PIX ASA : Need to setup a server in a DMZ such that

Discussion in 'Cisco' started by barret bonden, Mar 26, 2010.

  1. Need to set up a web server in a DMZ such that
    1) computers on the INSIDE interface can, on a Microsoft LAN, browse to and
    copy files FROM the server in the DMZ to themselves in the inside
    2) If the server in the DMZ is hacked it will prevent attack on the inside
    computers.


    I need to:
    1) know this is possible
    2) be pointed to instructions on how to set this up
    3) understand HOW this is done
    4) understand if the Inside and DMZ are on different subnets if the ASA is
    doing routing as well as passing Netbios packets. As I understand the world
    if you allow netbios from and to subnets you are making security holes that
    undermine the value of the DMZ
     
    barret bonden, Mar 26, 2010
    #1

  2. On 26.03.2010 20:11, barret bonden wrote:
    > Need to set up a web server in a DMZ such that
    > 1) computers on the INSIDE interface can, on a Microsoft LAN, browse to and
    > copy files FROM the server in the DMZ to themselves in the inside
    > 2) If the server in the DMZ is hacked it will prevent attack on the inside
    > computers.
    >
    >
    > I need to:
    > 1) know this is possible
    > 2) be pointed to instructions on how to set this up
    > 3) understand HOW this is done
    > 4) understand if the Inside and DMZ are on different subnets if the ASA is
    > doing routing as well as passing Netbios packets. As I understand the world
    > if you allow netbios from and to subnets you are making security holes that
    > undermine the value of the DMZ


    You got that right. Opening up Microsoft LAN protocols between the DMZ
    and your internal network makes it pretty much impossible to secure the
    internal network against attacks from the DMZ server, should it be
    subverted.

    (Btw, I don't agree with your distinction between "routing" and "passing
    Netbios packets". The latter is a particular case of the former.)

    What I'd recommend is not to use Netbios for that purpose. If that DMZ
    server is a web server already, why not have the inside computers browse
    to and copy these files via HTTP, too? For that you only have to open
    port 80 from inside to DMZ, which you probably did already anyway.

    HTH
    Tilman
     
    Tilman Schmidt, Mar 27, 2010
    #2
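
Added example, not part of the thread: a small Python check that reads ASA-style extended ACL lines and lists any `permit` entry that would let Microsoft LAN ports (TCP 135/139/445, UDP 137/138) cross between the inside and DMZ subnets, while leaving an HTTP-only rule alone. The ACL names, addresses and the `risky_rules` helper are assumptions made for illustration; it handles only `any`, `host IP` and `IP MASK` address forms and ignores rule order and interface bindings.

```python
import ipaddress

# Microsoft LAN ports (RPC, NetBIOS, SMB) and the few ASA port keywords this sketch knows.
MS_LAN = {"tcp": {135, 139, 445}, "udp": {137, 138}}
NAMES = {"www": 80, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

def _addr(tok):
    """Consume one address spec ('any', 'host IP' or 'IP MASK') from the tokens."""
    head = tok.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tok.pop(0)}")

def _ports(tok):
    """Destination ports named by 'eq P' or 'range A B'; all ports if absent."""
    num = lambda t: NAMES.get(t) or int(t)
    if tok[:1] == ["eq"]:
        return range(num(tok[1]), num(tok[1]) + 1)
    if tok[:1] == ["range"]:
        return range(num(tok[1]), num(tok[2]) + 1)
    return range(65536)

def risky_rules(config, inside, dmz):
    """Permit lines that let Microsoft LAN ports cross inside <-> dmz (rule order ignored)."""
    inside, dmz = ipaddress.ip_network(inside), ipaddress.ip_network(dmz)
    hits = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:4] != ["extended", "permit"]:
            continue
        proto, rest = tok[4], tok[5:]
        src, dst, ports = _addr(rest), _addr(rest), _ports(rest)
        crosses = (src.overlaps(inside) and dst.overlaps(dmz)) or \
                  (src.overlaps(dmz) and dst.overlaps(inside))
        wanted = MS_LAN["tcp"] | MS_LAN["udp"] if proto == "ip" else MS_LAN.get(proto, set())
        if crosses and any(p in ports for p in wanted):
            hits.append(line.strip())
    return hits

# Constructed sample ACL; all names and addresses are made up for illustration.
SAMPLE = """\
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.50.10 eq www
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.50.10 eq 445
access-list DMZ_IN extended permit udp host 192.168.50.10 192.168.1.0 255.255.255.0 range netbios-ns netbios-dgm
access-list DMZ_IN extended permit ip host 192.168.50.10 any
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
"""
```

Calling `risky_rules(SAMPLE, "192.168.1.0/24", "192.168.50.0/24")` returns the `eq 445`, NetBIOS range and `permit ip ... any` lines; the `eq www` rule, which is the only opening the reply recommends, is not reported.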
