How to create a DMZ for web server?

Hello,
What are the practical steps needed to place a web server in a DMZ? Currently our web servers are using SNAT with the ports forwarded which I do not think is very safe.
Thanks

Comments

  • edited July 2020

    A DMZ is just a separation from your trusted LAN.
    Set up an Optional interface and move your server there - it will be a DMZ.
    You will still need SNATs to allow access to the server from the Internet, wherever it is.
    Why do you fell that the SNAT access is not secure?

    Best practice for a DMZ is that devices on trusted can access devices in a DMZ but devices in a DMZ can't access devices devices on trusted. While this often can not be fully implemented, it is best to limit as much as possible the DMZ to Trusted access.

  • Is there any reference or tutorial for the specific rules to do this?

  • The rules/policies are likely unique to each site - those which need to allow access from a specific DMZ device to resources on a trusted interface.

    By default, devices on one routed interface can't be accessed from a different routed interface without a policy allowing it.

    Define the DMZ interface as Optional or perhaps Custom.

    See the "Interface Types" section, here:
    About Network Modes and Interfaces
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/net_setup_about_c.html

    Configure a Custom Interface
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/interface_custom_c.html

    Configure Static NAT (SNAT)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_static_config_about_c.html?Highlight=snat

    Here is an example using WSM Policy Manager. Currently there are no similar examples using the Web UI.
    Set Up a Public Web Server Behind a Firebox — Configuration Example
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/configuration_examples/snat_web_server_config_example.html

  • Thanks, got it.
    I previously had a shared SMB file between my local main windows machine and a Linux public web server, so i could easily trade and backup files.
    I would just mount the remote SMB file on windows on the Linux machine.
    Now I have them on separated network segments, the Linux web server on a DMZ (optional) port segment.
    I still want to be able to share files - for example to put some previous server backed up files from my windows host to the DMZ Linux server - is there any typical or recommended way to setup such a shared resource?
    One option would be to enable both to access some cloud files - but i haven't yet explored how to do that on Linux (yet), so wondered if there was an easy (safe) way to do something similar locally.

  • A SMB transfer from a device on Trusted to a device on optional does not violate the best practice concept for a DMZ.

    The default Outgoing policy would allow this.

    If the Outgoing policy has been disabled/removed, add a SMB packet filter From: Any-trusted or the IP addr(s) of devices which should be able to do transfers To: the IP addr of the DMZ device.

  • Many thanks, will try it!

  • Hmm,
    the way it worked was that on Windows I just share the folder; no network action needed, just permissions. Then on Linux I do a remote mount. So it would seem like the Linux (DMZ) mount would have to initiate a connection to the windows (trusted) machine?

  • Share a folder on the Linux machine, mount it on your Windows PC, and copy something to the shared folder from your Windows PC.

  • VERY related question:
    We have a PC in the DMZ (SNATed from outside).
    INTERNALLY, we have a policy that allows ONLY two PC's to talk and only one one port. DMZPC --> InternalPC (Trusted) : SpecificPort.
    This works well.
    HOWEVER - the DMZ PC also has a 2nd NIC. That is ON our internal (Trusted) network. Basically, so we can administer the PC from internally. Is this a huge hole in security with internal NIC on "OfficeNetworkIP's" and the NIC which is the SNATed NIC (own IP block) from outside?

    ie: Is it easy to hack from "external NIC" to "Internal NIC" on the same DMZ PC? Or am I breaking the DMZ?

  • Note: We would ONLY RDP from internal to the DMZ PC. So, maybe we simply create a 2nd policy that allows Trusted --> DMZ PC : RDP port (whatever that port is)?

  • You are breaking the DMZ since there is a 2nd path to the DMZ which does not go through the firewall.

    Best to not have the 2nd NIC connected and add a policy to allow access to the DMZ via the firewall, as in your proposal.

Sign In to comment.