Re: Compromising a host with pf enabled?

To: <misc@...>
Date: Wednesday, November 21, 2007 - 9:30 pm

Clint Pachl wrote:

The best security setup is the simplest one, where you can look at your 
pf configuration and understand every line very well, as can any 
other admin who may need to work with it. That's how you avoid mistakes.

I am not a fan of multiple DMZs by any means, especially when traffic needs 
to go across these different DMZs. Every time someone does that, over 
time you end up having holes in it as it gets complicated, and 
sometimes an admin will take a shortcut because of an issue that cropped up 
one day, fix it dirty and quickly, and never go back to look at it, and then 
your DMZ ends up as swiss cheese before you know it.

My own preferred setup is your firewall at the edge of your network 
facing the Internet, obviously, one DMZ, and the LAN.

Then each server that runs services in the DMZ (in my case, anyway, there 
is only one service per server) runs OpenBSD and PF. Couldn't be 
simpler, and when it is time to upgrade to the next 
release, that's pretty quick as well, and there isn't any excuse of "well 
guys, you don't understand, I can't upgrade, I need to still run 3.5 
because of this or that reason, and my setup is too complicated, etc." 
Then you are always at the latest release, you follow the releases and 
keep all your servers up to date, and because it's one service per 
server, it's pretty quick and painless to upgrade.

Then each server, as I said, runs PF, but also, in every setup, don't only 
block incoming traffic; do it right and block the outgoing traffic as well. 
Again, many will say it's too complicated to do, so they don't do it, 
but I would say that if that's too complicated to understand, then you 
have no clue what you are doing, and sure don't understand your traffic, 
and have no security policy either in that case.

Just a simple example to illustrate this. You wrote that you have a web 
server. I don't know, maybe you also run PHP on it. Let's say you have 
an intern who is in charge of the web server's PHP 
upgrades for the summer. Let's say that he doesn't really write good code, but it does 
work, so everyone is happy, but there are plenty of holes created by not 
checking the values passed to the various scripts.

Then you have a bad guy going and trying to compromise your network via 
simple PHP code injection, via one unchecked variable in your PHP 
code, and that obviously runs the script, and what that does is call a URL 
on another server on the net, inject that on your box, and then you 
end up compromised. So, what was all your setup used for? Nothing, and it 
didn't protect you much.

But if your PF configuration on your web server only allows traffic 
coming from port 80 and going to other ports > 1023, as an example, and 
actually blocks any traffic coming from you to any other device on port 
80, then you have blocked that compromise and you can see it in your logs.

You know your server only allows incoming on 80 and replies to these (DNS 
as well, etc., but you use your own server as well, so you secure that 
already the same way), then you make your setup secure, with a proper 
setup, and very simple to maintain as well.

The best security setup is to know what is supposed to come in and also 
what is supposed to go out, and you allow only these.

Now if you do a simple setup with one service per box, and on top of your 
main firewall you have PF on that box and every other DMZ server, you 
are going to have very peaceful nights and plenty of sleep!

Hope this helps, but if you sit back and just think about it, you will 
see that you don't need to read for days on end to find the best setup, or 
what works for you.

Instead of studying all the documents on the Internet about security 
setups, study your network, what it needs and what traffic is 
supposed to be on it, and make it so. You will learn a lot doing so, and 
even as a side effect, if you also block outgoing traffic and you 
log all connections trying to go to port 25 that are not to your own 
servers, you will find all your compromised Windows workstations as well 
in the process, very quickly, etc. Or all the visitors to your network 
with their laptops that bring viruses with them, etc., and don't even know it.

Checking incoming traffic logs is important, yes, but other than blocking 
access to these bad guys, there isn't much you can do.

However, blocking outgoing traffic and also checking these logs is way 
more important, and then you are proactive in your security and will fix 
issues way before they create damage on your LAN.

My setup sends emails to the support team when these happen, so I tell 
you that it doesn't take long after a visitor plugs his/her laptop with a 
virus into the LAN before it gets detected, and then he/she gets his/her head 
beaten up for not being responsible, and the issue is taken care of very quickly!

After a few months of doing so, it becomes so easy and second nature, 
and then even your co-workers start to make jokes about visitors' 
compromised laptops, and you don't even need to say anything; they will do 
it for you! (;> Because they know and have learned.

After a while, it is contagious and everyone gets educated in the process.

Hope this helps you some.

Best,

Daniel
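The ruleset below is an added example, not from Daniel's post or from the OpenBSD project, showing the single-service DMZ web server he describes: the common "filter inbound, trust outbound" ruleset commented out beside a default-deny-both-ways ruleset that only lets the box answer on port 80, reach its own resolvers and MX, and logs any attempt by the host itself to open a connection to port 80/443 elsewhere (what a remote-include payload fetch looks like) or to port 25 anywhere but the site's own mail server. The interface name, addresses and the resolver/MX hosts are assumptions for illustration; pre-4.7 pf syntax is used to match the era of the thread.

```pf
# /etc/pf.conf for a one-service web server in the DMZ (added example; all
# addresses, the interface and the resolver/MX hosts are assumptions).
ext_if      = "em0"
dns_servers = "{ 192.0.2.53, 192.0.2.54 }"   # assumed: your own resolvers
mail_server = "192.0.2.25"                   # assumed: your own MX

set skip on lo0
set block-policy drop

# --- Weak version (what many boxes actually run) ------------------------
# Inbound is filtered, outbound is trusted. A PHP script that does
# include($_GET['page']) happily fetches http://attacker/shell.txt over 80.
#   block in all
#   pass in  on $ext_if proto tcp from any to ($ext_if) port 80 keep state
#   pass out all keep state

# --- Hardened version: default deny in both directions, logged ----------
block in  log all
block out log all

# Make the interesting egress attempts stand out as their own rule numbers
# in pflog, so they can be alerted on separately from generic noise.
# The web server has no business opening a connection to any web server.
block out log quick on $ext_if proto tcp from ($ext_if) to any port { 80, 443 }
# The only SMTP destination this box may talk to is our own MX.
block out log quick on $ext_if proto tcp from ($ext_if) to ! $mail_server port 25

# The one service this box exists for; state handles the replies to >1023.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA keep state

# The only outbound traffic the box legitimately needs.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to $dns_servers port 53 keep state
pass out on $ext_if proto tcp from ($ext_if) to $mail_server port 25 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`; `tcpdump -n -e -ttt -i pflog0` will show the `block out` hits with their rule numbers while you confirm nothing the box actually needs has been cut off. The `quick` blocks sit before the `pass out` rules only so they get distinct rule numbers; the default `block out log all` would drop the same packets anyway.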
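The detection Daniel describes, logging outbound port-25 attempts that do not go to your own mail servers and mailing the support team, can be driven straight from pflog. This added example (not from the post or from OpenBSD) parses lines in the shape `tcpdump -n -e -ttt -r /var/log/pflog` prints and reports each internal source that tried SMTP to a host other than the site's own MX. The sample lines are constructed for the example, the exact pflog text format is approximated from memory, and the MX address is an assumption.

```python
import re
from collections import defaultdict

# Assumption: this is the site's own MX; SMTP to it is legitimate.
OWN_MAIL_SERVERS = {"192.0.2.25"}

# One line of `tcpdump -n -e -ttt -r /var/log/pflog` output, approximately:
# "<delta> rule N/(match) block out on em1: SRC.SPORT > DST.DPORT: S ..."
# The timestamp prefix is ignored; we need rule, action, direction, endpoints.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\S*\(match\) (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_pflog_line(line):
    """Return a dict of the interesting fields, or None if the line is not a pflog record."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def find_rogue_smtp(lines, own_mail=OWN_MAIL_SERVERS):
    """Map each source IP to the sorted list of non-MX hosts it was blocked from reaching on 25."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        # Only blocked, outbound, SMTP, and not to our own mail server(s).
        if rec["action"] != "block" or rec["dir"] != "out" or rec["dport"] != 25:
            continue
        if rec["dst"] in own_mail:
            continue
        hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


# Constructed sample: 10.0.0.57 behaves like a spambot, 10.0.0.12 mails via
# the real MX, 10.0.0.88 trips the port-80 egress rule (not SMTP), and one
# inbound scan is present to show it is ignored.
SAMPLE_PFLOG = """\
000000 rule 2/(match) block out on em1: 10.0.0.57.1041 > 198.51.100.7.25: S 3124:3124(0) win 65535 <mss 1460>
000014 rule 2/(match) block out on em1: 10.0.0.57.1042 > 203.0.113.9.25: S 3125:3125(0) win 65535 <mss 1460>
000220 rule 5/(match) pass out on em1: 10.0.0.12.49201 > 192.0.2.25.25: S 9981:9981(0) win 16384 <mss 1460>
000003 rule 2/(match) block out on em1: 10.0.0.57.1043 > 198.51.100.7.25: S 3126:3126(0) win 65535 <mss 1460>
000110 rule 0/(match) block in on em0: 192.0.2.200.4444 > 10.0.0.12.22: S 1:1(0) win 512
000050 rule 1/(match) block out on em1: 10.0.0.88.2201 > 198.51.100.30.80: S 77:77(0) win 65535
"""


def report(text=SAMPLE_PFLOG):
    """Build the human-readable lines you would put in the mail to the support team."""
    rogue = find_rogue_smtp(text.splitlines())
    return [
        f"{src} tried SMTP to {len(dsts)} external host(s): {', '.join(dsts)}"
        for src, dsts in sorted(rogue.items())
    ]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Feed it real data with `tcpdump -n -e -ttt -r /var/log/pflog port 25 | python3 rogue_smtp.py` (reading stdin instead of the sample is a one-line change) and pipe the output into `mail`; repeated hits from a workstation that is not your MX are exactly the visitor-laptop case the post describes.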

Messages in current thread:
Compromising a host with pf enabled?, Clint Pachl, (Mon Nov 19, 10:01 pm)
Re: Compromising a host with pf enabled?, Chris Zakelj, (Mon Nov 19, 10:37 pm)
Re: Compromising a host with pf enabled?, Clint Pachl, (Tue Nov 20, 1:53 am)
Re: Compromising a host with pf enabled?, Darren Spruell, (Wed Nov 21, 11:09 am)
Re: Compromising a host with pf enabled?, Clint Pachl, (Wed Nov 21, 4:54 pm)
Re: Compromising a host with pf enabled?, Daniel Ouellet, (Wed Nov 21, 9:30 pm)
Re: Compromising a host with pf enabled?, Luca Corti, (Tue Nov 20, 7:29 pm)
Re: Compromising a host with pf enabled?, Greg Thomas, (Tue Nov 20, 12:13 am)
Re: Compromising a host with pf enabled?, Chris Zakelj, (Tue Nov 20, 12:29 am)
Re: Compromising a host with pf enabled?, Clint Pachl, (Tue Nov 20, 1:57 am)