdreams
Posts: 67
Joined: January 18th, 2015, 3:35 pm

Mailserver / Webserver in DMZ or not?

Post by houseofdreams » January 22nd, 2015, 10:32 pm

Hi... My basic firewall/IPS setup is almost complete. I'm using the full color range (red/green/blue/orange).

Now I'm focusing on the DMZ section, but I have some questions. I've been reading a lot online, and most people still choose to put their mail & webserver in the DMZ. We use Kerio Connect on Linux as our mailserver; our webserver is also Linux based.

I understand the reason for putting both servers in a DMZ, but in our case we have a Windows domain, and users on the mailserver are connected to this domain. When I now move this server to the DMZ, the orange network has no direct connection to the green network, where our domain controllers are located. I know you can start opening pinholes to let the mailserver connect, but if I start opening ports, doesn't that just defeat the purpose of putting the server in a closed-off section? If a hacker gets access to the server, he has open ports to connect to my green network?

Or am I missing something?

Kind regards

Roberto Peña
Posts: 573
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)
Contact:

Re: Mailserver / Webserver in DMZ or not?

Post by Roberto Peña » January 23rd, 2015, 12:01 pm

Hello.

From what I know, if you have a computer with a vulnerability within the LAN and a hacker exploits this vulnerability, he will have access to all devices on the LAN, since he has taken control of the affected system. However, if the computer with the vulnerability is in a DMZ (for example), the hacker will only have access to the LAN ports that are enabled. But note that if you allow access from the LAN to the DMZ, communication will be unidirectional. So, LAN ---> DMZ, not backwards.

In my view, if a computer is accessible from the outside, put it in the DMZ without thinking.

Sorry for my English, it is Google Translator.

houseofdreams
Posts: 67
Joined: January 18th, 2015, 3:35 pm

Re: Mailserver / Webserver in DMZ or not?

Post by houseofdreams » January 24th, 2015, 9:44 pm

My webserver is now located in the DMZ, the portforwarding is done, now I only need to move the mailserver....

The only thing that is very different from a basic household router is that on a simple router a DMZ is a single IP address that is fully exposed to the internet. In IPFire, the DMZ is a separate network BEHIND the firewall. The firewall is the first line of defense; if one of the servers gets compromised, a second firewall is there to block them..

This major difference in DMZ "understandings" is why I had so much trouble in understanding the need for a DMZ :)

aesis
Posts: 803
Joined: November 17th, 2012, 10:21 pm

Re: Mailserver / Webserver in DMZ or not?

Post by aesis » January 25th, 2015, 12:47 pm

houseofdreams wrote:My webserver is now located in the DMZ, the portforwarding is done, now I only need to move In IPFire, the DMZ is a separate network BEHIND the firewall. The firewall is the first line of defense, if one of the servers gets compromised, a second firewall is there to block them..

This major difference in DMZ "understandings" is why I had so much trouble in understanding the need for a DMZ :)

As far as I know I can't agree with that. Orange is in front of the firewall, not behind it, so no firewall rules affect this network. That's why it's called a demilitarized zone.

houseofdreams
Posts: 67
Joined: January 18th, 2015, 3:35 pm

Re: Mailserver / Webserver in DMZ or not?

Post by houseofdreams » January 25th, 2015, 12:49 pm

aesis wrote:
houseofdreams wrote:My webserver is now located in the DMZ, the portforwarding is done, now I only need to move In IPFire, the DMZ is a separate network BEHIND the firewall. The firewall is the first line of defense, if one of the servers gets compromised, a second firewall is there to block them..

This major difference in DMZ "understandings" is why I had so much trouble in understanding the need for a DMZ :)

As far as I know I can't agree with that. Orange is in front of the firewall, not behind it, so no firewall rules affect this network. That's why it's called a demilitarized zone.


When I do a portscan with the portforwarding 21 to the webserver enabled, it gives the following info

    No connection could be made because the target machine actively refused it xx.xx.xx.xx:21


When I remove the portforwarding, it gives the info

    Timeout


The xx.xx.xx.xx is my outside world IP, the "error" it gives is because my FTP server isn't completely setup yet... If portforwarding does not make a difference, why do these 2 results differ? (I used MXToolbox port scan)

I do have a basic iptables firewall in place on the webserver that only accepts 21, 22 and 80 for now, all the rest gets dropped...
Last edited by houseofdreams on January 25th, 2015, 1:04 pm, edited 3 times in total.

aesis
Posts: 803
Joined: November 17th, 2012, 10:21 pm

Re: Mailserver / Webserver in DMZ or not?

Post by aesis » January 25th, 2015, 12:53 pm

houseofdreams wrote:Ok, why does a port scan then show port 21 closed when I remove the portforwarding to the webserver? I will doublecheck to confirm this, but I saw this yesterday...

Because port forwarding as a routing function has nothing to do with any firewall functions or rules.

houseofdreams
Posts: 67
Joined: January 18th, 2015, 3:35 pm

Re: Mailserver / Webserver in DMZ or not?

Post by houseofdreams » January 25th, 2015, 12:57 pm

I was changing my former post when you replied, please check that post again for my reaction :-)

aesis
Posts: 803
Joined: November 17th, 2012, 10:21 pm

Re: Mailserver / Webserver in DMZ or not?

Post by aesis » January 25th, 2015, 1:09 pm

houseofdreams wrote:When I remove the portforwaring, it gives the info

    No connection could be made because the target machine actively refused it xx.xx.xx.xx:21


The xx.xx.xx.xx is my outside world IP, the "error" it gives is because my FTP server isn't completely setup yet... If portforwarding does not make a difference, why do these 2 results differ? (I used MXToolbox port scan)

I do have a basic iptables firewall in place on the webserver that only accepts 21, 22 and 80 for now, all the rest gets dropped...

Port forwarding has nothing to do with the firewall. As the name DMZ says.

If you create a port forwarding to a single machine with a service running/listening on this port, you only tell ipfire how to react on requests from the internet to that specific port. If it does not know what to do with the request (no port forward defined) it just drops that request (it doesn't know the target but needs to know it, otherwise you will get in trouble if you have several services listening on this port in your LAN, or ipfire doesn't listen on that port itself), but if it knows the target machine (IP) it just forwards that request to the specified machine.
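To make the distinction aesis draws here concrete, and to tie it back to the pinhole question in the opening post, here is a small model of a three-zone filter (red = internet, green = LAN, orange = DMZ) as an added example. It is not IPFire's code and not from anyone in the thread; all addresses, hosts and port sets are constructed (RFC 5737 documentation range for red, RFC 1918 for green and orange). It separates the three stages a connection passes: the port forward (DNAT) that tells the router where traffic for the red address belongs, the zone policy with explicit orange-to-green pinholes, and finally the destination host's own packet filter and listening services. That last stage is what produces the two different results seen above: a forwarded port with nothing bound behind it is "actively refused", while a port with no forward at all is silently dropped and times out.

```python
"""Toy model of IPFire-style zones showing that a port forward (DNAT) and
a firewall rule are separate stages. Added example; not IPFire's code.
All addresses and port sets below are constructed for illustration."""
from dataclasses import dataclass, field
import ipaddress

RED_IP = ipaddress.ip_address("203.0.113.10")          # constructed public (red) address
ZONES = {                                              # constructed internal subnets
    "green": ipaddress.ip_network("192.168.1.0/24"),
    "orange": ipaddress.ip_network("192.168.2.0/24"),
}


@dataclass
class Host:
    """A machine in a zone with its own local packet filter (like the basic
    iptables setup on the webserver) and the ports that actually have a service."""
    ip: str
    accept: frozenset          # ports the local firewall accepts
    listening: frozenset       # ports with a service bound

    def deliver(self, dport):
        if dport not in self.accept:
            return "drop"      # local DROP: the client sees a timeout
        if dport not in self.listening:
            return "refused"   # nothing bound: the kernel answers RST ("actively refused")
        return "accept"


@dataclass
class Firewall:
    hosts: dict                                          # ip -> Host
    port_forwards: dict = field(default_factory=dict)    # (proto, dport) -> (ip, port)
    pinholes: set = field(default_factory=set)           # (src_zone, dst_zone, proto, dport)
    # zone pairs allowed to talk freely; orange -> green is deliberately absent
    open_paths: frozenset = frozenset({("green", "red"), ("green", "orange"), ("orange", "red")})

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for name, net in ZONES.items():
            if addr in net:
                return name
        return "red"

    def handle(self, src, dst, dport, proto="tcp"):
        """Return (verdict, detail) for one connection attempt."""
        src_zone = self.zone_of(src)
        forwarded = False
        # Stage 1: PREROUTING / DNAT. Traffic aimed at the red address itself has
        # no real target until a port forward supplies one; without one it is dropped.
        if ipaddress.ip_address(dst) == RED_IP:
            target = self.port_forwards.get((proto, dport))
            if target is None:
                return "drop", f"no port forward for {proto}/{dport} on red (client sees timeout)"
            dst, dport = target
            forwarded = True   # the port forward rule itself is the permission to pass
        dst_zone = self.zone_of(dst)
        # Stage 2: FORWARD filter. Zone policy plus explicit pinholes.
        if not forwarded and (src_zone, dst_zone) not in self.open_paths \
                and (src_zone, dst_zone, proto, dport) not in self.pinholes:
            return "drop", f"{src_zone}->{dst_zone} {proto}/{dport} not permitted by zone policy"
        # Stage 3: the destination host's own filter and services.
        host = self.hosts.get(dst)
        if host is None:
            return "drop", f"no host at {dst}"
        return host.deliver(dport), f"{src_zone}->{dst_zone} {dst}:{dport}"


def build_lab():
    """Constructed lab: a DMZ webserver whose local filter accepts 21/22/80 but
    which only has 22 and 80 bound, plus a green domain controller."""
    web = Host("192.168.2.10", frozenset({21, 22, 80}), frozenset({22, 80}))
    dc = Host("192.168.1.5", frozenset({53, 88, 389, 445, 636}), frozenset({53, 88, 389, 445, 636}))
    fw = Firewall(hosts={web.ip: web, dc.ip: dc})
    fw.port_forwards[("tcp", 80)] = (web.ip, 80)
    fw.port_forwards[("tcp", 21)] = (web.ip, 21)
    # Pinholes: only the directory ports a DMZ mailserver would need, one direction only.
    fw.pinholes.add(("orange", "green", "tcp", 389))
    fw.pinholes.add(("orange", "green", "tcp", 636))
    return fw


def scenarios(fw):
    """Verdicts for the situations discussed in the thread."""
    return {
        "internet->red:80 (forwarded, httpd bound)": fw.handle("198.51.100.7", str(RED_IP), 80)[0],
        "internet->red:21 (forwarded, ftpd not running)": fw.handle("198.51.100.7", str(RED_IP), 21)[0],
        "internet->red:22 (no port forward)": fw.handle("198.51.100.7", str(RED_IP), 22)[0],
        "orange->green:389 (pinhole)": fw.handle("192.168.2.10", "192.168.1.5", 389)[0],
        "orange->green:445 (no pinhole)": fw.handle("192.168.2.10", "192.168.1.5", 445)[0],
        "green->orange:22 (open path)": fw.handle("192.168.1.20", "192.168.2.10", 22)[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios(build_lab()).items():
        print(f"{name:52s} {verdict}")
```

The pinhole set is the answer to the first post's worry: a compromised DMZ host can only reach the green ports that were opened for it, in one direction, and nothing else on the domain controller, which is a much smaller surface than a host sitting on green itself.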

houseofdreams
Posts: 67
Joined: January 18th, 2015, 3:35 pm

Re: Mailserver / Webserver in DMZ or not?

Post by houseofdreams » January 25th, 2015, 1:11 pm

aesis wrote:
houseofdreams wrote:When I remove the portforwaring, it gives the info

    No connection could be made because the target machine actively refused it xx.xx.xx.xx:21


The xx.xx.xx.xx is my outside world IP, the "error" it gives is because my FTP server isn't completely setup yet... If portforwarding does not make a difference, why do these 2 results differ? (I used MXToolbox port scan)

I do have a basic iptables firewall in place on the webserver that only accepts 21, 22 and 80 for now, all the rest gets dropped...

Port forwarding has nothing to do with the firewall. As the name DMZ says.

If you create a port forwarding to a single machine with a service running/listening on this port, you only tell ipfire how to react on requests from the internet to that specific port. If it does not know what to do with the request (no port forward defined) it just drops that request (it doesn't know the target but needs to know it, otherwise you will get in trouble if you have several services listening on this port in your LAN, or ipfire doesn't listen on that port itself), but if it knows the target machine (IP) it just forwards that request to the specified machine.


Ah ok... Learned something new today then :) thanks

aesis
Posts: 803
Joined: November 17th, 2012, 10:21 pm

Re: Mailserver / Webserver in DMZ or not?

Post by aesis » January 25th, 2015, 1:23 pm

Missing routes to your LAN(s) will always cause a drop of packets from the internet.

The DMZ makes sense. The firewall is usually used to restrict the access of clients in your LAN(s) to the internet, because people are working on them and might be a security risk (because of their insecure actions on the internet). A server is usually not used as a working machine of a human and just runs the services it's supposed to run.

houseofdreams
Posts: 67
Joined: January 18th, 2015, 3:35 pm

Re: Mailserver / Webserver in DMZ or not?

Post by houseofdreams » January 25th, 2015, 1:44 pm

Mmm.. I disabled the portforwarding rule port 80 to my webserver running in the DMZ. If I follow your reasoning, the webserver in the DMZ is fully accessible from the internet, so why can't I connect to the webserver anymore when this portforwarding is disabled?

I tested this with the website http://www.downforeveryoneorjustme.com/ . It says explicitly that my website is down, when no ports are forwarded...

Any ideas?

aesis
Posts: 803
Joined: November 17th, 2012, 10:21 pm

Re: Mailserver / Webserver in DMZ or not?

Post by aesis » January 25th, 2015, 2:16 pm

houseofdreams wrote:Mmm.. I disabled the portforwarding rule port 80 to my webserver running in the DMZ. If I follow your reasoning, the webserver in the DMZ is fully accessible from the internet, so why can't I connect to the webserver anymore when this portforwarding is disabled?

I tested this with the website http://www.downforeveryoneorjustme.com/ . It says explicitly that my website is down, when no ports are forwarded...

Any ideas?


I'm sorry but you still don't understand. Actually it seems like my English is too bad to explain it to you so you may realize the difference. Maybe someone else might explain the difference in a better way.

houseofdreams
Posts: 67
Joined: January 18th, 2015, 3:35 pm

Re: Mailserver / Webserver in DMZ or not?

Post by houseofdreams » January 25th, 2015, 2:35 pm

I've made some Visio diagrams.

The first one is a very simplistic way of how my network is setup.

[attachment: DMZ.jpg]


You say that the webserver in the DMZ has unrestricted access from the internet, so it bypasses the IPFire firewall completely. That's what I understand from your explanation, and that's how it used to work in my simple D-Link router before, so I get that point.

But.. I have the following rule enabled in my firewall

[attachment: rule.jpg]


Nothing special, just a portforward from "any" to the orange DMZ zone's webserver IP address. If I disable this rule, my webserver isn't accessible anymore from the internet. If what you say is true (or what I understand from it), enabling or disabling this rule should not make any difference, as you say the webserver isn't behind the firewall...

Maybe a third person should shed some light on this situation, yes :) I'm not saying you're wrong, I just ran basic tests to get to my conclusion... I hope someone clears this up :)

aesis
Posts: 803
Joined: November 17th, 2012, 10:21 pm

Re: Mailserver / Webserver in DMZ or not?

Post by aesis » January 25th, 2015, 2:40 pm

houseofdreams wrote:I've made some Visio diagrams.
You say that the webserver in the DMZ has unrestricted access from the internet,


No! Not from, but to the Internet.
houseofdreams wrote:so it bypasses the IPFire firewall completely, that's what I understand from your explanation, and that's how it used to work in my simple D-Link router before, so I get that point.


And that's not right. It just worked on your D-Link machine because you could use only a single machine in your DMZ. It seems like your D-Link machine forwarded every request from the Internet to that single machine in the DMZ.

houseofdreams
Posts: 67
Joined: January 18th, 2015, 3:35 pm

Re: Mailserver / Webserver in DMZ or not?

Post by houseofdreams » January 25th, 2015, 2:54 pm

I've searched on a website of a similar software based firewall (not going to name it here of course on the IPFire forum :) )

The setup is "identical" to my Visio above; the only difference is that I haven't added a switch in the DMZ network...

[attachment: image1.png]


I'm now copy /pasting the text that is next to this image on the website:

Given the instructions from the previous article, you should have a full installation of xxxxx running. The current focus remains two-fold: to get your server in the Orange (DMZ) segment of your xxxx Network and opening up the ports on your firewall to allow web traffic to it.

Notice the text in bold... That's what I'm trying to say? So why does a tutorial on another similar firewall solution say the same as me?

Again, I can be wrong, I'm absolutely no expert, but I'm a logical person...
