Configuration advice

Posted on 2006-11-11
Last Modified: 2013-11-16
Business model:
Our startup company has licensees who license our software. The data they collect with our software is our intellectual property per our license agreement.

Requirement:
We need to collect licensees' data and copy it to our databases, which gives the licensees as a whole a greater chance to help clients, due to a bigger database.

I want to set it up like a secure web server topology, using Cisco VPN and PIX firewall since I already have that in place. I will just make a 2nd VPN group per what I want. However, it's not really a web server; only the licensees will have access via VPN. The only way they get our software is by us putting it on a computer and giving them the computer. I am going to set up Cisco VPN client on these boxes (image) so they have to do very little. We may just have an icon they can use that just runs a script to copy everything over after they connect the VPN.

topology:
[Licensee uses Cisco VPN client to connect]------> [to "External_PIX" - VPN group only allowed here]-----> ['web server' they drop their data on]---connected to -----> ["Internal_PIX" ]---->[private network]

Would it be more secure to use different networks and NAT each side of both PIXes? How do I only allow external VPN to just the one box while still only allowing legit traffic to our internal network? Is it better to have a different Internet connection for each PIX? If so, that would be OK; I have a couple of global IPs to use, and I already have our Internet plugged into a little switch so our wireless and internal net use different global IPs. Please advise me on some of the most secure best practices for accomplishing what I'm trying to do. Thanks in advance. I will ask as many questions as needed to give as many points as required to get this all done.
Question by: jaysonfranklin

5 Comments

Accepted Solution

by: bugsaif (earned 250 total points)
ID: 17924213
>>Would it be more secure to use different networks and nat each side of both pix's?
Depending on what model of the PIX you have, you may be able to achieve what you want with a single PIX. Are two PIXes more secure than one? Not really... You'll just have to configure 2 PIXes.

>>how do i only allow external vpn to just the one box while still only allowing legit traffic to our internal network?
Through statics and access lists, of course... :) easily done.

>>Is it better to have a different internet connection for each pix.
For load-balancing, probably. From a security point of view, you should depend more on your own internal network security measures regardless of how many entry points you have to your network. One is quite enough.

>>If so that would be ok, i have a couple global ip's to use and i already have our internet plugged into a little switch so our wireless and internal net use different global ip's.
Hopefully that little switch connected to the internet is behind the PIX.

>>please advise me on some of the most secure best practices in accomplishing what i'm trying to do.
What you probably want is the very typical Inside, Outside and DMZ setup. Each network segment is a different network. Your web server(s) are in the DMZ. Clients connect in on the outside and, once authenticated, are given a secure channel to the web server and only the web server in the DMZ. The PIX can be set up to keep all networks connected to it as disconnected or as transparent as you desire.

Hope that helps...
Saif

Assisted Solution

by: calvinetter (earned 250 total points)
ID: 17924231
>Would it be more secure to use different networks and nat each side of both pix's?
   Doing double NAT isn't more secure; it's just a major headache for changing configurations & troubleshooting, especially if VPN is involved.  You control your traffic via ACLs & the PIX's built-in behavior, not via NAT.

  Just to confirm - in your topology, is the 'web server' going to be sandwiched between the external & internal PIXes? (ie, essentially in a DMZ?)

>how do i only allow external vpn to just the one box while still only allowing legit traffic to our internal network?
   The simplest way is to tighten up your "crypto ACLs".  After all, they're ACLs, & thus you can specify certain protocols, ports, IPs, etc.  If you want the VPN users to be only able to connect via HTTP & HTTPS to your web server, you can make the crypto ACL very specific.  e.g.:
*VPN pool: 10.1.1.0/24
*Internal web server IP: 172.16.9.9
access-list nonat permit tcp host 172.16.9.9 eq 80 10.1.1.0 255.255.255.0
access-list nonat permit tcp host 172.16.9.9 eq 443 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat

>Is it better to have a different internet connection for each pix.
   Not necessary & not really a good idea.  It's best to have a single entry/choke point, simpler & easier to manage.

Agree with Saif (I think we're thinking the same on this point) -> Even though this web server is supposed to be accessed by only your licensees, you should consider it a 'public' server & treat it as such:  place it in a different subnet (DMZ) from your internal networks, & tightly control what goes into/out from the DMZ.

cheers

Author Comment

by: jaysonfranklin
ID: 17925577
Great. That is what I will do then. We only have one PIX at the moment, so I was planning on asking for another when we start this project. With what is stated above, I will now just place the new licensee server in the DMZ. I believe our PIX only has two Ethernets on it, though. We would have to buy a third card for the DMZ, right? My boss and I were just thinking that it would be more secure with two, and I was trying to get an idea of how I was going to do the configuration. For what I am trying to do, is it possible to only allow the IPsec traffic to the DMZ server, which would allow the data to be copied to that box? Then, how could I retrieve that data safely? If I put a route to go there, would it be possible to hack from that server to our inside? Thanks very much for all the guidance.

I was going to give bugsaif the majority of the points since he got here first with the answer. Since there is obviously only one answer for each of my questions, calvinetter kinda said the same things, but gave some more detail on the subjects, which was also great.

What do you think is a fair way to divide the points? 300/200 or 250/250? I don't want to step on anyone's toes or hinder myself from you guys' knowledge. Thanks again for all your help.

Expert Comment

by: bugsaif
ID: 17926062
>>We would have to buy a third card for the DMZ, right?

Yup, the easiest route would be a 3rd interface for the DMZ, though you could do it with your current PIX and subinterfaces. But I'd stick with a 3rd interface for the DMZ solution.

>>My boss and I were just thinking that it would be more secure with two and I was trying to get an idea of how I was going to do the configuration.

There are loads of docs and guides out there for this kind of set up. Just google it. If you still have questions, just post them here one at a time.

>>For what I am trying to do, is it possible to only allow the IPsec traffic to the DMZ server which would allow the data to be copied to that box? Then, how could I retrieve that data safely?

The PIX allows for very granular traffic control. The simplest setup you're looking for would involve your VPN clients being handed out IP addresses from a separate pool and then setting up an access list that allows for access to your server(s) in the DMZ from specific IPs, on specific ports, to specific IPs, to specific ports. With access lists there's an implicit deny at the end... which basically means that if you don't explicitly allow it... it is denied... so they won't be able to go anywhere else.

>If I put a route to go there, would it be possible to hack from that server to our inside?

Is it possible? Sure it is... but is it probable? Unlikely. If you setup your access lists properly the chances that a break in to the DMZ will lead to a break in to the inside can be minimized. The PIX won't allow any traffic that you do not permit.

>What do you think is a fair way to divide the points? 300/200 or 250/250?

I'm good with 50/50

Saif
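Added example (not from the thread, not either expert's configuration): the setup both answers above and Saif's follow-up describe, written out as one PIX configuration, so the pieces can be seen together: inside/outside/DMZ on a single three-interface PIX, a dedicated VPN address pool, an outside access list that lets the VPN clients reach only the DMZ server on 80 and 443, and a DMZ access list that lets the server initiate nothing toward the inside. It assumes PIX 6.3 software (7.x syntax differs), HTTP/HTTPS as the copy protocol as in calvinetter's example, and placeholder addresses, interface names, group names and passwords chosen for this example; none of them come from the thread. Lines beginning with ! are annotations, not PIX commands.

```cisco
! --- Interfaces: three security levels, three separate subnets (all addresses are placeholders)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip address dmz 172.16.9.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! --- Address pool handed to VPN clients; its own subnet so the access lists can match it
ip local pool vpnpool 10.1.1.1-10.1.1.254

! --- NAT: VPN pool <-> DMZ server is exempt (nat 0); inside hosts PAT toward the DMZ and the Internet
access-list nonat permit ip host 172.16.9.9 10.1.1.0 255.255.255.0
nat (dmz) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz) 1 interface

! --- What decrypted VPN traffic may do: only the DMZ server, only 80/443.
! --- The last line is the implicit deny made explicit so denied attempts show in the log.
access-list outside_in permit tcp 10.1.1.0 255.255.255.0 host 172.16.9.9 eq www
access-list outside_in permit tcp 10.1.1.0 255.255.255.0 host 172.16.9.9 eq https
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! --- What the DMZ server may initiate: nothing toward the inside or the VPN pool.
! --- Binding an ACL to the dmz interface also removes its default outbound access to lower-security interfaces.
access-list dmz_in deny ip any 192.168.10.0 255.255.255.0 log
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0 log
access-list dmz_in deny ip any any log
access-group dmz_in in interface dmz

! --- IKE/IPsec for the Cisco VPN Client (3DES/SHA chosen as an era-appropriate example)
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address respond
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside

! --- Deliberately NOT set: sysopt connection permit-ipsec would let tunnel traffic bypass outside_in.
no sysopt connection permit-ipsec

! --- The VPN group baked into the shipped image, plus one XAUTH user per licensee (placeholders)
vpngroup licensees address-pool vpnpool
vpngroup licensees idle-time 1800
vpngroup licensees password GroupSecretPlaceholder
username licensee01 password Placeholder01 privilege 0
username licensee02 password Placeholder02 privilege 0
```

Three things the questions in this thread turn on. Retrieving the data: nothing in dmz_in permits the server to open a connection to 192.168.10.0/24, so the server cannot reach the inside even if it is compromised; an inside host opens the connection (over HTTPS, or SCP if the server offers it) and pulls, and the replies ride that existing connection, which the PIX tracks statefully. Restricting the VPN clients: because sysopt connection permit-ipsec is absent, decrypted packets from the tunnel are evaluated against outside_in like any other packet arriving on the outside interface, so the two permit lines are the whole of what a licensee box can reach; no split tunnel is configured, so everything the box sends while connected enters the tunnel and is dropped unless it matches, which is the intended behaviour for a dedicated appliance, and show access-list displays the hit count on the deny line, where a misconfigured or curious licensee box shows up. Revocation: the group password lives in every shipped image, so the per-licensee username is what you remove when a licensee leaves; without it that box can no longer complete XAUTH even though it still holds the group secret.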

Author Comment

by: jaysonfranklin
ID: 17926162
Super..here you go.