Hi Todd,
You can enable such a policy with the outbound / apply commands.
Let's say you have an internal network 10.1.1.0/24 and want to
restrict them to surfing and ftp:
First deny everything:
outbound 1 deny 10.1.1.0 255.255.255.0 0 tcp
outbound 1 deny 10.1.1.0 255.255.255.0 0 udp
Then permit only what's necessary:
outbound 1 permit 10.1.1.0 255.255.255.0 80 tcp #(HTTP)
outbound 1 permit 10.1.1.0 255.255.255.0 443 tcp #(HTTPS)
outbound 1 permit 10.1.1.0 255.255.255.0 53 udp #(DNS queries)
outbound 1 permit 10.1.1.0 255.255.255.0 21 tcp #(FTP)
Of course you can expand this list to fit your needs.
Unlike most firewalls it is not the first match that wins, but the most specific.
To let the admin pc open any ports:
outbound 1 permit 10.1.1.99 255.255.255.255 0 tcp
outbound 1 permit 10.1.1.99 255.255.255.255 0 udp
After that you'll have to activate this rule with the following commands:
apply (inside) 1 outgoing_src
apply (inside) 1 outgoing_dest
That's it.
The Security Levels tell the PIX which Interface is "outside" and which is "inside".
From an outside interface (DMZ or Internet for example) to an inside interface everything
is denied unless a static/conduit permits it. From inside=>outside everything is allowed
unless outbound/apply is configured otherwise (as seen above).
Have fun
Sascha
--------------------------------------------------------------------------------
Sascha Weigelmann Email: [EMAIL PROTECTED]
Tel.: +49 6172-288-383
Mobil 0170-5778857
Fax: +49 6172-288-402
ADS System AG http://www.ads.de
Siemensstr. 25a
D-61352 Bad Homburg
The Network Service Company
--------------------------------------------------------------------------------
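The "most specific match wins" behaviour that the reply above relies on is easy to get wrong when reading a rule set by eye. The following Python script is an added example, not code from the reply, from Cisco or from the firewalls list: it parses the `outbound` lines of the sample policy above and evaluates a connection against them using best-match rather than first-match semantics. The tie-breaking order it uses (longer netmask first, then an explicit port over port 0, then deny over permit) is an assumption of this model and is not taken from PIX documentation; the `apply ... outgoing_src` / `outgoing_dest` direction is not modelled, the listed address is simply treated as the source.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class OutboundRule:
    action: str            # "permit" or "deny"
    network: IPv4Network   # address + mask from the outbound line
    port: int              # destination port; 0 means "any port"
    proto: str             # "tcp" or "udp"


def parse_outbound(line: str) -> OutboundRule:
    """Parse one 'outbound <list_id> permit|deny <ip> <mask> <port> <proto>' line.

    A trailing '#(...)' remark, as written in the reply above, is stripped first.
    """
    fields = line.split("#", 1)[0].split()
    if len(fields) != 7 or fields[0] != "outbound":
        raise ValueError(f"unrecognised outbound line: {line!r}")
    _, _list_id, action, ip, mask, port, proto = fields
    if action not in ("permit", "deny") or proto.lower() not in ("tcp", "udp"):
        raise ValueError(f"bad action or protocol in: {line!r}")
    # ipaddress accepts a dotted netmask after the slash, so the PIX syntax maps directly
    return OutboundRule(action, IPv4Network(f"{ip}/{mask}", strict=False), int(port), proto.lower())


def load_policy(config: str) -> List[OutboundRule]:
    """Collect the outbound lines of a config snippet; apply lines and blanks are ignored."""
    return [parse_outbound(l.strip()) for l in config.splitlines() if l.strip().startswith("outbound ")]


def specificity(rule: OutboundRule):
    # Ordering assumed by this model (not taken from Cisco documentation):
    # longer netmask first, then an explicit port over port 0, then deny over permit.
    return (rule.network.prefixlen, 1 if rule.port else 0, 1 if rule.action == "deny" else 0)


def evaluate(rules: List[OutboundRule], src_ip: str, dst_port: int, proto: str) -> str:
    """Return 'permit' or 'deny' for an inside->outside connection.

    Best-match rather than first-match: every matching rule is considered and
    the most specific one decides. With no matching rule at all, the default
    the reply describes for inside->outside traffic (everything allowed) applies.
    """
    src = IPv4Address(src_ip)
    best: Optional[OutboundRule] = None
    for rule in rules:
        if rule.proto != proto.lower() or src not in rule.network:
            continue
        if rule.port not in (0, dst_port):
            continue
        if best is None or specificity(rule) > specificity(best):
            best = rule
    return best.action if best is not None else "permit"


# Constructed sample: the rule set from the reply above (list 1, inside network 10.1.1.0/24,
# admin PC 10.1.1.99). The apply line is included only to show it is skipped by the parser.
SAMPLE_POLICY = """
outbound 1 deny 10.1.1.0 255.255.255.0 0 tcp
outbound 1 deny 10.1.1.0 255.255.255.0 0 udp
outbound 1 permit 10.1.1.0 255.255.255.0 80 tcp #(HTTP)
outbound 1 permit 10.1.1.0 255.255.255.0 443 tcp #(HTTPS)
outbound 1 permit 10.1.1.0 255.255.255.0 53 udp #(DNS queries)
outbound 1 permit 10.1.1.0 255.255.255.0 21 tcp #(FTP)
outbound 1 permit 10.1.1.99 255.255.255.255 0 tcp
outbound 1 permit 10.1.1.99 255.255.255.255 0 udp
apply (inside) 1 outgoing_src
"""
SAMPLE_RULES = load_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    for src, port, proto in [("10.1.1.50", 80, "tcp"), ("10.1.1.50", 25, "tcp"),
                             ("10.1.1.50", 53, "udp"), ("10.1.1.50", 53, "tcp"),
                             ("10.1.1.99", 25, "tcp"), ("10.2.2.5", 25, "tcp")]:
        print(f"{src} -> {proto}/{port}: {evaluate(SAMPLE_RULES, src, port, proto)}")
```

Running the script shows the two consequences of best-match that matter for an egress policy: the /24 deny on port 0 loses to the /24 permit on port 80, so web traffic passes, and both of them lose to the /32 permit for the admin PC, so that host can open anything regardless of where its lines sit in the list. It also shows a gap worth checking in a real deployment: a host outside 10.1.1.0/24 on the inside interface matches nothing and falls through to the permissive default, so the deny lines must cover every inside network, not just the one you had in mind.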
>>> Todd a <[EMAIL PROTECTED]> 09/26/00 07:08pm >>>
Policy
........
It seems there are so many reasons to not just allow
all outgoing access to the web these days.
ports 138, 139, 445, Back Orifice...
I am considering doing a "deny unless explicitly
allowed" policy and then allowing what is needed. Like
I do at home with IPCHAINS.
I think this is a good policy and if nothing else, it
forces you to be aware of what is going on.
implementation
...............
The pix as I understand has a security level assigned
to each interface. The lower security interfaces will
always trust the higher security interfaces. The
"access-list" or "outbound" (I prefer the outbound command)
commands can be used to "selectively" deny or permit
access as required.
Will the trust between interfaces prevent me from
successfully implementing a default "deny unless
explicitly allowed" outgoing policy?
I think this default policy should be feasible.
I have been told otherwise by a consultant, and I
think he might be wrong.
tia
Todd
__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]