Router and DMZ Best Practices

An Institute for Applied Network Security member recently e-mailed and asked me:
What are the best practices for securing your Internet router and also securing your servers on a DMZ?
These are my suggestions:
  1. Lock down administration of the router so that you can only administer it via SSH, and only from inside network.
  2. Know what your servers do.
  3. Based on #2, limit what kinds of packets can come from the Internet to your DMZ-based servers. E.g., e-mail servers should only receive e-mail-related packets (SMTP, TLS perhaps, POP3 if you allow retrievals from the Internet, etc.), web servers, web traffic (HTTP, SSL, TLS, etc.).
  4. Limit what kinds of packets can come from the DMZ-based servers to the Internet. It’s a web server… it should not originate SMTP. It should not originate anything to the Internet. It should not have any TELNET packets coming out of it to the Internet, etc.
  5. Configure your firewall to likewise be unforgiving about what comes out of the servers on the DMZ destined for the inside network.
Also, see my January 4, 2002 column Basic IP Router Security.

No comments: