On Mon, 28 Aug 2000, SH Wesson wrote:
> My network is as follows:
>
> Ethernet Segment -------|PIX|--------|RTR|----------OUT TO INTERNET
>     INTERNAL                   DMZ          EXTERNAL
>
>
> I have a few servers out in the DMZ zone. How and what is the standard for
> security configuration for the PIX and the RTR (router)? Is the RTR supposed
> to shield only the servers in the DMZ and allow all other access inside? Is
> the PIX supposed to be configured such that any traffic from the Ethernet
> Segment on the INTERNAL network going through the INTERNET is filtered and
> allowed via the OUTBOUND list on the PIX? How about the conduit? How is
> that supposed to be used?
A lot depends on your business model, what services the DMZ servers
are offering to the Internet, and what permissions you wish to allow
the internal users. Are you using NAT at the router? At the PIX?
Both? How will this scale? Any plans for a remote office? Will remote
users need access to resources in the DMZ? Inside?
> I have the network pretty much set up, but wanted some suggestions as to
> whether I'm doing it right. I'm currently using the RTR to protect the servers in
> the DMZ as well as placing some security for inbound connections, while using
> the PIX to establish/filter what traffic can go outbound and what can't.
> How about traffic coming inbound from the INTERNET? Should that type of
> traffic be filtered on the RTR or by using the conduit on the PIX? Any help
> with how to set up security at what section of the network (where) would be
> greatly appreciated. Thanks.
As a first cut, I would place an access list on the router that allows
established connections DMZ -> outside and also allows inbound connections
to those ports on those servers you have in the DMZ. You'll also likely
need to allow UDP port 53 for DNS. Will one of the DMZ servers be a name
server? If so, will it be authoritative for any zones, and need to do
zone transfers to a secondary (TCP 53)? With a deny any any log at the
end of the router access list you can see what holes you need to open if
things aren't working as planned.
The PIX will by default allow connections originated on the inside to
connect to the outside, so the configuration should be minimal there
unless you're either denying certain types of traffic originated inside,
or plan to allow static mappings and certain traffic originating from
DMZ or internet to reach hosts on the inside network. There's no reason
not to deny unwanted and/or malicious traffic both at the router and at
the PIX. More security. If a host in the DMZ gets compromised, it's
nice to have another defense for the inside.
The biggest problems with this type of setup are customer related, not
configuration or hardware. You design a secure network and then someone
demands the ability to use PCAnywhere to get to his inside workstation
or worse yet hangs a modem on it. Insist on IPSEC/VPN for such idiocy
if at all possible.
--
Jay Hennigan - Network Administration - [EMAIL PROTECTED]
NetLojix Communications, Inc. NASDAQ: NETX - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323
___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
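The router access list sketched in the reply above (permit established TCP back toward the DMZ, permit only the published ports on the DMZ servers, permit UDP 53 and TCP 53 to the name server, end with an explicit deny that logs) is easy to reason about on paper but easy to get subtly wrong on the box, so here is an added example that is not part of the original thread: a small Python simulator that parses a constructed IOS-style extended ACL and evaluates sample packets against it the way the router would, first match wins and an explicit `deny ip any any log` at the bottom. The ACL text, the DMZ addresses (192.0.2.10 as an assumed web server, 192.0.2.11 as an assumed name server) and the packets are all constructed for this illustration; the parser only handles the subset of IOS syntax used here (`any`/`host` addresses, `eq` on the destination port, `established`, `log`).

```python
"""Added illustration: simulate the router ACL described in the reply.

The ACL, hosts and packets below are constructed for this example and are
not taken from the thread. 192.0.2.0/24 and 198.51.100.0/24 are the RFC 5737
documentation ranges, standing in for the DMZ and the Internet.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed ACL, applied inbound on the router's Internet-facing interface.
# 192.0.2.10 = assumed DMZ web server, 192.0.2.11 = assumed DMZ name server
# that also serves zone transfers (TCP 53) to an off-site secondary.
ROUTER_ACL = """
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit udp any host 192.0.2.11 eq 53
access-list 101 permit tcp any host 192.0.2.11 eq 53
access-list 101 deny ip any any log
"""


@dataclass
class Rule:
    action: str
    proto: str               # "ip" matches every protocol
    src: Optional[str]       # None means 'any'
    dst: Optional[str]
    dport: Optional[int]
    established: bool
    log: bool


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False        # ACK (or RST) set: what IOS 'established' keys on


def _addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (addr, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return str(ipaddress.ip_address(tokens[i + 1])), i + 2
    raise ValueError(f"unsupported address spec: {tokens[i]}")


def parse_acl(text):
    """Parse the supported subset of 'access-list N permit|deny ...' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport, established, log = None, False, False
        while i < len(t):               # trailing options, any order
            if t[i] == "eq":
                dport, i = int(t[i + 1]), i + 2
            elif t[i] == "established":
                established, i = True, i + 1
            elif t[i] == "log":
                log, i = True, i + 1
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in: {line}")
        rules.append(Rule(action, proto, src, dst, dport, established, log))
    return rules


def matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    # 'established' is stateless: it only checks the ACK/RST bits of a TCP
    # segment, so a bare SYN never matches it.
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(rules, pkt):
    """First matching entry wins; unmatched traffic hits the implicit deny,
    which (unlike the explicit last line) does not log. Returns (action, logged)."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.log
    return "deny", False


# Constructed traffic arriving from the Internet side.
SAMPLE_PACKETS = {
    "web request to the DMZ web server": Packet("tcp", "198.51.100.7", "192.0.2.10", 80),
    "ssh attempt against the web server": Packet("tcp", "198.51.100.7", "192.0.2.10", 22),
    "dns query to the DMZ name server": Packet("udp", "198.51.100.7", "192.0.2.11", 53),
    "zone transfer from the secondary": Packet("tcp", "203.0.113.53", "192.0.2.11", 53),
    "reply to a connection the DMZ opened outbound": Packet("tcp", "203.0.113.9", "192.0.2.10", 40000, ack=True),
    "SYN to a high port on the web server": Packet("tcp", "198.51.100.7", "192.0.2.10", 40000),
    "ping of the web server": Packet("icmp", "198.51.100.7", "192.0.2.10"),
}


def run(acl_text=ROUTER_ACL):
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, logged) in run().items():
        print(f"{action:6} {'(logged)' if logged else '':9} {name}")
```

Two things the run makes visible that the prose only implies: the explicit `deny ip any any log` is what turns the unexplained failures into log lines (the implicit deny at the end of every IOS ACL drops silently), and `established` is a stateless check on the ACK/RST bits, so anything the DMMZ servers themselves originate over UDP, such as the name server's own recursive queries, has no "established" equivalent and will show up in that deny log until a matching permit is added, which is exactly the "see what holes you need to open" loop the reply describes.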