Routing

  • 1.  Route issue for server with two NICs.

    Posted 02-23-2011 08:22

    Hi,

    I have a server with two NICs that are both connected in a different zone on our SSG firewall. The first zone is our trusted back-end, the second zone is our DMZ front-end. This system is connected on a Windows domain and also serves a public website. The server can only have one gateway as per Microsoft advice. This gateway is assigned to the trusted NIC.

     

    The issue we have is that when we try to reach the server from the internet it fails to connect. When I ping it, I see ICMP requests coming in, but they are not returned. When I switch the gateway to the untrusted network, the ICMP requests are returned correctly on the internet, but at that moment all local internet traffic from the server goes out over the untrusted gateway, which is not allowed and should be routed via the trusted side.

     

    How can I solve this?

     

    Please review the schema attached to this post. We prefer to use the trusted network as gateway. Trusted or front-end is green, back-end or untrusted DMZ is red.



  • 2.  RE: Route issue for server with two NICs.

    Posted 02-23-2011 13:32

    Set the Windows 0/0 route pointing to the DMZ front-end.

     

    Set persistent static routes on Windows that point internal networks back towards the trust.

     

    My suggestion would be to get rid of the two-NIC design and use the SRX to enforce security and IP services such as NAT.  A good example would be to create a network for the web server and place it in a DMZ-WEB zone, then create policies for management (from trust to DMZ-WEB) and then create NAT policies between untrust and DMZ-WEB.



  • 3.  RE: Route issue for server with two NICs.

    Posted 02-23-2011 15:15

    I have tried it with one NIC, but this is a pain to configure. Let's assume that the red network is the DMZ and the green the management LAN. Active Directory is in the management LAN. This server serves content for the internet as its main goal, so it should be in the DMZ, but it should also be able to authenticate users in Active Directory to authenticate on the secure website. Also we don't want internet traffic going out over the DMZ connection. It should go via the trusted side, but how do you configure this, as internet traffic is not defined as a network?



  • 4.  RE: Route issue for server with two NICs.
    Best Answer

    Posted 02-23-2011 15:36

    It isn't a pain to configure at all.  All of the policy is contained and controlled on the SRX.  You just need to have a L2 switch between the host and SRX that speaks 802.1q so that you can scale the solution beyond one host.

     

    If you require two NICs per host - one for management - another for the DMZ - you're putting all the routing policy and control in a Windows server.  In my opinion this is much more of a pain to manage and scale.

     

    Using a single NIC you can break out the policies to what makes sense for you.  For example assuming the Windows server is in the WEB-DMZ zone:

     

    from-zone trust to-zone WEB-DMZ
        allow all
    from-zone untrust to-zone WEB-DMZ
        allow [ http https ]
    from-zone WEB-DMZ to-zone trust
        allow [ ping dns etc etc etc ]


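    The single-NIC WEB-DMZ design from the best answer written out as Junos set commands for an SRX, as an added example that is not part of the thread. Interface ge-0/0/2.0, the 10.20.0.0/24 and 10.10.0.0/28 ranges, the web server and AD/DNS addresses, the public VIP 203.0.113.10 and the policy, pool and address-book names are all assumed for illustration.

```junos
## Added example, not from this thread. Assumed: ge-0/0/2.0 carries the
## WEB-DMZ VLAN (10.20.0.0/24), web server 10.20.0.10, AD/DNS servers in
## trust at 10.10.0.0/28, public VIP 203.0.113.10 on untrust ge-0/0/0.0.
set security zones security-zone WEB-DMZ interfaces ge-0/0/2.0
set security zones security-zone WEB-DMZ address-book address web-srv 10.20.0.10/32
set security zones security-zone trust address-book address ad-servers 10.10.0.0/28

## trust -> WEB-DMZ: management, "allow all"; log sessions for the audit trail
set security policies from-zone trust to-zone WEB-DMZ policy mgmt-to-web match source-address any
set security policies from-zone trust to-zone WEB-DMZ policy mgmt-to-web match destination-address any
set security policies from-zone trust to-zone WEB-DMZ policy mgmt-to-web match application any
set security policies from-zone trust to-zone WEB-DMZ policy mgmt-to-web then permit
set security policies from-zone trust to-zone WEB-DMZ policy mgmt-to-web then log session-close

## untrust -> WEB-DMZ: only http/https, and only to the web server
## (destination-address is matched after destination NAT, so the inside address is used)
set security policies from-zone untrust to-zone WEB-DMZ policy inet-to-web match source-address any
set security policies from-zone untrust to-zone WEB-DMZ policy inet-to-web match destination-address web-srv
set security policies from-zone untrust to-zone WEB-DMZ policy inet-to-web match application [ junos-http junos-https ]
set security policies from-zone untrust to-zone WEB-DMZ policy inet-to-web then permit

## WEB-DMZ -> trust: only what the server needs toward AD/DNS; the "etc" in
## the post is whatever your AD authentication actually uses, added here
set security policies from-zone WEB-DMZ to-zone trust policy web-to-ad match source-address web-srv
set security policies from-zone WEB-DMZ to-zone trust policy web-to-ad match destination-address ad-servers
set security policies from-zone WEB-DMZ to-zone trust policy web-to-ad match application [ junos-ping junos-dns-udp junos-dns-tcp ]
set security policies from-zone WEB-DMZ to-zone trust policy web-to-ad then permit

## Anything not matched above is dropped
set security policies default-policy deny-all

## Destination NAT so the public VIP lands on the web server (the NAT between
## untrust and the DMZ that the second reply mentions); proxy-arp is needed
## only when the VIP is not the untrust interface's own address
set security nat destination pool web-pool address 10.20.0.10/32
set security nat destination rule-set inet-to-dmz from zone untrust
set security nat destination rule-set inet-to-dmz rule web-vip match destination-address 203.0.113.10/32
set security nat destination rule-set inet-to-dmz rule web-vip then destination-nat pool web-pool
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32
```

    With this layout the Windows server keeps a single NIC and a single default gateway (the SRX address on the WEB-DMZ VLAN), so the return-path problem from the original post does not arise.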

  • 5.  RE: Route issue for server with two NICs.

    Posted 02-23-2011 16:32

    This is really a question about how Windows Server multiple-NIC networking operates.

     

    Since this is a public access web server you will have to make some firewall changes for the server to work at all if the default gateway is set to your trust network.  The way Windows works is that there can only be one default gateway assigned to one of the server NICs.  This is where all traffic will be sent destined to any IP address that is not directly on the subnet of another NIC or manually created with the route command.

     

    So what happens is that your firewall forwards the public IP traffic to your web server on the DMZ NIC.  But your server then responds out the trust NIC.  This response then gets NATed on the firewall trust to untrust zone and appears back to your requester as coming from a completely different address and port.

     

    If you want to stick with this setup, you will need to source NAT the inbound web server traffic to the same subnet as the DMZ zone so that the Windows server will respond out the same interface.

     

    The simpler solution is the first one Doug suggested.  Put the default route on the DMZ and create any additional static routes you need out the trust NIC for additional segments.  This allows you to have the two direct connections with the minimum of external configuration.

     

    Yes, setting up a fully protected and segmented DMZ is more difficult.  But there are really good reasons to not have a direct NIC to the trust zone from a DMZ server at all and control the access needed with policies.

     

    • Should the web server become compromised, the hacker will not have full access to the trust zone but only the limited ports opened for server-to-server communications
    • You can create a rule set that only allows the server to initiate communication on the needed ports to other servers but not the rest of your network.
    • Your computer-to-DMZ rules will only allow computers to use the web site services but not allow hackers to enter the trust network from the DMZ
    • Your mgmt-to-DMZ rules only allow traffic in this direction and do not provide access ports for hackers on compromised servers

    As a matter of policy, all of the companies I have worked at in the last 10 years do not allow web browsing from server platforms as a security precaution.  Especially in today's current environment of drive-by web compromises we are better safe than sorry.  So all web browsing and research is done on workstations with downloaded files transferred to the server of implementation.  The only direct web access is for Windows updates or direct copy links for installed programs if the downloads are really large.



  • 6.  RE: Route issue for server with two NICs.

    Posted 02-23-2011 23:42

    Hello,

     

    Thank you for your help. You have both convinced me to skip using the dual-NIC setup. I will go for the DMZ / Trust zone solution. Windows is not the right platform to do routing, especially not when we have a device dedicated to do this, our Juniper firewalls.

     

    Thanks again!