2

I am trying to configure a DMZ using IPCop but it looks like the default configuration for a DMZ in IPCop is no DHCP and no access to Internet.

Even when I manually configure IPCop as my default gateway and DNS resolver, it seems that there is no NAT configured from the DMZ to Internet (only the other way).

I am wondering about the pros and cons of having Internet access inside the DMZ.

Pros

  • I can easily run updates on the DMZ systems and even schedule automatic patching for security updates
  • It will be much easier to install an Ubuntu system by downloading only necessary packages than install from a CDROM

Cons

  • If compromised, machine can be used as part of a DDoS attack

Apart from the single argument of "if someone compromise my machine, it can be used to compromise someone else on Internet", I see no reason not to give access to Internet on my DMZ machines.

Is this a bad idea?

Vincent Robert
  • 194
  • 3
  • 13
  • Thanks for the answers so far. I understand that it is a general rule to not let free Internet access on a DMZ host. Can someone explain some security risks in this? – Vincent Robert Oct 17 '11 at 21:08

3 Answers3

2

I'm not an IPCop user but the general security theory is to provide limited outbound access from your DMZ to whatever specific sites and services your DMZ systems need.

In my case - my DMZ hosts a couple Linux servers and a couple Windows boxes - I provide outbound HTTP/S access to a short list of approved sites.

These included the windows update sites, a mirror for my CentOS boxes and the update server for my Windows based AV products. I figured these sites are safe enough to leave in an always on configuration.

Tim Brigham
  • 15,545
  • 10
  • 75
  • 115
2

It makes no sense at all to allow full unregulated access to the Internet from any machine in the DMZ, nor should it ever be required. You should be able to configure outbound access but you should do so only for what is required, such as the ports and destination addresses required for your updates. DHCP is not normally used in a DMZ, which is why it's not available.

It will be much easier to install an Ubuntu system by downloading only necessary packages than installer from a CDROM

The normal practice is to set up the machine on the internal network and move it to the DMZ when it's fully configured and ready to use.

John Gardeniers
  • 27,458
  • 12
  • 55
  • 109
0

It's probably a bad idea, but it entirely depends on what's an acceptable risk to you and your company (is your first argument an acceptable risk?).

It also depends on what other security you have in place. I generally tend to lock the DMZ down (well most of my networks) to only give access where and when needed. Others don't subscribe to the same policy. For instance, in the DMZ at my last location, I had rules in place on my firewall, giving outbound access to Windows updates and would only enable the rules when updating the servers. Afterward, they'd get turned off.

GregD
  • 8,713
  • 1
  • 24
  • 36