Re: regarding Cisco Pix, DMZ and NAT combination
There are many thoughts as to what is right and wrong, and at the end of
the day it is all about making it as hard as possible if a system is
1. Only allow the ports you need from outside to the DMZ, e.g. HTTP, SSL; obvious
2. NAT comms from the DMZ host to the inside network only, not entire
Restrict what access the DMZ host has to the inside network and from
inside to the DMZ server.
3. Only add routes to the hosts that the DMZ hosts need to access
inside, not the entire network; this only works if your internal hosts
are on a different subnet to what your inside interface is on.
4. Most important, make sure all your hosts are up to date with
What happens when your web server becomes compromised and the attacker
is then sitting on the host with access to the network? He can then get
into your inside network on the ports you allow from the DMZ to inside. In
this case changing your IPs to internal address space does not do
The way I have set up similar environments has been as a three tier
network, "funding is a problem at times, I know"
------------------------------------ firewall 1
|shared infrastructure no static routes
------------------------------ firewall 2
I hope this helps
firstname.lastname@example.org (Trond Hindenes) wrote in message news:<email@example.com. com>...
> Hi, I really appreciate your comments. Couple of things I would like
> to clarify though; comments in line
> > What is the need for the web server to be a member of the domain. I'll stand
> > corrected if necessary, but in my view a web server should have minimal
> > connectivity to internal network, and definitely not a member of internal
> > domain. Once the server is compromised you lose everything.
> Yes, I understand this. We use domain addmounting on our web servers,
> so they need to be domain members. We only use SSL (port 80 is never
> open) and RSA SecurID tokens, so I feel fairly comfortable with our
> web server security although I see your point, of course.
> > Your idea of a virtual DMZ I think is not, although it might make you feel
> > better calling it that :-)
> > You are just doing NAT translation to an internal device. The address you
> > use is irrelevant. I think you're saying that anyway though so you probably
> > know the implications of this.
> Humbly Agreed :-)
> The term virtual DMZ is just that in my opinion; an internal block of
> addresses that look like they belong to a DMZ.
> > I can't see anything stopping you isolating your web server in the DMZ now.
> > The addressing seems irrelevant. I may be missing something.
> The problem, as I see it, is that for it to work as it stands now, I
> would have to use NAT between the DMZ and LAN, thus giving each web
> server in the DMZ two addresses, one "real" and one internal address. As I
> see it, this would confuse my internal DNS, but I may be wrong. Will
> look into it.
> > You can leave your existing address on the outside of the Pix, and just use
> > your block of 16 for NAT - you probably know that anyway.
> Could you clarify this a little? I'm not sure I quite follow.
> > You can have this anyway. You may have to use alias to access the web
> > servers from the inside using DNS resolved addresses if you have private
> > addressing on the DMZ.
> > You can do this anyway, but should minimise it.