Deploying Dual NIC Servers in the DMZ




Recently I was faced with the challenge of deploying a server with dual Network Interface Cards (NICs) in the DMZ (demilitarized zone). My existing DMZ was designed for servers with a single NIC, and that configuration would have made deploying a dual-NIC server difficult, so I knew I would have to redesign the DMZ from the ground up to support dual-NIC systems.

I started by researching how other organizations deploy servers with this type of setup, and during that research I came across this design from SANS.org. The article says you can use one or two firewalls, with a strong recommendation to use two firewalls from different vendors. Two firewalls would be cost prohibitive, and the fact that I only have one firewall made my choice clear: my design had to use a single firewall and still support servers with dual NICs.

I started by creating two DMZs on my ASA, each with a different subnet and a different level of trust (security level). Once both DMZs existed I needed to test them with a server, and that turned out to be easier than I first thought: I placed one NIC of the server in DMZ1 and the other NIC in DMZ2. The next thing to test was the firewall rules for the two DMZs. While creating the rules for the first server I realized this design lets me keep my firewall rules really strict, and strict firewall rules are what you want in a DMZ; after all, it is the security barrier between the internet and the internal network. Below I have diagrammed my design and included my Cisco ASA config.





[Diagram: dual-NIC server with one NIC in DMZ1 and the other in DMZ2, both behind the single ASA]

Configuration for devices in the diagram

ASA config

interface GigabitEthernet0/0
 description Outside
 nameif Outside
 ip address <public ip address> <mask>
 security-level 0
!
interface GigabitEthernet0/1
 description Inside
 nameif inside
 ip address 10.0.0.xxx 255.255.255.0
 security-level 100
!
interface GigabitEthernet0/2
 description DMZ1
 nameif DMZ1
 ip address 192.168.1.1 255.255.255.0
 security-level 30
!
interface GigabitEthernet0/3
 description DMZ2
 nameif DMZ2
 ip address 192.168.2.1 255.255.255.0
 security-level 40


!!! The access-list must exist before it is applied with access-group.
access-list Outside_IN remark ***Allow https traffic to webserver***
access-list Outside_IN extended permit tcp any4 host 192.168.1.xxx eq 443
access-list Outside_IN extended deny ip any any
access-group Outside_IN in interface Outside

!!! I am blocking all traffic initiated from this zone because the return traffic
!!! for connections from the internet is allowed by default (stateful inspection).
!!! (UDP traffic the DMZ server initiates itself will need egress rules.)
access-list DMZ1_IN remark ***DENY all traffic from DMZ1***
access-list DMZ1_IN extended deny ip any any
access-group DMZ1_IN in interface DMZ1

access-list DMZ2_IN remark ***Allow the webserver to connect to internal server***
access-list DMZ2_IN extended permit tcp host 192.168.2.xxx host 10.0.0.xxx eq <port number>
access-list DMZ2_IN extended deny ip any any
access-group DMZ2_IN in interface DMZ2




Notes: I don't need to allow return traffic from DMZ1 to the internet; the stateful firewall allows it by default. The other thing to note is that I have no ACL configured on the inside interface, because I want traffic to flow from the inside to any less secure zone.

Server Config

     NIC 1 (DMZ1)
           IP:   192.168.1.xxx
           Mask: 255.255.255.0
           GW:   192.168.1.1
     NIC 2 (DMZ2)
           IP:   192.168.2.xxx
           Mask: 255.255.255.0
           GW:   <not set>
     Static route to the internal subnet via the DMZ2 gateway
       (the destination is the 10.0.0.0/24 network, not the individual internal host)
       Windows: route add 10.0.0.0 mask 255.255.255.0 192.168.2.1 -p
       Linux:   ip route add 10.0.0.0/24 via 192.168.2.1 dev <nic2>   [not persistent]

NOTE: Please see the documentation for your Linux distro to make the route persistent.
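To check that the ACLs and the server's static route really produce the flows described in this post, here is a small policy model written for this page; it is an added example, not the post's configuration and not a Cisco tool. It models the two ASA behaviours the design relies on (first-match inbound ACLs with an implicit deny, and the security-level rule for an interface with no ACL) together with the dual-NIC server's routing table, so the intended paths and the blocked ones can be tested side by side. The "xxx" hosts, the 5061 value for the post's <port number>, and the 203.0.113.x internet addresses are constructed sample values; NAT and same-security-level traffic are out of scope.

```python
"""Flow-policy model for the single-ASA, two-DMZ design in this post (added example,
not the post's configuration or a Cisco tool). It models first-match inbound ACLs
with an implicit deny, the security-level rule for interfaces without an ACL, and
the dual-NIC server's routing table. NAT is out of scope."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SECURITY_LEVEL = {"Outside": 0, "inside": 100, "DMZ1": 30, "DMZ2": 40}
SUBNETS = {"inside": ipaddress.ip_network("10.0.0.0/24"),
           "DMZ1": ipaddress.ip_network("192.168.1.0/24"),
           "DMZ2": ipaddress.ip_network("192.168.2.0/24")}
# Constructed sample hosts standing in for the post's "xxx" placeholders.
WEB_NIC1 = "192.168.1.10"      # server NIC facing DMZ1
WEB_NIC2 = "192.168.2.10"      # server NIC facing DMZ2
INTERNAL_SRV = "10.0.0.20"
INTERNAL_PORT = 5061           # assumed value for the post's <port number>

def covers(pattern: str, ip: str) -> bool:
    """True if an ACL address pattern ("any", a host, or a CIDR) contains ip."""
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: str                     # "any", a host address, or a CIDR
    dst: str
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if not (covers(self.src, src) and covers(self.dst, dst)):
            return False
        return self.dport is None or self.dport == dport

# Inbound ACLs transcribed from the post; "inside" deliberately has none.
ACLS = {
    "Outside": [Rule("permit", "tcp", "any", WEB_NIC1, 443), Rule("deny", "ip", "any", "any")],
    "DMZ1": [Rule("deny", "ip", "any", "any")],
    "DMZ2": [Rule("permit", "tcp", WEB_NIC2, INTERNAL_SRV, INTERNAL_PORT),
             Rule("deny", "ip", "any", "any")],
}

def interface_for(ip: str) -> str:
    """Map an address to the ASA interface whose subnet contains it."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SUBNETS.items() if addr in net), "Outside")

def evaluate(proto: str, src: str, dst: str, dport: int, acls=ACLS) -> str:
    """Verdict for the first packet of a new connection entering the ASA."""
    in_if, out_if = interface_for(src), interface_for(dst)
    if in_if in acls:  # ACL applied: first match wins, implicit deny at the end
        for rule in acls[in_if]:
            if rule.matches(proto, src, dst, dport):
                return rule.action
        return "deny"
    # No ACL: traffic is allowed only from a higher security level to a lower one.
    return "permit" if SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if] else "deny"

def with_rule(acls, iface: str, rule: Rule):
    """Copy of the ACL set with `rule` inserted ahead of iface's final deny."""
    new = {k: list(v) for k, v in acls.items()}
    new[iface].insert(len(new[iface]) - 1, rule)
    return new

# Server routing table from the post: default via NIC1's gateway, no gateway on
# NIC2, and the static route that steers the internal subnet out of NIC2.
SERVER_ROUTES = [("0.0.0.0/0", "192.168.1.1", WEB_NIC1),
                 ("192.168.1.0/24", None, WEB_NIC1),        # connected
                 ("192.168.2.0/24", None, WEB_NIC2),        # connected
                 ("10.0.0.0/24", "192.168.2.1", WEB_NIC2)]  # the static route

def server_egress(dst: str, routes=SERVER_ROUTES):
    """Longest-prefix match: (next hop, or None if on-link; source NIC address)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(c), gw, nic) for c, gw, nic in routes
            if addr in ipaddress.ip_network(c)]
    _, gw, nic = max(hits, key=lambda r: r[0].prefixlen)
    return gw, nic

def server_initiated(proto: str, dst: str, dport: int, routes=SERVER_ROUTES, acls=ACLS) -> str:
    """Verdict for a connection the server opens itself: the NIC the routing table
    picks supplies the source address, which decides which DMZ ACL is consulted."""
    _, src = server_egress(dst, routes)
    return evaluate(proto, src, dst, dport, acls)

if __name__ == "__main__":
    print("internet -> web:443 ", evaluate("tcp", "203.0.113.5", WEB_NIC1, 443))
    print("DMZ1 -> inside      ", evaluate("tcp", WEB_NIC1, INTERNAL_SRV, INTERNAL_PORT))
    print("DMZ2 -> inside      ", evaluate("tcp", WEB_NIC2, INTERNAL_SRV, INTERNAL_PORT))
    no_static = [r for r in SERVER_ROUTES if r[0] != "10.0.0.0/24"]
    print("server -> inside without the static route:",
          server_initiated("tcp", INTERNAL_SRV, INTERNAL_PORT, routes=no_static))
```

The `server_initiated` check is the interesting one: without the static route the server would source the connection to the internal host from its DMZ1 NIC, and the DMZ1_IN deny-all would drop it, which is why the post says the design requires static routes on the server. `with_rule` shows where a UDP egress rule has to go (ahead of the final deny) for something like DNS that the server initiates itself.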


I designed this DMZ with some clear rules in mind: internet users reach the server through DMZ1, and DMZ servers reach internal resources through DMZ2. DMZ1 is blocked from internal access and DMZ2 is blocked from internet access. I have tested this configuration with a couple of servers (Cisco Expressway-E and Microsoft Lync Edge servers, to name a few) and everything worked without any issues. This configuration does require static routes on the servers in the DMZ, but it also makes it easy to lock down the firewall rules. Let me know what you think.




           
  

   

  
