Summary: I've tested one home firewall appliance (that claims to offer "DMZ" functionality) that doesn't offer the security that a (traditionally-defined) DMZ should. In fact, using the feature results in less security.

Scope: This has been tested on an SMC Barricade (SMC7004ABR). Similar products in SMC's product line are probably also affected, as well as home firewall appliances made by other manufacturers.

Background: As many of us know, hosts in a DMZ should *not* be able to initiate connections to LAN hosts. The whole point of having a DMZ is to prevent LAN hosts from also being compromised should a DMZ host be compromised (through the services it exposes to the internet, like web or ftp).

But when I set one of my LAN hosts to be the "virtual DMZ host" in the Barricade, that host can still connect in any usual way (i.e. ping, ssh, etc.) to the other LAN hosts. In other words, the "virtual DMZ host" is still part of the LAN, not "quarantined" somehow in a little network of its own.

SMC has offered me a different definition of a DMZ; it basically goes like this: when you want to use network software that doesn't use standard ports (like ICQ file transfers), it's convenient to be able to back off all the firewall rules for a given host, so all ports are available. You'll notice this definition results in less security, not more. According to SMC, this definition is the norm used by virtually all other home firewall appliance manufacturers; apparently this makes it OK.

I spoke with a customer feedback person at SMC and explained all this to him; I've given him a week to respond. If I can't get SMC to change the DMZ functionality to be more secure (with a new firmware upgrade), at least I can warn people who were misled, like myself.
Possible solutions: For those of us stuck with one of these appliances who want a secure DMZ: don't use the DMZ feature on the Barricade; instead, add firewalling rules on all LAN boxes to protect them from the DMZ host. Although cumbersome, this should approximate the functionality of a DMZ. Or get a different firewall.

At the very least, SMC should stop using the term "DMZ"; a more appropriate term would be "LAN Host With No Firewall Rules". Or maybe two new terms, "convenience-DMZ" (as defined by companies like SMC) and "security-DMZ" (as defined by the computer security community), should be defined.

It would be great if a few home firewall appliances were verified (on BugTraq) as having a properly-working DMZ, so those concerned about security can make an informed purchase.

--
Dustin Harriman
Systems Administrator
Analog Design Automation Inc
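The per-host firewalling workaround described above, as an added example that is not from the original post or from SMC: a POSIX shell function that emits an nftables ruleset for one LAN host so the "virtual DMZ host" cannot open connections to it while the LAN host can still reach the DMZ host's services. nftables is assumed as the host firewall and the LAN interface name and addresses are constructed; a LAN host of the Barricade's era would express the same rules with ipchains or iptables.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a host firewall
# ruleset for a LAN box that must be protected from the "virtual DMZ host".
# Assumed/constructed values: LAN interface eth0, DMZ host 192.168.2.50.

# dmz_host_rules DMZ_IP [LAN_IFACE]
# Prints an nftables ruleset that:
#   - accepts loopback and replies to flows this host started (so it can
#     still use the DMZ host's web/ftp services);
#   - logs and drops every new flow the DMZ host initiates, which covers
#     ssh, ping (ICMP echo is tracked by conntrack) and anything else.
dmz_host_rules() {
    dmz_ip=$1
    lan_if=${2:-eth0}
    cat <<EOF
table inet languard {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "lo" accept
        ct state established,related accept
        iifname "$lan_if" ip saddr $dmz_ip ct state new log prefix "dmz-host-blocked: " drop
    }
}
EOF
}

# dmz_host_rules_apply DMZ_IP [LAN_IFACE]
# Loads the generated ruleset into the kernel; needs root and the nft tool.
dmz_host_rules_apply() {
    dmz_host_rules "$1" "$2" | nft -f -
}

# Usage on each LAN host (run as root): dmz_host_rules_apply 192.168.2.50 eth0
# Dropped attempts then show up in the kernel log with the dmz-host-blocked: prefix.
```

Run dmz_host_rules on its own first to review the ruleset before applying it; the log prefix gives a simple detection signal that the DMZ host is trying to reach the LAN.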