Solved

How to configure DMZ with 2 firewalls

Posted on 2004-04-05
8
1,255 Views
Last Modified: 2013-11-16
I have 2 Cisco PIX515E that I want to use to set up a DMZ. My network consists of a WebServer (which I want in the DMZ), a DataServer (which runs a MS SQL database that the WebServer needs to access) and a DomainController (which the WebServer also needs to access because it belongs to the domain). There are also 3-5 workstations that are on the domain.  The primary issue is the security of the DataServer.

As for required ports, the WebServer needs http, https, and ftp open. All three servers need to be accessible via Terminal Services as well (therefore DataServer and DomainController need static IPs). The WebServer will also need the following ports to authenticate to the Domain Controller as per Microsoft KB179442:
UDP: 53, 86, 389
TCP: 53, 88, 135, 389, 445, 636, 3268, 3269

Here is what I was thinking:
x.x.x.x (External IPs)
y.y.y.y (Internal IPs)

FIREWALL1:
Interface outside (from Internet) x.x.x.51 255.255.255.192
Interface inside (to Firewall2) y.y.20.1 255.255.255.0
Interface dmz (to DMZ switch) y.y.30.1 255.255.255.0
Ports???

FIREWALL2:
Interface outside (from Firewall2) y.y.20.2 255.255.255.0
Interface inside (to inside switch) y.y.10.1 255.255.255.0
Ports???

WebServer:
ExternalIP: x.x.x.52
InternalIP: y.y.30.2
Gateway: y.y.30.1

DataServer/DomainController:
ExternalIP: x.x.x.53 / x.x.x.54
InternalIP: y.y.10.3 / y.y.10.4
Gateway: y.y.10.1

So how can I set up the firewalls for the DMZ? What other issues should I be considering?
Question by: upplepop

8 Comments

Author Comment by: upplepop
I am also open to suggestions on restricting outbound traffic. I want to keep the workstations pretty open, but perhaps there are security benefits to implementing this on the servers; especially the DataServer.
Accepted Solution by: lrmoore (LVL 79, earned 250 total points)
I would seriously consider using the two PIX's as a failover pair, not as two independent firewalls.

Not:
Outside-->PIX1-->(y.y.20.0)<--PIX2--> Inside (y.y.10.0)
                  \
                   DMZ hosts (y.y.30.0)
Rather:
Outside-->PIX(pair)-->Inside (y.y.10.0)
                 \
                   DMZ hosts (y.y.30.0)

Basic config includes these steps:

1. define static nat translations for public/private IP hosts:
static (dmz,outside) x.x.x.52 y.y.30.2 netmask 255.255.255.255
static (inside,outside) x.x.x.53 y.y.10.3 netmask 255.255.255.255
static (inside,outside) x.x.x.54 y.y.10.4 netmask 255.255.255.255

2. create access-list for public access IN to DMZ:
access-list outside_access_in permit tcp any host x.x.x.52 eq www
access-list outside_access_in permit tcp any host x.x.x.52 eq 443

3. apply the access-list to the outside interface:
access-group outside_access_in in interface outside

4. Set up nat exceptions for data between private inside net and private DMZ subnet:
access-list no_nat permit ip y.y.10.0 255.255.255.0 y.y.30.0 255.255.255.0
nat (inside) 0 access-list no_nat

5. Set up access-list rules for the DMZ server to access the domain:
access-list dmz_access_inside permit udp host y.y.30.2 host y.y.10.3 eq 53
access-list dmz_access_inside permit udp host y.y.30.2 host y.y.10.3 eq 86
access-list dmz_access_inside permit udp host y.y.30.2 host y.y.10.3 eq 389
access-list dmz_access_inside permit udp host y.y.30.2 host y.y.10.4 eq 53
access-list dmz_access_inside permit udp host y.y.30.2 host y.y.10.4 eq 86
access-list dmz_access_inside permit udp host y.y.30.2 host y.y.10.4 eq 389
access-list dmz_access_inside permit tcp host y.y.30.2 host y.y.10.3 eq 53
access-list dmz_access_inside permit tcp host y.y.30.2 host y.y.10.3 eq 88
access-list dmz_access_inside permit tcp host y.y.30.2 host y.y.10.3 eq 135
access-list dmz_access_inside permit tcp host y.y.30.2 host y.y.10.3 eq 389
access-list dmz_access_inside permit tcp host y.y.30.2 host y.y.10.3 eq 445
access-list dmz_access_inside permit tcp host y.y.30.2 host y.y.10.3 eq 636
<etc>

(you can also set up server 'groups' and protocol 'groups', then permit access to/from server group X, protocol group X; it makes things easier in the long run)

Apply that to the DMZ interface
access-group dmz_access_inside in interface dmz

That's pretty much how you set it up.
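The lists above are small enough to check by hand, but the question asks for more flows than the posted rules permit (FTP and Terminal Services from outside, and the WebServer's SQL connection to the DataServer), and Tim Holman's later point about being "far too generous" cuts the other way. The following is an added example, not code from this thread, from Cisco or from the PIX itself: a first-match evaluator for the subset of PIX 6.x access-list syntax used in the answer, run over the posted rules with constructed addresses standing in for the thread's x.x.x.* and y.y.* placeholders (192.0.2.52 for x.x.x.52, 10.1.30.2 for y.y.30.2, 10.1.10.3/4 for y.y.10.3/4, 203.0.113.9 for an arbitrary Internet client). The domain-controller ports are pointed at y.y.10.4, which the question names as the DomainController.

```python
"""First-match model of the PIX access-lists posted in this thread.

Added example; not code from the thread, from Cisco or from the PIX itself.
A flow is evaluated the way the PIX does it: the first matching entry wins,
and a list applied with access-group ends in an implicit deny for everything
that arrives on that interface, whatever its destination interface is.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PUBLIC_WEB = "192.0.2.52"      # constructed stand-in for x.x.x.52 (WebServer static)
DMZ_WEB = "10.1.30.2"          # constructed stand-in for y.y.30.2 (WebServer, dmz)
INSIDE_DATA = "10.1.10.3"      # constructed stand-in for y.y.10.3 (DataServer)
INSIDE_DC = "10.1.10.4"        # constructed stand-in for y.y.10.4 (DomainController)
INTERNET_HOST = "203.0.113.9"  # constructed arbitrary client on the outside

# Keywords PIX accepts in place of port numbers (subset used here).
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20, "domain": 53}

# The posted rules with placeholders substituted (constructed config fragment).
THREAD_CONFIG = f"""
access-list outside_access_in permit tcp any host {PUBLIC_WEB} eq www
access-list outside_access_in permit tcp any host {PUBLIC_WEB} eq 443
access-list no_nat permit ip 10.1.10.0 255.255.255.0 10.1.30.0 255.255.255.0
access-list dmz_access_inside permit udp host {DMZ_WEB} host {INSIDE_DC} eq 53
access-list dmz_access_inside permit tcp host {DMZ_WEB} host {INSIDE_DC} eq 88
access-list dmz_access_inside permit tcp host {DMZ_WEB} host {INSIDE_DC} eq 389
access-list dmz_access_inside permit tcp host {DMZ_WEB} host {INSIDE_DC} eq 445
"""

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None matches any destination port

def parse_ace(line: str):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]', where
    SRC and DST are 'any', 'host A.B.C.D' or 'NET MASK'."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto, rest = toks[1], toks[2], toks[3], toks[4:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ipaddress.ip_network("0.0.0.0/0")
        if rest[0] == "host":
            host, rest = rest[1], rest[2:]
            return ipaddress.ip_network(f"{host}/32")
        net, mask, rest = rest[0], rest[1], rest[2:]
        return ipaddress.ip_network(f"{net}/{mask}")  # dotted mask is accepted

    src, dst = take_addr(), take_addr()
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return name, Ace(action, proto, src, dst, dport)

def load_acls(config: str):
    """Group the access-list lines of a config fragment by list name."""
    acls = {}
    for line in config.strip().splitlines():
        if line.startswith("access-list"):
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls

def permitted(acl, proto, src, dst, dport):
    """First matching entry decides; no match is the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False

def check_policy(config: str = THREAD_CONFIG):
    """Flows the question asks for, evaluated against the posted lists."""
    acls = load_acls(config)
    outside, dmz = acls["outside_access_in"], acls["dmz_access_inside"]
    return {
        # Inbound from the Internet is matched on the public static address.
        "internet->web http": permitted(outside, "tcp", INTERNET_HOST, PUBLIC_WEB, 80),
        "internet->web ftp": permitted(outside, "tcp", INTERNET_HOST, PUBLIC_WEB, 21),
        "internet->web rdp": permitted(outside, "tcp", INTERNET_HOST, PUBLIC_WEB, 3389),
        # DMZ to inside uses private addresses (no_nat exempts them from NAT).
        "web->dc dns udp": permitted(dmz, "udp", DMZ_WEB, INSIDE_DC, 53),
        "web->dc ldap": permitted(dmz, "tcp", DMZ_WEB, INSIDE_DC, 389),
        "web->data mssql": permitted(dmz, "tcp", DMZ_WEB, INSIDE_DATA, 1433),
        # The list on dmz also sees what the WebServer sends toward the Internet.
        "web->internet http": permitted(dmz, "tcp", DMZ_WEB, INTERNET_HOST, 80),
    }
```

Running check_policy() shows three things worth settling before the config goes live: the outside list permits only 80 and 443, so the FTP and Terminal Services access the question asks for is denied; the dmz list has no entry toward the DataServer, so the WebServer's SQL Server connection (TCP 1433 by default) is denied; and because an access-group on dmz governs everything the WebServer sends, its own Internet-bound traffic is denied too unless a rule allows it. Each of those is a deliberate decision to make, not something to discover from a failing application, and the same evaluator can be re-run on a tightened list after Tim Holman's question about which authentication actually needs to cross.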
Author Comment by: upplepop
Thanks for your help lrmoore.

Actually, I currently have them set up as failover and I am moving to the independent firewalls to provide an extra layer of security to the DataServer (security on that server is a big concern). I am curious why you would suggest a failover setup. In my experience (albeit limited), the Cisco PIX has been very reliable.
Expert Comment by: Rich Rumble (LVL 38)
Sometimes when sold in fail-over pairs... Cisco will send one that can only be secondary... meaning that it can only obtain its information from the primary PIX, over the failover cable, and this cannot be gotten around. I'm not sure whether you have been sold this configuration or not, but it's an FYI. Boot up the secondary 515, and you'll know pretty quickly if this is the case.

Also, remember with FTP that there is an FTP-DATA port that will (typically) need to be allowed also :) So you need ports 20 and 21 allowed, typically.
Egress and ingress filtering can help keep your LAN from attacking others and mitigate attacks against you.
-rich
Author Comment by: upplepop
Can anyone comment on which configuration would be better: 2 separate firewalls or the failover (like lrmoore suggested)? What are the advantages/disadvantages?
Expert Comment by: lrmoore (LVL 79)
Personal opinion (I've been installing/configuring PIX's for years) only.

Use the failover pair. You gain nothing (security wise) by having a wire (DMZ LAN) between two individual pix's over using two separate interfaces on the same pix.
By separating the pair, you now have TWO separate points of failure in your network.
By separating the pair, you now have TWO separate boxes to manage, monitor, update, etc.
By separating the pair, you incur a license upgrade (from failover only to unlimited) cost upwards of $3000
By separating the pair, your maintenance contract costs go up by about $1000/year
By separating the pair, it makes it very difficult to VPN into the back-end PIX to get to your local LAN using the VPN client, or LAN-LAN vpn's
By separating the pair, you give 'management' an "illusion" of higher security

By Keeping the pair:
- save $$
- easy to access local LAN via VPN
- just as secure - no illusions, no smoke and mirrors
- easier to manage/monitor
- NO single point of failure

That's just off the top of my head....

Expert Comment by: badrox (LVL 1)
Having them in failover probably makes sense in your design.  There most certainly are times when you would want 2 or more firewalls that would not just provide an illusion of higher security, but more along the lines of leveled security.

If you want them both to connect to the same DMZ, then it would be pointless unless you were having performance issues and needed to shift load.  

If you're really that concerned about the DB server, why not put one of the PIX's directly in front of it? You could easily configure your general firewall set on your border firewall and then be very granular on the one in front of the DB.

Just a thought.
Expert Comment by: Tim Holman (LVL 23)
Don't forget there will also be a license fee in upgrading from FO to either R or UR depending on how many interfaces you will be using -

PIX-515-SW-FO-R=    PIX 515/515E Failover-to-Restricted (FO-to-R) license upgrade      $495      £340
PIX-515-SW-FO-UR=   PIX 515/515E Failover-to-Unrestricted (FO-to-UR) license upgrade   $4,495    £3,087

R (restricted) lets you use THREE interfaces, whereas UR is up to the capacity of the box (six).

In my opinion, you won't benefit by putting the data server behind two firewalls. The two-tiered firewall approach is only useful when the firewalls are of different vendors, so that if one firewall misses something, chances are the second will pick it up.
...and even then, there are more important issues of which firewalling is the least that concern the security of your data server.

Architecturally, something like this would be better:

Internet
|
PIX--------DMZ 1 (WWW Server)
|       |
|       ------DMZ 2 (Data server, backup domain controller)
|
Internal users , primary domain controller

Also, you're being far too generous with the open ports here:

UDP: 53, 86, 389
TCP: 53, 88, 135, 389, 445, 636, 3268, 3269

What sort of authentication are you trying to pass through?

