In this third installment of my “Security Basics” posts, let’s look at demilitarized zones (DMZs). Industrial Defender field personnel report that many of the industrial networks we see are configured with a DMZ, and occasionally with more than one. A DMZ is really just a specific kind of network segment, and the trend in industrial networking is towards increased segmentation of our networks. With modern hardware, multiple DMZs are very affordable, and when done right, can add additional layers of protection to a defense-in-depth strategy.
How does it work?
A demilitarized zone is a network subnet where you host servers and applications that must connect directly to equipment on a less trusted network. Good examples of such applications are process historians and web servers which serve inventory levels, production status or other high-level information to users on an enterprise network.
Years ago, common wisdom dictated the use of a single DMZ network segment. Modern advice from NIST 800-53, NIST 800-82 and the ISA SP-99 standards recommends multiple DMZ segments, with each segment containing servers at the same level of sensitivity or exposure. You might worry about the cost of multiple DMZs, but in practice, modern firewalls come with so many ports that a “one host per DMZ” configuration is straightforward and affordable at many sites.
There are two common designs for demilitarized zones, illustrated in the diagrams accompanying this post:
[Diagram: DMZs using one firewall]
- Some sites connect each DMZ segment to an unused port on their existing plant / enterprise firewall and configure the firewall accordingly, or
- Some sites prefer to use a pair of firewalls with the DMZ networks between the two firewalls.
The “firewalls” in the diagrams are labeled as “Firewall / UTM” devices. UTM stands for “Unified Threat Manager,” the name security vendors like to give equipment with deep packet inspection, in-line anti-virus, IPS, anti-spam, web filtering and many other features. Of course everyone else still calls this equipment a “firewall,” but we all know that today’s “firewall” does a great deal more than the gear we called a “firewall” as little as ten years ago.
[Diagram: DMZs using two firewalls]
In practice, we see single-firewall DMZs most frequently – they are cheaper than two-firewall configurations, they are easier to set up and easier to manage. In theory, though, the two-firewall configurations are more secure, especially if the two firewalls are from two different vendors. This way, if an intruder gets hold of a zero-day vulnerability in one vendor’s firewall, he does not have free rein in the trusted network – the intruder must still compromise either the other firewall, or an application via one of the allowed connections. This theory is fine, but as I said, most customers we see use a single firewall. Most sites are still spending firewall-sized chunks of money on mitigations that each address a myriad of threats. Spending money on a second firewall to deal with one very specific and not-very-frequent threat does not make business sense.
Modern Advice for DMZ Networks
Whichever approach you choose though, modern advice for DMZ network segments is along these lines:
- Minimize the variety of equipment in each DMZ segment. All of the equipment on a segment should host information of the same sensitivity, and serve it to the same sort of users.
- Minimize who has access to equipment in each DMZ.
- Minimize communications between network segments. Make aggressive use of both ingress filtering and egress filtering, and of deep packet inspection technology like intrusion prevention and anti-virus.
- Aggressively harden all computing and networking equipment in DMZ segments.
- Monitor the DMZs – traffic on those very specific network segments and program behavior on those very specific hosts should be extremely predictable.
The good news is that as a rule, you still benefit from increased security even if you cannot follow all of this advice – the closer you come to it, the better off you are.
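The advice above is easiest to see as a concrete firewall policy. The following is an added example, not code from the original post or from Industrial Defender: it models a single-firewall design with one kind of server per DMZ segment, a default-deny rule set with per-host source restrictions (“minimize who has access”), inspection flags on every allowed flow, and a checker that flags rule sets which break the segmentation advice. The zone names, addresses, ports and rules are constructed assumptions.

```python
"""Policy model for a single-firewall DMZ design with default deny.

Added example, not from the original post: zone names, ports, host
addresses and the rule set are constructed to illustrate the advice.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"
    src_hosts: Optional[FrozenSet[str]] = None   # None = any host in src_zone
    inspect: FrozenSet[str] = frozenset()        # UTM features applied: "ips", "av", ...


# Trust level per zone (higher = more trusted). Both DMZ segments sit between
# enterprise and control; each DMZ holds one kind of server.
TRUST = {"enterprise": 0, "dmz_web": 1, "dmz_historian": 1, "control": 2}

# Everything not matched by a rule is denied (default deny).
RULES: List[Rule] = [
    # Any enterprise workstation may read the plant web server, IPS and AV inline
    Rule("enterprise", "dmz_web", 80, inspect=frozenset({"ips", "av"})),
    # Only two analyst workstations may reach the historian's HTTPS interface
    Rule("enterprise", "dmz_historian", 443,
         src_hosts=frozenset({"10.1.0.15", "10.1.0.16"}),
         inspect=frozenset({"ips"})),
    # The control network pushes data to the historian (constructed port 5000);
    # nothing in a DMZ ever initiates a connection into the control network
    Rule("control", "dmz_historian", 5000, inspect=frozenset({"ips"})),
]


def find_rule(rules, src_zone, src_host, dst_zone, dst_port, proto="tcp"):
    """First rule permitting the flow, or None (which means: denied)."""
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_port, r.proto) != (src_zone, dst_zone, dst_port, proto):
            continue
        if r.src_hosts is not None and src_host not in r.src_hosts:
            continue
        return r
    return None


def is_allowed(rules, src_zone, src_host, dst_zone, dst_port, proto="tcp"):
    return find_rule(rules, src_zone, src_host, dst_zone, dst_port, proto) is not None


def check_invariants(rules) -> List[str]:
    """Return policy violations; an empty list means the rule set follows the advice."""
    problems = []
    for r in rules:
        where = f"{r.src_zone}->{r.dst_zone}:{r.dst_port}/{r.proto}"
        # 1. No flow skips a trust level: enterprise traffic terminates in a DMZ
        if abs(TRUST[r.src_zone] - TRUST[r.dst_zone]) > 1:
            problems.append(f"{where}: skips a trust level (no DMZ hop)")
        # 2. A DMZ host never initiates into the control network
        if r.src_zone.startswith("dmz") and r.dst_zone == "control":
            problems.append(f"{where}: DMZ host initiates into control")
        # 3. DMZ segments are isolated from each other
        if r.src_zone.startswith("dmz") and r.dst_zone.startswith("dmz"):
            problems.append(f"{where}: DMZ-to-DMZ flow")
        # 4. Egress filtering: control talks only to DMZ segments, never to enterprise
        if r.src_zone == "control" and r.dst_zone == "enterprise":
            problems.append(f"{where}: control egress straight to enterprise")
        # 5. Every allowed flow gets inline intrusion prevention
        if "ips" not in r.inspect:
            problems.append(f"{where}: no IPS inspection")
    return problems


if __name__ == "__main__":
    print("policy problems:", check_invariants(RULES) or "none")
    print("workstation -> web server:",
          is_allowed(RULES, "enterprise", "10.1.0.50", "dmz_web", 80))
    print("workstation -> historian:",
          is_allowed(RULES, "enterprise", "10.1.0.50", "dmz_historian", 443))
    print("web server -> control PLC:",
          is_allowed(RULES, "dmz_web", "10.2.0.10", "control", 502))
```

Running the checker against a rule set that adds a direct enterprise-to-control allow reports both the skipped trust level and the missing inspection, which is the kind of review you want before a rule reaches the production firewall.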
Why does it work?
Let’s look at each of these pieces of advice to understand why they work.
“Minimize the variety of hosts on a DMZ segment”
This advice is the reason for multiple DMZ segments at all. If a host on a DMZ becomes compromised, all of the other hosts on that segment are at greater risk. If there is only one host on that segment, you are in better shape than if there are many other hosts. Furthermore, a service like a web server that is accessible to a large fraction of the population on the enterprise network is open to attack from those users and from whatever malware their workstations might harbor. It makes sense to have such a very vulnerable system on a different network from something like a historian server, which has only a handful of authorized users.
“Minimize who has access”
This advice is similar. You might think that you could simply open up to the entire enterprise network a web server hosting non-sensitive information. In fact, every extra user or workstation you allow to connect to the web server increases the risk that it will be compromised. Even non-sensitive data should be shared minimally, in order to minimize the number of users or workstations that can attack the server holding that non-sensitive data.
“Minimize communications between network segments”
This piece of advice is common wisdom for all network segmentation. Even connections initiated by trusted equipment out to less trusted networks and equipment should be minimized – this is what so-called egress filtering enforces. Modern malware is not “pushed” from one compromised machine to another; it is rather “pulled” over a connection initiated by a trusted machine to a compromised machine. In addition, for those communications you must allow, don’t forget to enable all of the appropriate packet inspection capabilities of the firewall / UTM equipment. For example, enable inline intrusion prevention for most protocols, and enable anti-virus protection on any transports the UTM supports – usually HTTP and FTP, and sometimes even HTTPS and SFTP, depending on the UTM.
“Aggressively harden all equipment in DMZ segments”
This is perhaps the most foreign advice for industrial users. Often safety certifications and other restrictions make it extremely expensive to harden control system gear with the latest firmware, patches, anti-virus, anti-spyware and other modern intrusion prevention measures and configurations. However, the gear you put on a DMZ segment should not be critical to the operation of the physical process. Such critical devices should never communicate directly with an untrusted network. Equipment on a DMZ should be managed the way you manage any server on the enterprise network – with all modern protections installed, updated and enabled.
“Monitor your DMZ segments”
This is only common sense. Think fire safety. So you’ve made most of your house out of fire resistant materials – do you still invest in a smoke alarm? Do you still go check things out when the smoke alarm goes off? In the world of security there is no silver bullet – for every defense there is an offense. The role of network segmentation and demilitarized zones is to make compromise of a trusted network harder. The role of these approaches is to slow down intruders to the point where network and host intrusion detection measures can identify anomalous behaviors and raise an alarm.
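Because traffic on a well-built DMZ segment is so predictable, monitoring it can be as simple as comparing every logged flow against the short list of flows that are supposed to exist. The following is an added example, not code from the original post or from Industrial Defender: it parses constructed firewall log lines, maps addresses to zones, and raises an alert for any flow touching a DMZ that is not in the baseline, calling out separately the case of a DMZ host initiating an outbound connection, since a server in a DMZ should never start a connection on its own. The zone subnets, the baseline, the log format and the log lines are all constructed assumptions.

```python
"""Flow-baseline monitor for DMZ segments.

Added example, not from the original post: the zone address ranges, the
baseline flows, the log line format and the sample log are all constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed zone layout: one subnet per DMZ segment
ZONE_NETS = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz_web": ipaddress.ip_network("10.2.0.0/24"),
    "dmz_historian": ipaddress.ip_network("10.3.0.0/24"),
    "control": ipaddress.ip_network("10.4.0.0/16"),
}

# Expected flows touching a DMZ: (src_zone, dst_zone, dst_port, proto) -> allowed
# source hosts ("*" = any host in src_zone). Nothing else should ever appear.
BASELINE: Dict[Tuple[str, str, int, str], set] = {
    ("enterprise", "dmz_web", 80, "tcp"): {"*"},
    ("enterprise", "dmz_historian", 443, "tcp"): {"10.1.0.15", "10.1.0.16"},
    ("control", "dmz_historian", 5000, "tcp"): {"*"},
}

# Constructed firewall log format
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample log: three expected flows followed by four that should alert
SAMPLE_LOG = [
    "2024-03-01T10:00:01 src=10.1.0.50 dst=10.2.0.10 dport=80 proto=tcp action=allow",
    "2024-03-01T10:00:02 src=10.1.0.15 dst=10.3.0.10 dport=443 proto=tcp action=allow",
    "2024-03-01T10:00:03 src=10.4.1.7 dst=10.3.0.10 dport=5000 proto=tcp action=allow",
    "2024-03-01T10:00:04 src=10.2.0.10 dst=10.4.1.7 dport=502 proto=tcp action=deny",
    "2024-03-01T10:00:05 src=10.1.0.77 dst=10.3.0.10 dport=22 proto=tcp action=deny",
    "2024-03-01T10:00:06 src=10.2.0.10 dst=10.1.0.50 dport=4444 proto=tcp action=deny",
    "2024-03-01T10:00:07 src=10.1.0.77 dst=10.3.0.10 dport=443 proto=tcp action=allow",
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETS.items():
        if addr in net:
            return name
    return "unknown"


def classify(line: str):
    """Return (verdict, reason, fields); verdict is "baseline", "alert" or "skip"."""
    m = LOG_RE.match(line)
    if not m:
        return "skip", "unparseable line", {}
    f = m.groupdict()
    f["src_zone"], f["dst_zone"] = zone_of(f["src"]), zone_of(f["dst"])
    if not (f["src_zone"].startswith("dmz") or f["dst_zone"].startswith("dmz")):
        return "skip", "flow does not touch a DMZ", f
    key = (f["src_zone"], f["dst_zone"], int(f["dport"]), f["proto"])
    allowed = BASELINE.get(key)
    if allowed is None:
        # A DMZ server starting its own connection is the classic sign of compromise
        if f["src_zone"].startswith("dmz"):
            return "alert", f"{f['src']} in {f['src_zone']} initiated an outbound connection", f
        return "alert", f"no baseline flow {key}", f
    if "*" not in allowed and f["src"] not in allowed:
        return "alert", f"{f['src']} is not an authorized source for {key}", f
    return "baseline", "", f


def analyze(lines: List[str]):
    """Return (alerts, counts): alerts as tuples, counts of baseline flows per key."""
    alerts = []
    seen = Counter()
    for line in lines:
        verdict, reason, f = classify(line)
        if verdict == "alert":
            alerts.append((f["ts"], f["src"], f["dst"], int(f["dport"]), f["action"], reason))
        elif verdict == "baseline":
            seen[(f["src_zone"], f["dst_zone"], int(f["dport"]))] += 1
    return alerts, seen


if __name__ == "__main__":
    alerts, seen = analyze(SAMPLE_LOG)
    for key, n in seen.items():
        print("baseline", key, "x", n)
    for a in alerts:
        print("ALERT", *a)
```

Note that the monitor alerts on denied attempts as well as on allowed flows: a denied connection attempt from a DMZ host toward the control network is exactly the smoke the alarm exists to detect, even though the firewall already blocked it.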
Properly configured DMZ network segments reduce the “attack surface” – the number of points of attack – for your trusted network. DMZ segments do this by reducing the number of accessible ports, by hardening the hosts in the DMZ to which enterprise computers and especially enterprise workstations have direct access, and by forcing intruders through an extra step of host compromise before they reach the trusted network. The more you are able to force intruders into the DMZ before reaching the trusted network, and the harder you make it to compromise equipment in the DMZ, and the more diligently you monitor DMZ traffic and hosts for anomalies – the better you protect your control networks.