During assessment reviews, one of the common architectural design flaws I still see quite a lot of is the absence of a network DMZ. The Titanic had 16 watertight compartments and it still sank. We wouldn't even think of building something as important as a large cruise ship today with a single compartment, and yet I run into corporate networks that do exactly that: corporate networks with one security zone.

Whether it is a port-redirect NAT (VIP in Juniper Networks terms) or a one-to-one address NAT (MIP in Juniper Networks terms), the effect is the same: a single public port or a single public address is forwarded to a single target server in the internal network. At first glance this seems innocent; after all, access is only being explicitly given to a single resource, so what can be the harm in that? The problem is that a flow has now been allowed from the Untrust (Internet) zone into the Trust (internal) zone. If that server can be breached through a vulnerability, a brute-forced password or simply a misconfiguration, it can be used as a beachhead to attack and gain access to other systems in the network. This is referred to as a leapfrog (or pivot) attack: access is obtained to an externally reachable system, which is then used to leapfrog to systems that are not externally accessible but are reachable from the breached host. Since the breached server sits in the internal network, with no firewall policy separating it from the other devices there, it can do this relatively unhindered; the only thing standing in the way is whatever endpoint protection happens to be in place on every single system in the entire network. Telnet, RDP, HTTP, SSH and other management protocols can all be used to reach other internal systems from the beachhead.
Now let's take a look at a better design using a DMZ (literally a demilitarized zone). In this case we place exposed public assets in a separate security zone from the internal network. Consider anything in the DMZ a sacrificial system. We then strictly control access with the following session flows (anything not listed is denied by the zone policy's default-deny rule):
Allow Untrust (Internet) to DMZ
Allow Trust (internal network) to Untrust (Internet)
Possibly allow Trust to DMZ (optional restrictions)
Note what is missing from that list: there is no DMZ to Trust flow. That is exactly what protects us from breached servers in the DMZ. A leapfrog attack still works within a zone, but it cannot be used to cross zones where access is denied, so a compromised DMZ host has no path to the internal network. This is the fundamental benefit of compartmentalizing access with security zones and policies.
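To make the difference concrete, the following is an added example (not code from the original post, and not any vendor's policy syntax) that models zone-based, default-deny firewall policy and then computes the worst-case leapfrog reach of an Internet attacker under the two designs. The hostnames (web1, db1, ad1, pc1) and the topology are constructed for illustration. The model assumes the worst case for a DMZ: every host the attacker can open a session to is treated as breachable, and each breached host becomes a new pivot in its own zone.

```python
from collections import deque

# Constructed example topology (hostnames are illustrative, not from the post).
# Zone "untrust" is the Internet, "trust" is the internal network and "dmz"
# holds the sacrificial public server.
FLAT_ZONES = {"web1": "trust", "db1": "trust", "ad1": "trust", "pc1": "trust"}
DMZ_ZONES = {"web1": "dmz", "db1": "trust", "ad1": "trust", "pc1": "trust"}

# A policy is a list of (from_zone, to_zone, allowed_destination_hosts) rules.
# allowed_destination_hosts=None means "any host in to_zone".
# Anything not matched by a rule is denied: zone firewalls default-deny
# between zones.
FLAT_POLICY = [
    ("untrust", "trust", {"web1"}),   # the VIP/MIP: one public port or address to web1
    ("trust", "untrust", None),       # internal users browsing out
]
DMZ_POLICY = [
    ("untrust", "dmz", {"web1"}),     # Allow Untrust to DMZ
    ("trust", "untrust", None),       # Allow Trust to Untrust
    ("trust", "dmz", None),           # Optional: Trust to DMZ
    # Deliberately no ("dmz", "trust", ...) rule.
]


def session_allowed(policy, src_zone, dst_zone, dst_host):
    """Decide whether a new session from src_zone to dst_host (in dst_zone) is permitted."""
    if src_zone == dst_zone:
        # Same zone: the traffic never crosses the firewall, so only endpoint
        # protection on dst_host stands in the way.
        return True
    for from_zone, to_zone, hosts in policy:
        if from_zone == src_zone and to_zone == dst_zone:
            if hosts is None or dst_host in hosts:
                return True
    return False  # default deny between zones


def leapfrog_reach(policy, zones, start_zone="untrust"):
    """Worst-case leapfrog model.

    Every host the attacker can open a session to is assumed breached, and each
    breached host becomes a pivot point in its own zone. Because the policy only
    depends on the source zone, it is enough to walk zones breadth-first.
    Returns the set of breached hostnames.
    """
    breached = set()
    pivot_zones = deque([start_zone])
    seen_zones = {start_zone}
    while pivot_zones:
        src_zone = pivot_zones.popleft()
        for host, zone in zones.items():
            if host not in breached and session_allowed(policy, src_zone, zone, host):
                breached.add(host)
                if zone not in seen_zones:
                    seen_zones.add(zone)
                    pivot_zones.append(zone)
    return breached


if __name__ == "__main__":
    print("flat network, attacker starts on the Internet:",
          sorted(leapfrog_reach(FLAT_POLICY, FLAT_ZONES)))
    print("DMZ design, attacker starts on the Internet:",
          sorted(leapfrog_reach(DMZ_POLICY, DMZ_ZONES)))
    print("can a breached DMZ host reach db1?",
          session_allowed(DMZ_POLICY, "dmz", "trust", "db1"))
```

In the flat design the single NAT rule lets the attacker onto web1, and from there every other host is in the same zone and reachable without touching a policy; the model reports all four hosts breached. In the DMZ design the same NAT rule still gives up web1 (it is sacrificial by design), but the absence of a dmz-to-trust rule stops the walk there. The model also shows why the "optional" Trust to DMZ rule is worth restricting: it is a path in only one direction, but any service it exposes to the DMZ is something a compromised web1 could abuse from the other side.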
With zone-based firewalls and multiple physical ports, this is a very easy and highly recommended design change. I recommend multiple DMZs (for example, one per exposed service tier) and additional segmentation of the internal network between users and servers. The key concept is containment: limit the exposure created by a threat that gets into your network by maximizing segmentation and zoning, so that a breach in one zone stays in that zone. Even the smallest Palo Alto Networks firewall (the PA-500) has 8 ports on it, so port count is rarely the constraint. When combined with threat inspection for detecting viruses, spyware and other malware on the flows you do allow, this becomes a very powerful security gateway.