
Secure DMZ config

I am running a PIX 515E and I just added the 3rd interface for a DMZ for the company web server. I need this server to be accessible from my private network 172.28.1.0/24 because I run DameWare for remote connectivity and I need it to be backed up via Veritas NetBackup, plus it should have access to get out on the internet.
I understand how to do this, but I called Cisco to get their opinion and here is what they recommended:
Now it does work, but is it secure? This gives my DMZ 10.10.10.0/24 access to both servers completely versus limiting it by protocol.
Can anyone give me a hand please?

Static Entries:
           
static (inside,DMZ) 172.28.1.3 172.28.1.3 netmask 255.255.255.255 0 0  <--  Static entry to my DC
static (inside,DMZ) 172.28.1.4 172.28.1.4 netmask 255.255.255.255 0 0  <--  Static entry to my Veritas Server


ACL:

access-list dmz-in permit ip host 10.10.10.5 host 172.28.1.3
access-list dmz-in permit ip host 10.10.10.5 host 172.28.1.4
access-list dmz-in deny ip any 172.28.1.0 255.255.255.0
access-list dmz-in permit ip any any

Asked by: rick_me27

1 Solution
 
lrmoore Commented:
Yep, that's pretty much standard fare.
Unless you know exactly which ports are required for Dameware and for Veritas, you can't really lock them down much more than that.

If you do know the specific ports, then you can lock down the acl a bit better, i.e.

access-list dmz-in permit tcp host 10.10.10.5 host 172.28.1.3 eq <port>

You still need to include both the deny and the permit ip any any.

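The port-restricted version of the ACL that the answer above describes, written out as an added example (this is not configuration posted in the thread or supplied by Cisco). It keeps the two identity statics and the interface names from the original post and assumes the web server is 10.10.10.5. The port numbers are assumptions about DameWare and NetBackup defaults that must be verified against the versions actually in use, not values given in the thread:

```cisco
! Added example, not from the thread. Tightened dmz-in ACL: the DMZ web
! server 10.10.10.5 gets only the application ports it needs toward the
! two LAN hosts, everything else bound for the LAN is dropped, and
! Internet-bound traffic still passes.
!
! Assumed ports (verify against your product documentation):
!   DameWare MRC agent           tcp/6129  - the LAN console connects TO the
!                                          DMZ agent; that is inside -> DMZ
!                                          traffic and is not filtered by an
!                                          ACL applied inbound on the DMZ,
!                                          so no dmz-in line is needed.
!   NetBackup client -> master   tcp/13720 (bprd), tcp/13724 (vnetd),
!                                tcp/1556 (pbx, NetBackup 6.x and later).
!                                Server-initiated backups to the client's
!                                bpcd (tcp/13782) are inside -> DMZ and
!                                likewise need no dmz-in line.
!   DNS to the DC                udp/53
!
! Identity statics from the original post: let the DMZ reach the two
! inside hosts by their real addresses.
static (inside,DMZ) 172.28.1.3 172.28.1.3 netmask 255.255.255.255 0 0
static (inside,DMZ) 172.28.1.4 172.28.1.4 netmask 255.255.255.255 0 0

! Clear the old list first. PIX ACLs are first-match, so a leftover
! "permit ip host 10.10.10.5 host 172.28.1.3" above the new lines would
! keep the host wide open.
no access-list dmz-in

! Backup traffic the web server (as NetBackup client) initiates to the
! Veritas master server 172.28.1.4.
access-list dmz-in permit tcp host 10.10.10.5 host 172.28.1.4 eq 13720
access-list dmz-in permit tcp host 10.10.10.5 host 172.28.1.4 eq 13724
access-list dmz-in permit tcp host 10.10.10.5 host 172.28.1.4 eq 1556
! Name resolution against the DC 172.28.1.3; drop this line if the web
! server uses an external resolver instead.
access-list dmz-in permit udp host 10.10.10.5 host 172.28.1.3 eq 53
! Everything else aimed at the LAN is denied. This deny must stay above
! the final permit, or the permit swallows it.
access-list dmz-in deny ip any 172.28.1.0 255.255.255.0
! Outbound Internet access for the DMZ (a nat/global pair for the DMZ is
! assumed to exist already).
access-list dmz-in permit ip any any

! The list does nothing until it is bound inbound on the DMZ interface.
access-group dmz-in in interface DMZ
```

Because the list is evaluated top-down and stops at the first match, the ordering is the whole point: specific permits, then the LAN deny, then the catch-all permit. After the change, `show access-list dmz-in` shows a hit counter per line; a rising count on the deny line while the applications work tells you the port list is complete, and a stalled application with a rising deny count tells you a port is missing.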
 
rick_me27 (Author) Commented:
Thanks for the info, lrmoore. That's kinda what I thought, but I needed to confirm. Just doesn't seem secure to allow a public server full access to two servers on my LAN. I'll find out the port numbers for those apps, and I guess I need to allow 53 for DNS for web access. I'll play with it in the morning. Thanks again. Have a good one.

-Rick