Bouchelle, Michael

DMZ Development & Deployment

Michael P. Bouchelle

Project Advisor: Dr. Mark Boyd

Friday December 6, 2002


Kearfott Guidance & Navigation Corp. is a multinational designer and manufacturer of guidance and navigational components and systems. Offices and manufacturing facilities are located throughout the United States, in Matamoros, Mexico, and in Bnei Brak, Israel. Kearfott products are used in commercial, military and space exploration applications. Because the majority of Kearfott's business involves the military, the company is required to adhere to export restrictions concerning items deemed sensitive. These "sensitive items" include but are not limited to design drawings, customer specifications, material, sub-systems, piece parts, electronic data, etc.

The Kearfott computing facilities located in North and South America are connected via a Wide Area Network (WAN). Previously, there was very little protection between the networks in the U.S. and Mexico. This lack of protection could have enabled the "free flow" of data out of the U.S. in violation of the aforementioned export restrictions. The author's goal was to provide a mechanism with which to better control and monitor the flow of data to Kearfott's sister facility in Mexico.

The construction of Kearfott's DMZ entailed setting up a variety of servers. Each server was built on a common underlying scheme consisting of a stripped-down Linux installation, PortSentry for intrusion detection/blocking, and OpenSSL and OpenSSH for encrypted remote communication/administration. The kernel and the security-enhancing applications mentioned above were built from source code in order to enable the appropriate features while omitting unneeded ones, and to optimize the resulting executables for the hardware on which they run. The services provided include but are not limited to Domain Name Service (ISC BIND), email (Sendmail), Dynamic Host Configuration Protocol (ISC DHCP), Lightweight Directory Access Protocol (LDAP), and a caching web proxy (Squid).

For the sake of brevity, only DNS will be covered in the presentation, as it provides the core functionality of the DMZ. Version 9 of ISC BIND introduced the "view" option, which provides alternate views of a declared namespace. Because the Kearfott facility in Asheville provides DNS services for the Mexico facility, it was necessary to use no less than three views. These views are: "internal", which provides IP address to name mapping for the Asheville facility and is visible only to that facility; "matamoros", which provides IP address to name mapping for, and is visible only to, the Mexico facility; and "external", which provides IP address to name mapping for machines deemed "safe for exposure to the corporate WAN" and, in the future, the Internet at large. Each of these views shares a common domain name; however, depending on one's physical location, different sets of hosts are visible/accessible.
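The following named.conf fragment is an added illustration of the three-view arrangement described above; it is not Kearfott's actual configuration. The domain name example.com, the address ranges assigned to the Asheville and Matamoros networks, and the zone file names are assumptions chosen for the example.

```conf
// Added example (not Kearfott's configuration): one domain name, three views.
// example.com, the address ranges and the zone file paths are assumed values.

acl "asheville-net" { 192.0.2.0/24; };      // assumed: Asheville facility LAN
acl "matamoros-net" { 198.51.100.0/24; };   // assumed: Matamoros facility LAN

options {
    directory "/var/named";
    recursion no;               // default for any view that does not override it
    allow-transfer { none; };   // no zone transfers unless a view re-enables them
};

// With views in use, every zone must be declared inside a view; BIND 9 rejects
// a global zone alongside view statements. Views are tried in order and the
// first match-clients hit wins, so the catch-all "external" view comes last.

// Visible only from the Asheville facility.
view "internal" {
    match-clients { asheville-net; };
    recursion yes;                          // local hosts may use it as a resolver
    allow-recursion { asheville-net; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // full set of Asheville hosts
    };
};

// Visible only from the Matamoros facility; same domain name, different data.
view "matamoros" {
    match-clients { matamoros-net; };
    recursion yes;
    allow-recursion { matamoros-net; };
    zone "example.com" {
        type master;
        file "matamoros/example.com.zone";  // only the hosts Matamoros should see
    };
};

// Everyone else (corporate WAN, later the Internet) sees only the hosts
// deemed safe for exposure, and gets no recursion.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};
```

Two points a practitioner should check when deploying this pattern: the view selection rests entirely on the client's source address, so it is only as trustworthy as the anti-spoofing filters at the border between the networks, and the zone files behind the restricted views should never be reachable by transfer from the wrong side, which is why `allow-transfer { none; }` is set globally. After editing, `named-checkconf` catches syntax and ordering mistakes, and querying the same name with `dig` from a host on each network is the quickest way to confirm that each view answers with the intended data and nothing more.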