How to configure DMZ with 2 firewalls

Asked by upplepop
Last Modified: 2013-11-16
I have 2 Cisco PIX515E that I want to use to set up a DMZ. My network consists of a WebServer (which I want in the DMZ), a DataServer (which runs a MS SQL database that the WebServer needs to access) and a DomainController (which the WebServer also needs to access because it belongs to the domain). There are also 3-5 workstations that are on the domain.  The primary issue is the security of the DataServer.

As for required ports, the WebServer needs http, https, and ftp open. All three servers need to be accessible via Terminal Services as well (therefore DataServer and DomainController need static IPs). The WebServer will also need the following ports to authenticate to the Domain Controller as per Microsoft KB179442:
UDP: 53, 86, 389
TCP: 53, 88, 135, 389, 445, 636, 3268, 3269

Here is what I was thinking:
x.x.x.x (External IPs)
y.y.y.y (Internal IPs)

FIREWALL1:
Interface outside (from Internet) x.x.x.51 255.255.255.192
Interface inside (to Firewall2) y.y.20.1 255.255.255.0
Interface dmz (to DMZ switch) y.y.30.1 255.255.255.0
Ports???

FIREWALL2:
Interface outside (from Firewall2) y.y.20.2 255.255.255.0
Interface inside (to inside switch) y.y.10.1 255.255.255.0
Ports???

WebServer:
ExternalIP: x.x.x.52
InternalIP: y.y.30.2
Gateway: y.y.30.1

DataServer/DomainController:
ExternalIP: x.x.x.53 / x.x.x.54
InternalIP: y.y.10.3 / y.y.10.4
Gateway: y.y.10.1

So how can I set up the firewalls for the DMZ? What other issues should I be considering?

Author commented:
I am also open to suggestions on restricting outbound traffic. I want to keep the workstations pretty open, but perhaps there are security benefits to implementing this on the servers; especially the DataServer.
Sr. Systems Engineer (CERTIFIED EXPERT, Top Expert 2008) commented:

Author commented:
Thanks for your help lrmoore.

Actually, I currently have them set up as failover and I am moving to the independent firewalls to provide an extra layer of security to the DataServer (security on that server is a big concern). I am curious why you would suggest a failover setup. In my experience (albeit limited), the Cisco PIX has been very reliable.
Rich Rumble, Security Samurai (CERTIFIED EXPERT, Top Expert 2006) commented:
Sometimes when sold in failover pairs, Cisco will send one that can only be secondary, meaning that it can only obtain its information from the primary PIX over the failover cable, and this cannot be gotten around. I'm not sure whether you have been sold this configuration or not, but it's an FYI. Boot up the secondary 515 and you'll know pretty quickly if this is the case.

Also, remember with FTP that there is an FTP-DATA port that will (typically) need to be allowed also :) So you typically need ports 20 and 21 allowed.
Egress and Ingress filtering can help keep your lan from attacking others and mitigate attacks against you.
-rich

Author commented:
Can anyone comment on which configuration would be better: 2 separate firewalls or the failover pair (like lrmoore suggested)? What are the advantages/disadvantages?
Les Moore, Sr. Systems Engineer (CERTIFIED EXPERT, Top Expert 2008) commented:
Personal opinion (I've been installing/configuring PIXes for years) only.

Use the failover pair. You gain nothing (security wise) by having a wire (DMZ LAN) between two individual PIXes over using two separate interfaces on the same PIX.
By separating the pair, you now have TWO separate points of failure in your network.
By separating the pair, you now have TWO separate boxes to manage, monitor, update, etc.
By separating the pair, you incur a license upgrade (from failover only to unlimited) cost upwards of $3000
By separating the pair, your maintenance contract costs go up by about $1000/year
By separating the pair, it makes it very difficult to VPN into the back-end PIX to get to your local LAN using the VPN client, or LAN-to-LAN VPNs
By separating the pair, you give 'management' an "illusion" of higher security

By Keeping the pair:
- save $$
- easy to access local LAN via VPN
- just as secure - no illusions, no smoke and mirrors
- easier to manage/monitor
- NO single point of failure

That's just off the top of my head....

Commented:
Having them in failover probably makes sense in your design.  There most certainly are times when you would want 2 or more firewalls that would not just provide an illusion of higher security, but more along the lines of leveled security.

If you want them both to connect to the same DMZ, then it would be pointless unless you were having performance issues and needed to shift load.  

If you're really that concerned about the DB server, why not put one of the PIXes directly in front of it? You could easily configure your general firewall rule set on your border firewall and then be very granular on the one in front of the DB.

Just a thought.
CERTIFIED EXPERT commented:
Don't forget there will also be a license fee in upgrading from FO to either R or UR depending on how many interfaces you will be using -

PIX-515-SW-FO-R=    PIX 515/515E Failover-to-Restricted (FO-to-R) license upgrade      $495     £340
PIX-515-SW-FO-UR=   PIX 515/515E Failover-to-Unrestricted (FO-to-UR) license upgrade   $4,495   £3,087

R (restricted) lets you use THREE interfaces, whereas UR is up to the capacity of the box (six).

In my opinion, you won't benefit by putting the data server behind two firewalls. The two-tiered firewall approach is only useful when the firewalls are of different vendors, so that if one firewall misses something, chances are the second will pick it up.
...and even then, there are more important issues than firewalling that concern the security of your data server, of which firewalling is the least.

Architecturally, something like this would be better:

Internet
|
PIX--------DMZ 1 (WWW Server)
|       |
|       ------DMZ 2 (Data server, backup domain controller)
|
Internal users , primary domain controller

     
Also, you're being far too generous with the open ports here:

UDP: 53, 86, 389
TCP: 53, 88, 135, 389, 445, 636, 3268, 3269

What sort of authentication are you trying to pass through?
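The single-PIX, two-DMZ layout sketched in this last answer, with the port list from the question applied to it, as an added example (not code from the thread, the asker, or Cisco). The script keeps one access list per ingress interface as a table, answers "would the PIX pass the first packet of this flow?" using PIX semantics (a higher security level may initiate to a lower one by default; once an access list is bound to an interface only its explicit permits pass), and renders the table as PIX 6.x style `static`, `access-list` and `access-group` lines. Addresses reuse the question's placeholders; the dmz2 subnet y.y.40.0/24, the zone names, the security levels, the SQL port 1433 and the reading of the question's "UDP 86" as UDP 88 (Kerberos, as in KB179442) are assumptions.

```python
"""Zone policy model for one PIX with outside / dmz1 (web) / dmz2 (data + BDC) / inside."""
from dataclasses import dataclass

# PIX security levels (assumed values; only their order matters).
LEVEL = {"outside": 0, "dmz1": 50, "dmz2": 60, "inside": 100}

WEB_PUB = "x.x.x.52"   # public address of the web server (from the question)
WEB = "y.y.30.2"       # web server, dmz1 (from the question)
DATA = "y.y.40.3"      # data server, dmz2 (assumed subnet)
BDC = "y.y.40.4"       # backup domain controller, dmz2 (assumed subnet)
NAT = {WEB_PUB: ("dmz1", WEB)}   # static (dmz1,outside) x.x.x.52 -> y.y.30.2


@dataclass(frozen=True)
class Rule:
    src: str        # "any" or a host address as seen on the ingress interface
    dst_zone: str   # zone the destination really sits in
    dst: str        # destination address as seen on the ingress interface
    proto: str      # "tcp" or "udp"
    port: int


# KB179442 member-server-to-DC ports; "UDP 86" in the question read as 88.
AD_UDP = (53, 88, 389)
AD_TCP = (53, 88, 135, 389, 445, 636, 3268, 3269)

# One access list per ingress interface. A zone missing from this dict keeps
# the PIX default (inside may initiate anything towards lower-security zones).
ACLS = {
    "outside": [Rule("any", "dmz1", WEB_PUB, "tcp", p) for p in (21, 80, 443)],
    "dmz1": [Rule(WEB, "dmz2", DATA, "tcp", 1433)]
            + [Rule(WEB, "dmz2", BDC, "udp", p) for p in AD_UDP]
            + [Rule(WEB, "dmz2", BDC, "tcp", p) for p in AD_TCP],
    "dmz2": [],   # bound but empty: the data tier may not initiate anything
}


def allowed(src_zone: str, src: str, dst_zone: str, dst: str, proto: str, port: int) -> bool:
    """Would the PIX forward the first packet of this flow?"""
    if src_zone in ACLS:   # an ACL on the ingress interface replaces the level default
        return any(r.src in ("any", src) and r.dst == dst
                   and r.proto == proto and r.port == port
                   for r in ACLS[src_zone])
    return LEVEL[src_zone] > LEVEL[dst_zone]


def render_pix() -> list[str]:
    """PIX 6.x style lines: FTP inspection (opens the data channel for the
    permitted control connection), the statics a lower zone needs before it
    can reach a higher one, then one access list and binding per interface."""
    statics: dict[str, None] = {}   # dict keeps insertion order and dedupes
    acls: list[str] = []
    for zone, rules in ACLS.items():
        name = f"{zone}_in"
        for r in rules:
            if r.dst in NAT:
                real_zone, real = NAT[r.dst]
                statics[f"static ({real_zone},{zone}) {r.dst} {real} netmask 255.255.255.255"] = None
            else:
                statics[f"static ({r.dst_zone},{zone}) {r.dst} {r.dst} netmask 255.255.255.255"] = None
            src = "any" if r.src == "any" else f"host {r.src}"
            acls.append(f"access-list {name} permit {r.proto} {src} host {r.dst} eq {r.port}")
        if not rules:
            acls.append(f"access-list {name} deny ip any any")
        acls.append(f"access-group {name} in interface {zone}")
    return ["fixup protocol ftp 21"] + list(statics) + acls


if __name__ == "__main__":
    print("\n".join(render_pix()))
    for probe in [("outside", "1.2.3.4", "dmz1", WEB_PUB, "tcp", 443),
                  ("dmz1", WEB, "dmz2", DATA, "tcp", 3389),
                  ("inside", "y.y.10.20", "dmz2", DATA, "tcp", 3389)]:
        print(probe, "->", "permit" if allowed(*probe) else "deny")
```

Two things the table makes visible that the port list alone does not: binding an access list to the dmz1 interface removes the web server's default permission to initiate anything outbound, so a compromised web server can reach only SQL on the data server and the AD ports on the BDC (the outbound restriction the asker raised for the servers), and the empty dmz2 list means the data tier cannot open connections at all while inside, having no list bound, still reaches it for Terminal Services. The `nat`/`global` statements inside hosts need on a PIX 6.x to reach the DMZs, and the DMZ subnet masks, are not modelled here.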

