Sunday, 8 September 2013

Secure DMZ Infrastructure Management

Secure DMZ Infrastructure Management is a paper from the Meta Group. It's old, but it covers a favourite topic: securing the DMZ.

The paper is here: 

Unfortunately it's not very useful. It has all the right words in it, but why, for example, is FTP considered a minor topic, whilst SNMP polling from the inside to the DMZ servers is a risk? What exactly is the threat? A reverse attack on the SNMP management client, with a compromised DMZ server returning malformed responses to the poller, might be a possibility. I expect it's a reaction to this vulnerability announcement, which I remember caused a lot of heartache at the time: http://www.kb.cert.org/vuls/id/107186


The first proposed solution is to use a separate management network, ideally with a separate NIC in each server.

There's then Figure 5, which moves the management server onto its own secured network between two new firewalls. Good news for firewall vendors. I think this could help a little, if the server is only providing monitoring. But if the management server can control the servers on both the internal and the external network, this hasn't really helped at all: the management server is reachable from every DMZ host over the management LAN, and it holds the privileges the attacker wants. The attack could proceed:
  1. DMZ server is compromised. 
  2. Attacker uses management LAN connectivity and launches an attack on the management server. 
  3. Management server has privileged control over servers on the internal network. 
  4. Owned. 
With Figure 6 we are now back to the terrifying.  There's a management server inside the DMZ, only with a tunnel(!) back to the internal network.  He writes: "This forwarding is carried over a secure tunnel (e.g., VPN, secure socket) that is allowed passage by the firewall. No separate management network is required, and complex routing issues do not exist."

So there's perhaps a VPN between the DMZ and the internal central management server. The attack is only getting easier: the tunnel is a firewall-permitted path from a DMZ host to an internal server, and encrypting it changes nothing about who can send traffic down it. Encryption alone doesn't make for security.
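To make the argument of the Figure 5 attack steps and the Figure 6 tunnel concrete, here is a small attack-path model. It is an added example, not code from the paper or from this post, and the hosts, firewall rules and service behaviours in it are assumptions chosen to mirror the post's reading of the two figures, plus a monitoring-only alternative that does what the post says would actually help. The model treats every exposed protocol parser as exploitable (that is the lesson of VU#107186) and asks one question: starting from a compromised DMZ server, which hosts can the attacker go on to control?

```python
"""
Attack-path model for the management-network designs discussed in the post.

Added example, not from the Meta Group paper. Hosts, firewall rules and
service behaviours are assumptions chosen to mirror the post's reading of
Figures 5 and 6 and a monitoring-only alternative.
"""
from collections import defaultdict, deque

# How a service can be turned against the peer that speaks it.
#   fwd: a compromised initiator takes over the responder (admin credentials,
#        or a request parser on the responder that it can feed).
#   rev: a compromised responder takes over the initiator by returning
#        malicious data (the "reverse attack on the management client").
# Assumption: every exposed parser is treated as exploitable, so the design
# has to hold even when the management software has a bug.
SERVICES = {
    "ssh-admin":   {"fwd": "admin credential executes commands", "rev": None},
    "snmp-poll":   {"fwd": "agent parses GET requests",
                    "rev": "manager parses GET responses"},
    "snmp-trap":   {"fwd": "trap receiver parses the datagram", "rev": None},
    "syslog-push": {"fwd": "log collector parses the message", "rev": None},
    "vpn-forward": {"fwd": "central manager parses forwarded data",
                    "rev": "forwarding agent parses replies"},
}


def control_graph(rules):
    """rules: (initiator, responder, service) sessions the firewall permits.
    Returns {host: [(victim, how)]}: who a compromised host can take over."""
    graph = defaultdict(list)
    for initiator, responder, service in rules:
        threat = SERVICES[service]
        if threat["fwd"]:
            graph[initiator].append((responder, f"{service}: {threat['fwd']}"))
        if threat["rev"]:
            graph[responder].append((initiator, f"{service}: {threat['rev']}"))
    return graph


def attack_path(rules, start, target):
    """Shortest chain of compromises from start to target as a list of
    (host, how-it-was-reached) steps, or None if target cannot be controlled."""
    graph = control_graph(rules)
    seen = {start}
    queue = deque([[(start, "initial compromise")]])
    while queue:
        path = queue.popleft()
        host = path[-1][0]
        if host == target:
            return path
        for victim, how in graph[host]:
            if victim not in seen:
                seen.add(victim)
                queue.append(path + [(victim, how)])
    return None


# Figure 5 as the post reads it: one management server on its own segment
# between two firewalls, which both polls and administers every server.
FIGURE5 = [
    ("mgmt-server", "dmz-web", "ssh-admin"),
    ("mgmt-server", "internal-app", "ssh-admin"),
    ("mgmt-server", "dmz-web", "snmp-poll"),
    ("mgmt-server", "internal-app", "snmp-poll"),
]

# Figure 6 as the post reads it: a management server inside the DMZ that
# forwards over a tunnel to the central manager, which administers internal.
# The tunnel's encryption plays no part: it is simply a permitted session.
FIGURE6 = [
    ("dmz-mgmt", "dmz-web", "snmp-poll"),
    ("dmz-mgmt", "central-mgmt", "vpn-forward"),
    ("central-mgmt", "internal-app", "ssh-admin"),
]

# Monitoring-only alternative (assumed design): DMZ servers push traps to a
# collector that only relays logs inward, and the host holding admin
# credentials for the internal network is never a peer of anything in the DMZ.
MONITOR_ONLY = [
    ("dmz-web", "dmz-collector", "snmp-trap"),
    ("dmz-collector", "siem", "syslog-push"),
    ("internal-mgmt", "internal-app", "ssh-admin"),
]

if __name__ == "__main__":
    for name, rules in (("Figure 5", FIGURE5), ("Figure 6", FIGURE6),
                        ("monitoring-only", MONITOR_ONLY)):
        path = attack_path(rules, "dmz-web", "internal-app")
        print(f"{name}:", "no control path" if path is None else
              " -> ".join(f"{host} [{how}]" for host, how in path))
```

Run it and Figure 5 reproduces the four steps above in one line (dmz-web takes the manager through its poll responses, the manager's admin credentials take internal-app), Figure 6 adds the tunnel as one more hop, and only the monitoring-only layout reports no control path. The collector and SIEM are still reachable from the DMZ in that layout, so they remain attack surface and need hardening, but nothing they can reach holds privileges over the internal servers, which is the property the paper's designs lack.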

Bottom line - don't base your network security on this one.  The internet would be safer without it.

There's some slightly better analysis of the SNMP problem here:
http://www.tavve.com/wp-content/uploads/2011/05/trapping-from-dmz.pdf

