  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 228
  • Last Modified:

Access across different subnets

Hi. I have a Cisco PIX 515E Firewall, connecting 3 networks: outside, inside(security100) and marketing (security50).  All PCs in inside and marketing have Windows file and printer sharing enabled.   My questions are:

1. I want to prevent users at marketing from accessing resources at inside. Does the firewall block this by default? If not, how do I block it?

2. In the future, if I want to allow certain marketing users to access some PCs on the inside interface, what do I need to do at the firewall?


Please help. Thank you.
0
Asked: hoggiee

2 Solutions
 
Lee W, MVP, Technology and Business Process Advisor commented:
Typically, a business would have a domain and simply restrict access via NTFS permissions.
0
 
calvinetter commented:
Agree w/ leew - if you want to block by *user* & you have a Windows domain, then you'd do this by NTFS & user/group permissions.  However, if you want certain *workstations* (regardless of user) to access certain hosts on the inside network from marketing, see the example below.

>1. I want to prevent users at marketing...
  Yes, by default the PIX blocks traffic originating from less trusted interfaces, in this case 'marketing' (which has a lower security level).  You have to explicitly allow access from less-trusted interfaces.

>2. In the future if I want certain marketing users from accessing...
   If you want certain IPs from the marketing subnet to access certain PCs on the inside subnet...
Example:
  marketing subnet: 10.1.1.0 255.255.255.0
  inside subnet: 192.168.2.0 255.255.255.0
  Here, we'll allow the 2 marketing hosts 10.1.1.2 & 10.1.1.3 to access 192.168.2.10 on the inside interface:

static (inside,marketing) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-list from_marketing permit ip host 10.1.1.2 host 192.168.2.10
access-list from_marketing permit ip host 10.1.1.3 host 192.168.2.10
access-list from_marketing deny ip any 192.168.2.0 255.255.255.0   <-- block access to the remainder of the inside subnet
access-list from_marketing permit ip any any                        <-- allow marketing to get elsewhere, such as the Internet
access-group from_marketing in interface marketing
clear xlate

cheers
0
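The ACL above is evaluated top-down and the first matching entry wins, which is why the subnet-wide deny has to sit above the blanket permit. The following Python model of that first-match evaluation is an added illustration, not part of calvinetter's answer or of any Cisco software; it parses the same four lines (the inline annotations stripped), then shows what happens to the same packets when the deny is misplaced below the permit, and that an ACL with no matching entry denies implicitly. The host 198.51.100.7 is a constructed stand-in for "somewhere on the Internet".

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network  # source match
    dst: ipaddress.IPv4Network  # destination match


def _parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists take a real netmask (not a wildcard mask); ipaddress accepts that form
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(lines):
    """Turn 'access-list NAME permit|deny ip SRC DST' lines into Rule objects, in order."""
    rules = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # ignore anything that is not an IP access-list entry
        action = tokens[2]
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        rules.append(Rule(action, src, dst))
    return rules


def evaluate(rules, src_ip, dst_ip):
    """First matching entry decides; no match at all means the packet is dropped.

    Returns (action, index_of_matching_rule); index is None for the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for i, rule in enumerate(rules):
        if s in rule.src and d in rule.dst:
            return rule.action, i
    return "deny", None


# Constructed sample: the from_marketing ACL from the answer, without the arrow comments.
FROM_MARKETING = [
    "access-list from_marketing permit ip host 10.1.1.2 host 192.168.2.10",
    "access-list from_marketing permit ip host 10.1.1.3 host 192.168.2.10",
    "access-list from_marketing deny ip any 192.168.2.0 255.255.255.0",
    "access-list from_marketing permit ip any any",
]

# Same entries with the subnet deny pushed below 'permit ip any any': a common ordering mistake.
MISORDERED = [FROM_MARKETING[0], FROM_MARKETING[1], FROM_MARKETING[3], FROM_MARKETING[2]]


def trace(rules, flows):
    """Evaluate several (src, dst) flows and return a list of (src, dst, action, rule_index)."""
    return [(s, d, *evaluate(rules, s, d)) for s, d in flows]


if __name__ == "__main__":
    flows = [("10.1.1.2", "192.168.2.10"),   # allowed host -> allowed PC
             ("10.1.1.4", "192.168.2.10"),   # other marketing host -> allowed PC
             ("10.1.1.2", "192.168.2.11"),   # allowed host -> other inside PC
             ("10.1.1.2", "198.51.100.7")]   # marketing -> constructed Internet address
    for label, acl in (("correct", FROM_MARKETING), ("misordered", MISORDERED)):
        print(label)
        for s, d, action, idx in trace(parse_acl(acl), flows):
            print(f"  {s} -> {d}: {action} (entry {idx})")
```

With the correct ordering only the two named hosts reach 192.168.2.10 and everyone in marketing still reaches the Internet; in the misordered list the `permit ip any any` entry matches first and the deny below it never fires. Note that the model checks addresses only; the real PIX also matches protocol and ports, and the `static` line in the answer is what makes the inside addresses reachable from the lower-security interface at all.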
 
hoggiee (Author) commented:
Thanks guys.  Additionally, can you guys explain in more detail how to block the access with the NTFS or user/group permissions?
0
 
calvinetter commented:
If you have a domain, the easiest way is to use security groups.  Simplified example:
- create a "Marketing" security group
- make all marketing staff members of the "Marketing" group
- deny or permit access to certain network shares, printers, etc by permitting or denying access to the "Marketing" group via share & NTFS permissions.

Some URLs to get you started:
  "How To Share Files and Folders Over a Network (Domain) in Windows 2000":
http://support.microsoft.com/default.aspx?scid=kb;en-us;301198&sd=tech
  "How To Configure Security for Files and Folders on a Network (Domain) in Windows 2000":
http://support.microsoft.com/default.aspx?scid=kb;en-us;301195&sd=tech

If you need detailed help with share/NTFS permissions, it would be best to open a new question in either the Networking or Windows Security topic areas.

cheers
0
 
Lee W, MVP, Technology and Business Process Advisor commented:
NEVER DENY ACCESS!!!!! That causes more problems.... DENY overrides PERMIT.  Users have NO ACCESS to files UNLESS they are specifically permitted via group membership or a user account being assigned to the resource.  There are only VERY VERY rare circumstances where you want to use DENY - I used to manage a domain of 1000+ users and I can't remember a single instance where I used DENY on permissions for a file share.
0
 
calvinetter commented:
Agree w/ leew 100%!  Don't specifically deny access to users or groups by setting a "deny" permission on either folders or shares, no matter what Microsoft's documentation tells you! It only creates more headaches than it's worth.
  Only allow what is needed (& don't leave the default "everyone" having "full control") - if you only allow access to those users/groups that need it, this has an implicit deny for everything else.  I've managed a lot of domains (& still do), & I've never set "deny" for permissions, only removed them from a client's domain that was set up by an inexperienced admin.

cheers
0
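Both of the last two comments rest on the same two rules of the Windows access check: an explicit deny entry that matches the user's token wins over any allow, and a user who matches no allow entry at all gets nothing. The Python below is an added, deliberately simplified model of that evaluation (it is not Windows' own access-check code and ignores inheritance and ownership); the group names, share DACLs and the "Marketing" user who is also a member of "Domain Users" are constructed to show why a deny entry bites and why leaving "Everyone: Full Control" in place grants everything.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    kind: str           # "allow" or "deny"
    trustee: str        # user or group name the entry applies to
    rights: frozenset   # rights the entry grants or denies


def access_check(dacl, token_groups, requested):
    """Simplified Windows DACL evaluation for one request.

    Entries are walked in list order (Windows' canonical order puts explicit
    deny entries before allows, which is what makes deny override allow):
      - a matching deny entry that covers any requested right refuses access;
      - matching allow entries accumulate rights until all requested ones are covered;
      - if the list is exhausted without covering the request, access is refused
        (the implicit deny leew and calvinetter rely on)."""
    requested = frozenset(requested)
    granted = set()
    for ace in dacl:
        if ace.trustee not in token_groups:
            continue  # entry is for someone else
        if ace.kind == "deny" and ace.rights & requested:
            return False  # explicit deny: evaluation stops here
        if ace.kind == "allow":
            granted |= ace.rights
            if requested <= granted:
                return True  # everything asked for has been allowed
    return requested <= granted  # False unless fully covered: implicit deny


FULL = frozenset({"read", "write", "modify", "full"})
READ = frozenset({"read"})

# Constructed sample DACLs for a share, written in canonical order (denies first).
SHARE_DEFAULT = [Ace("allow", "Everyone", FULL)]                       # the default calvinetter warns about
SHARE_WITH_DENY = [Ace("deny", "Marketing", FULL),                     # the "fix" leew argues against
                   Ace("allow", "Domain Users", READ)]
SHARE_LEAST_PRIV = [Ace("allow", "Sales", READ)]                       # allow only who needs it

# Constructed token group memberships; every domain user is in Everyone and Domain Users.
MARKETING_USER = {"Everyone", "Domain Users", "Marketing"}
SALES_USER = {"Everyone", "Domain Users", "Sales"}
BOTH_TEAMS_USER = {"Everyone", "Domain Users", "Marketing", "Sales"}


if __name__ == "__main__":
    for name, dacl in (("default", SHARE_DEFAULT),
                       ("with deny", SHARE_WITH_DENY),
                       ("least privilege", SHARE_LEAST_PRIV)):
        for who, groups in (("marketing", MARKETING_USER),
                            ("sales", SALES_USER),
                            ("marketing+sales", BOTH_TEAMS_USER)):
            print(f"{name:16} {who:16} read={access_check(dacl, groups, READ)}")
```

The "with deny" share is the headache case: a person who later joins Sales while keeping Marketing membership is still refused, because the deny entry matches before any allow is considered. The least-privilege share gives the same result for pure Marketing users without any deny entry, and it keeps working as people move between groups.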