Velocity Reviews - Computer Hardware Reviews


Re: regarding Cisco Pix, DMZ and NAT combination

Michael Hatzis

There are many thoughts on what is right and wrong, and at the end of
the day it is all about making it as hard as possible if a system is

1. Only allow the ports you need from outside to the DMZ, e.g. HTTP, SSL; obvious.
2. NAT comms from the DMZ host to the inside network only, not the entire network.
Restrict what access the DMZ host has to the inside network and from
inside to the DMZ server.
3. Only add routes to the hosts that the DMZ hosts need to access
inside, not the entire network. This only works if your internal hosts
are on a different subnet to the one your inside interface is on.
4. Most important, make sure all your hosts are up to date with
security patches.

What happens when your web server becomes compromised and the attacker
is then sitting on the host with access to the network, so he can get
into your inside network on the ports you allow from DMZ to inside? In
this case changing your IPs to internal address space does not do
very much.

The way I have set up similar environments has been as a three-tier
network ("funding is a problem at times, I know"):

inside |
------------------------------------ firewall 1
|shared infrastructure no static routes
------------------------------ firewall 2

I hope this helps

Mike

(E-Mail Removed) (Trond Hindenes) wrote in message news:<(E-Mail Removed).com>...
> Hi, I really appreciate your comments. Couple of things I would like
> to clarify though; comments inline
> > What is the need for the web server to be a member of the domain? I'll stand
> > corrected if necessary, but in my view a web server should have minimal
> > connectivity to the internal network, and definitely not be a member of the internal
> > domain. Once the server is compromised you lose everything.

> Yes, I understand this. We use domain addmounting on our web servers,
> so they need to be domain members. We only use SSL (port 80 is never
> open) and RSA SecurID tokens, so I feel fairly comfortable with our
> web server security, although I see your point, of course.
> > Your idea of a virtual DMZ I think is not, although it might make you feel
> > better calling it that
> > You are just doing NAT translation to an internal device. The address you
> > use is irrelevant. I think you're saying that anyway though so you probably
> > know the implications of this.

> Humbly agreed.
> The term virtual DMZ is just that in my opinion; an internal block of
> addresses that look like they belong to a DMZ.
> > I can't see anything stopping you isolating your web server in the DMZ now.
> > The addressing seems irrelevant. I may be missing something.

> The problem, as I see it, is that for it to work as it stands now, I
> would have to use NAT between the DMZ and LAN, thus giving each web
> server in the DMZ two addresses, one "real" and one internal address. As I
> see it, this would confuse my internal DNS, but I may be wrong. Will
> look into it.
> > You can leave your existing address on the outside of the Pix, and just use
> > your block of 16 for NAT - you probably know that anyway.
> >

> Could you clarify this a little? I'm not sure I quite follow.
> > You can have this anyway. You may have to use alias to access the web
> > servers from the inside using DNS resolved addresses if you have private
> > addressing on the DMZ.

> Yup.
> > You can do this anyway, but should minimise it.

> Yup

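An added example of points 1 and 2 from Mike's list, not configuration taken from the thread: a PIX 6.x fragment using constructed addresses (203.0.113.0/28 outside, 10.0.0.0/24 inside, 192.168.10.0/24 DMZ) and assumed host roles (a web server in the DMZ at 192.168.10.10, a database on the inside at 10.0.0.20, an admin workstation at 10.0.0.50).

```cisco
! Interfaces; all addresses below are constructed for this example
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.240
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! Point 1: outside may reach the web server on 443 only. Every other
! inbound port is dropped by the implicit deny at the end of the list.
static (dmz,outside) 203.0.113.5 192.168.10.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.5 eq 443
access-group outside_in in interface outside

! Point 2 (DMZ -> inside): the web server may reach one inside host on one
! port. The rest of 10.0.0.0/24 is denied before the DMZ is allowed out to
! the Internet, so a compromised web server cannot roam the inside network.
static (inside,dmz) 10.0.0.20 10.0.0.20 netmask 255.255.255.255
access-list dmz_in permit tcp host 192.168.10.10 host 10.0.0.20 eq 1433
access-list dmz_in deny ip any 10.0.0.0 255.255.255.0
access-list dmz_in permit tcp any any eq 80
access-list dmz_in permit tcp any any eq 443
access-group dmz_in in interface dmz

! Point 2 (inside -> DMZ): only the admin workstation may manage the web
! server; other inside hosts get no path into the DMZ at all. The final
! permit keeps ordinary inside -> outside traffic working.
access-list inside_in permit tcp host 10.0.0.50 host 192.168.10.10 eq 22
access-list inside_in deny ip any 192.168.10.0 255.255.255.0
access-list inside_in permit ip any any
access-group inside_in in interface inside

! Outbound PAT for inside and DMZ hosts behind the outside address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
```

The identity static from inside to dmz is what lets the DMZ host initiate to 10.0.0.20 without exposing any other inside address; everything else on the inside stays unreachable from the DMZ regardless of whether it is addressed with public or private space, which is the point Mike makes in the paragraph about a compromised web server.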