Solved

How to configure DMZ with 2 firewalls

Posted on 2004-04-05
Last Modified: 2013-11-16
I have 2 Cisco PIX515E that I want to use to set up a DMZ. My network consists of a WebServer (which I want in the DMZ), a DataServer (which runs a MS SQL database that the WebServer needs to access) and a DomainController (which the WebServer also needs to access because it belongs to the domain). There are also 3-5 workstations that are on the domain.  The primary issue is the security of the DataServer.

As for required ports, the WebServer needs http, https, and ftp open. All three servers need to be accessible via Terminal Services as well (therefore DataServer and DomainController need static IPs). The WebServer will also need the following ports to authenticate to the Domain Controller as per Microsoft KB179442:
UDP: 53, 86, 389
TCP: 53, 88, 135, 389, 445, 636, 3268, 3269

Here is what I was thinking:
x.x.x.x (External IPs)
y.y.y.y (Internal IPs)

FIREWALL1:
Interface outside (from Internet) x.x.x.51 255.255.255.192
Interface inside (to Firewall2) y.y.20.1 255.255.255.0
Interface dmz (to DMZ switch) y.y.30.1 255.255.255.0
Ports???

FIREWALL2:
Interface outside (from Firewall2) y.y.20.2 255.255.255.0
Interface inside (to inside switch) y.y.10.1 255.255.255.0
Ports???

WebServer:
ExternalIP: x.x.x.52
InternalIP: y.y.30.2
Gateway: y.y.30.1

DataServer/DomainController:
ExternalIP: x.x.x.53 / x.x.x.54
InternalIP: y.y.10.3 / y.y.10.4
Gateway: y.y.10.1

So how can I set up the firewalls for the DMZ? What other issues should I be considering?
Question by:upplepop
8 Comments
Author Comment

by:upplepop
ID: 10760766
I am also open to suggestions on restricting outbound traffic. I want to keep the workstations pretty open, but perhaps there are security benefits to implementing this on the servers; especially the DataServer.
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 10760875
I would seriously consider using the two PIX's as a failover pair, not as two independent firewalls.

Not:
Outside-->PIX1-->(y.y.20.0)<--PIX2--> Inside (y.y.10.0)
                  \
                   DMZ hosts (y.y.30.0)
Rather:
Outside-->PIX(pair)-->Inside (y.y.10.0)
                 \
                   DMZ hosts (y.y.30.0)

Basic config includes these steps:

1. define static nat translations for public/private IP hosts:
static (dmz,outside) x.x.x.52 y.y.30.2 netmask 255.255.255.255
static (inside,outside) x.x.x.53 y.y.10.3 netmask 255.255.255.255
static (inside,outside) x.x.x.54 y.y.10.4 netmask 255.255.255.255

2. create access-list for public access IN to DMZ:
access-list outside_access_in permit tcp any host x.x.x.52 eq www
access-list outside_access_in permit tcp any host x.x.x.52 eq 443

3. apply the access-list to the outside interface:
access-group outside_access_in in interface outside

4. Setup nat exceptions for data between private inside net and private DMZ subnet:
access-list no_nat permit ip y.y.10.0 255.255.255.0 y.y.30.0 255.255.255.0
nat (inside) 0 access-list no_nat

5. setup access-list rules for the DMZ server to access the domain:
access-list dmz_access_inside permit udp host y.y.30.2 host y.y.10.3 eq 53
access-list dmz_access_inside permit udp host y.y.30.2 host y.y.10.3 eq 86
access-list dmz_access_inside permit udp host y.y.30.2 host y.y.10.3 eq 389
access-list dmz_access_inside permit udp host y.y.30.2 host y.y.10.4 eq 53
access-list dmz_access_inside permit udp host y.y.30.2 host y.y.10.4 eq 86
access-list dmz_access_inside permit udp host y.y.30.2 host y.y.10.4 eq 389
access-list dmz_access_inside permit tcp host y.y.30.2 host y.y.10.3 eq 53
access-list dmz_access_inside permit tcp host y.y.30.2 host y.y.10.3 eq 88
access-list dmz_access_inside permit tcp host y.y.30.2 host y.y.10.3 eq 135
access-list dmz_access_inside permit tcp host y.y.30.2 host y.y.10.3 eq 389
access-list dmz_access_inside permit tcp host y.y.30.2 host y.y.10.3 eq 445
access-list dmz_access_inside permit tcp host y.y.30.2 host y.y.10.3 eq 636
<etc>

(you can also setup server 'groups' and protocol 'groups' then permit access to/from server group X, protocol group X, make it easier in the long run)

Apply that to the DMZ interface
access-group dmz_access_inside in interface dmz

That's pretty much how you set it up.
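As an added example that is not part of this thread (and not Cisco's code), here is a small Python model of the single-PIX policy in the steps above. It goes a little beyond the posted lines: it expands the DMZ access-list to both domain controllers and every port in the question's list, and it also emits the same policy in the object-group form mentioned in parentheses. Everything in it is an assumption for illustration: the addresses (203.0.113.0/26 stands in for x.x.x.x, 10.10.0.0/16 for y.y.y.y, 198.51.100.0/24 for arbitrary Internet hosts), the security levels 0/50/100, and the three PIX behaviours it models: an outside packet needs a static before it can reach an inside or DMZ host; an interface with an access-group applied is governed only by that ACL, with an implicit deny at the end; and with no ACL, traffic passes only from a higher security level to a lower one.

```python
"""Toy model of the single-PIX policy from the accepted answer (added example).

Addresses are constructed: 203.0.113.0/26 stands in for the page's x.x.x.x
public block and 10.10.0.0/16 for y.y.y.y. Three PIX 6.x behaviours are
modelled: an outside packet needs a static before it can reach a host; an
interface with an access-group applied is governed only by that ACL
(implicit deny at the end); without an ACL, traffic only flows from a
higher security level to a lower one.
"""
from ipaddress import ip_address, ip_network

SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}
ROUTES = {"10.10.30.0/24": "dmz", "10.10.10.0/24": "inside", "0.0.0.0/0": "outside"}
# step 1: static (dmz,outside) / static (inside,outside), public -> private
STATICS = {"203.0.113.52": "10.10.30.2",
           "203.0.113.53": "10.10.10.3",
           "203.0.113.54": "10.10.10.4"}
WEB = "10.10.30.2"
DC_HOSTS = ["10.10.10.3", "10.10.10.4"]
UDP_PORTS = [53, 86, 389]                          # port lists as given in the question
TCP_PORTS = [53, 88, 135, 389, 445, 636, 3268, 3269]

# ACL entries are (protocol, source network, destination network, dest port);
# "ip" or a port of None acts as a wildcard, like the PIX syntax.
ACLS = {
    # steps 2-3: outside_access_in, matched on the public (pre-translation) address
    "outside": [("tcp", "0.0.0.0/0", "203.0.113.52/32", 80),
                ("tcp", "0.0.0.0/0", "203.0.113.52/32", 443)],
    # step 5: dmz_access_inside, expanded to both DCs and every listed port
    "dmz": [(proto, f"{WEB}/32", f"{dc}/32", port)
            for dc in DC_HOSTS
            for proto, ports in (("udp", UDP_PORTS), ("tcp", TCP_PORTS))
            for port in ports],
}


def match(rule, proto, src, dst, dport):
    r_proto, r_src, r_dst, r_port = rule
    return (r_proto in ("ip", proto)
            and ip_address(src) in ip_network(r_src)
            and ip_address(dst) in ip_network(r_dst)
            and r_port in (None, dport))


def egress_for(dst):
    """Longest-prefix match over the constructed routing table."""
    candidates = [ip_network(n) for n in ROUTES if ip_address(dst) in ip_network(n)]
    return ROUTES[str(max(candidates, key=lambda n: n.prefixlen))]


def allowed(ingress, proto, src, dst, dport):
    """True if the PIX would forward a packet entering `ingress`, else False."""
    if ingress == "outside":
        if dst not in STATICS:        # no static translation, no path inward
            return False
        egress = egress_for(STATICS[dst])
    else:
        egress = egress_for(dst)
    if egress == ingress:             # PIX does not hairpin traffic out the same interface
        return False
    if ingress in ACLS:               # access-group applied: ACL decides, implicit deny
        return any(match(r, proto, src, dst, dport) for r in ACLS[ingress])
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]


def render_pix_acl(name, src_host, dc_hosts, udp_ports, tcp_ports):
    """Emit the same DMZ policy in the object-group form the answer mentions."""
    lines = ["object-group network dc_servers"]
    lines += [f"  network-object host {h}" for h in dc_hosts]
    lines += ["object-group service dc_udp udp"]
    lines += [f"  port-object eq {p}" for p in udp_ports]
    lines += ["object-group service dc_tcp tcp"]
    lines += [f"  port-object eq {p}" for p in tcp_ports]
    for proto, grp in (("udp", "dc_udp"), ("tcp", "dc_tcp")):
        lines.append(f"access-list {name} permit {proto} host {src_host} "
                     f"object-group dc_servers object-group {grp}")
    return lines


if __name__ == "__main__":
    checks = [
        ("outside", "tcp", "198.51.100.7", "203.0.113.52", 80),    # public web: permitted
        ("outside", "tcp", "198.51.100.7", "203.0.113.53", 1433),  # SQL from the Internet: dropped
        ("outside", "tcp", "198.51.100.7", "203.0.113.52", 3389),  # TS to web server: not permitted yet
        ("dmz", "tcp", WEB, "10.10.10.4", 88),                     # Kerberos to a DC: permitted
        ("dmz", "tcp", WEB, "10.10.10.3", 1433),                   # web -> SQL: needs its own line
        ("dmz", "udp", WEB, "198.51.100.9", 53),                   # DMZ outbound DNS: implicit deny
        ("inside", "tcp", "10.10.10.50", WEB, 3389),               # inside -> DMZ: higher to lower
    ]
    for pkt in checks:
        print(pkt, "->", "permit" if allowed(*pkt) else "deny")
    print("\n".join(render_pix_acl("dmz_access_inside", WEB, DC_HOSTS, UDP_PORTS, TCP_PORTS)))
```

The last three checks are the ones worth a second look before deploying: once dmz_access_inside is applied to the dmz interface, its implicit deny also stops the web server's own outbound traffic (DNS lookups, updates); nothing yet permits the web server to reach the DataServer's SQL port (1433 in the example, as the question requires); and the Terminal Services access the question asks for is not in outside_access_in. Each needs its own explicit line, and the model is a cheap way to confirm the DataServer stays unreachable from outside after those lines are added.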
Author Comment

by:upplepop
ID: 10761715
Thanks for your help lrmoore.

Actually, I currently have them set up as failover and I am moving to the independent firewalls to provide an extra layer of security to the DataServer (security on that server is a big concern). I am curious why you would suggest a failover setup. In my experience (albeit limited), the Cisco PIX has been very reliable.
LVL 38

Expert Comment

by:Rich Rumble
ID: 10762055
Sometimes when sold in fail-over pairs... Cisco will send one that can only be secondary... meaning that it can only obtain its information from the primary PIX, over the failover cable, and this cannot be gotten around. I'm not sure if you have been sold this configuration or not, but it's an FYI. Boot up the secondary 515, and you'll know pretty quickly if this is the case.

Also, remember with FTP that there is an FTP-DATA port that will (typically) need to be allowed also :) So you need ports 20 and 21 allowed, typically.
Egress and ingress filtering can help keep your LAN from attacking others and mitigate attacks against you.
-rich
Author Comment

by:upplepop
ID: 10775442
Can anyone comment on which configuration would be better: 2 separate firewalls or the failover (like lrmoore suggested)? What are the advantages/disadvantages?
LVL 79

Expert Comment

by:lrmoore
ID: 10775948
Personal opinion (I've been installing/configuring PIX's for years) only.

Use the failover pair. You gain nothing (security wise) by having a wire (DMZ LAN) between two individual pix's over using two separate interfaces on the same pix.
By separating the pair, you now have TWO separate points of failure in your network.
By separating the pair, you now have TWO separate boxes to manage, monitor, update, etc.
By separating the pair, you incur a license upgrade (from failover only to unlimited) cost upwards of $3000
By separating the pair, your maintenance contract costs go up by about $1000/year
By separating the pair, it makes it very difficult to VPN into the back-end PIX to get to your local LAN using the VPN client, or LAN-LAN vpn's
By separating the pair, you give 'management' an "illusion" of higher security

By Keeping the pair:
- save $$
- easy to access local LAN via VPN
- just as secure - no illusions, no smoke and mirrors
- easier to manage/monitor
- NO single point of failure

That's just off the top of my head....

LVL 1

Expert Comment

by:badrox
ID: 10786061
Having them in failover probably makes sense in your design.  There most certainly are times when you would want 2 or more firewalls that would not just provide an illusion of higher security, but more along the lines of leveled security.

If you want them both to connect to the same DMZ, then it would be pointless unless you were having performance issues and needed to shift load.  

If you're really that concerned about the DB server, why not put one of the PIX's directly in front of it? You could easily configure your general fw set on your border firewall and then be very granular on the one in front of the DB?

Just a thought.
LVL 23

Expert Comment

by:Tim Holman
ID: 10823442
Don't forget there will also be a license fee in upgrading from FO to either R or UR depending on how many interfaces you will be using -

PIX-515-SW-FO-R=      PIX 515/515E Failover-to-Restricted (FO-to-R) license upg.      $495      £340
PIX-515-SW-FO-UR=      PIX 515/515E Failover-to-Unrestricted (FO-to-UR) license upg      $4,495      £3,087

R (restricted) lets you use THREE interfaces, whereas UR is up to the capacity of the box (six).

In my opinion, you won't benefit by putting the data server behind two firewalls. The two-tiered firewall approach is only useful when the firewalls are of different vendors, so that if one firewall misses something, chances are the second will pick it up.
...and even then, there are more important issues of which firewalling is the least that concern the security of your data server.

Architecturally, something like this would be better:

Internet
|
PIX--------DMZ 1 (WWW Server)
|       |
|       ------DMZ 2 (Data server, backup domain controller)
|
Internal users , primary domain controller

Also, you're being far too generous with the open ports here:

UDP: 53, 86, 389
TCP: 53, 88, 135, 389, 445, 636, 3268, 3269

What sort of authentication are you trying to pass through?