Re: regarding Cisco Pix, DMZ and NAT combination

Discussion in 'Cisco' started by Michael Hatzis, Jul 9, 2003.

  G'day,

    There are many thoughts as to what is right and wrong, and at the end of
    the day it is all about making it as hard as possible if a system is
    1. Only allow the ports you need from outside to the DMZ, e.g. HTTP, SSL; obvious.
    2. NAT comms from the DMZ host to the inside network only, not the entire
    network. Restrict what access the DMZ host has to the inside network and from
    inside to the DMZ server.
    3. Only add routes to the hosts that the DMZ hosts need to access
    inside, not the entire network; this only works if your internal hosts
    are on a different subnet to what your inside interface is on.
    4. Most important, make sure all your hosts are up to date with
    security patches.

    What happens when your web server becomes compromised and the attacker
    is then sitting on the host with access to the network? He can get
    into your inside network on the ports you allow from the DMZ to inside. In
    this case changing your IPs to internal address space does not do
    very much.

    The way I have set up similar environments has been as a three-tier
    network ("funding is a problem at times, I know"):

    inside |
    ------------------------------------ firewall 1
    |shared infrastructure no static routes
    ------------------------------ firewall 2

    I hope this helps.


    (Trond Hindenes) wrote in message news:<>...
    > Hi, I really appreciate your comments. Couple of things I would like
    > to clarify though;comments in line
    > > What is the need for the web server to be a member of the domain? I'll stand
    > > corrected if necessary, but in my view a web server should have minimal
    > > connectivity to internal network, and definitely not a member of internal
    > > domain. Once the server is compromised you lose everything.

    > Yes, I understand this. We use domain addmounting on our web servers,
    > so they need to be domain members. We only use SSL (port 80 is never
    > open) and RSA SecurID tokens, so I feel fairly comfortable with our
    > web server security, although I see your point, of course.
    > > Your idea of a virtual DMZ I think is not, although it might make you feel
    > > better calling it that :)
    > > You are just doing NAT translation to an internal device. The address you
    > > use is irrelevant. I think you're saying that anyway though so you probably
    > > know the implications of this.

    > Humbly Agreed :)
    > The term virtual DMZ is just that in my opinion; an internal block of
    > addresses that look like they belong to a DMZ.
    > > I can't see anything stopping you isolating your web server in the DMZ now.
    > > The addressing seems irrelevant. I may be missing something.

    > The problem, as I see it, is that for it to work as it stands now, I
    > would have to use NAT between the DMZ and LAN, thus giving each web
    > server in the DMZ two addresses, one "real" and one internal address. As I
    > see it, this would confuse my internal DNS, but I may be wrong. Will
    > look into it.
    > > You can leave your existing address on the outside of the Pix, and just use
    > > your block of 16 for NAT - you probably know that anyway.
    > >

    > Could you clarify this a little? I'm not sure I quite follow.
    > > You can have this anyway. You may have to use alias to access the web
    > > servers from the inside using DNS resolved addresses if you have private
    > > addressing on the DMZ.

    > Yup.
    > > You can do this anyway, but should minimise it.

    > Yup
    Michael Hatzis, Jul 9, 2003
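A configuration sketch of points 1 to 3 from the post above on a PIX 6.x, added here as an illustration and not taken from any poster in the thread. Interface names, the addresses (documentation and RFC 1918 ranges) and the database port are assumptions; the lines beginning with `!` are explanatory comments, not PIX commands.

```cisco
! Assumed interfaces: outside (security0), dmz (security50), inside (security100)
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0

! Point 1: publish the DMZ web server (192.168.50.10) on one public address
! and allow only SSL in from the outside; port 80 is never opened.
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

! Point 2: NAT a single inside host (assumed database at 10.0.0.20) into the
! DMZ address space, so the web server sees it as 192.168.50.100 and never
! learns the real inside addressing. This is the "two addresses" situation
! described in the thread: one real, one as seen from the DMZ.
static (inside,dmz) 192.168.50.100 10.0.0.20 netmask 255.255.255.255

! Only the web server may talk to that one translated host, on the one
! port it needs (assumed SQL Server, 1433). Everything else from the DMZ
! toward inside is denied, so a compromised web server has exactly one
! path to follow and that path is logged.
access-list dmz_in permit tcp host 192.168.50.10 host 192.168.50.100 eq 1433
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! Point 3: the DMZ only ever needs a route for the translated address, which
! lives on the dmz interface itself; no route into the inside subnet is
! added on the DMZ side.
logging on
logging trap informational
```

The deny entry at the end of `dmz_in` is the implicit behaviour of the PIX anyway; spelling it out makes the denied DMZ-to-inside attempts show up in the syslog, which is the first sign that the web server is being used as a foothold.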
