  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 359
Allowing port 80 out from DMZ - PIX 515

I have a PIX 515 with web servers on the DMZ interface.  I thought I understood that if the inside int has a security setting of 100 and the DMZ is at 50 and the Outside is at 0, then the PIX should allow traffic to flow from high level ints to low level automatically.  My problem is that our web servers allow traffic in from the outside, but if I try to get to the internet from one of the web servers I can't get there.  Obviously if I add a rule to allow DMZ access to any on port 80 it works, and I've tested that.
I'm looking for a couple answers on this.
1. Does the high to low default traffic not really apply here?
2. Is it considered correct to allow 80 traffic if any out from the DMZ to Outside?  Would a seasoned Network Admin laugh at me for doing it?
Asked by jchri66
2 Solutions
 
grbladesCommented:
1) No, it does apply.
2) Best to avoid it if you can, but in most cases you need it for updates etc.

What I suspect is that in the PIX configuration you have 'static' commands with the port numbers listed. Therefore only traffic over these ports gets translated. Therefore when the web server tries to access the outside there is no NAT rule and so no connection. There are two ways around this:

1) Change the static commands to not mention the port numbers. This way you have a fixed translation from an external IP address to a DMZ IP address. It's good for mail servers where the server will be initiating lots of traffic to outside, but it does mean you have to dedicate an outside address for each DMZ machine.

2) Define a 'nat (dmz) 1 xx.xx.xx.xxx 255.255.255.0' or similar so there is a default NAT rule for machines in the DMZ.
 
lrmooreCommented:
1. It only applies if you do not have any acl applied to the interface. Every applied acl has an implied "deny all" at the end. As soon as you apply an acl to the dmz interface the rules change.

2. There is a reason that Microsoft locks down the browser on server platforms. It is not a good idea to use a server to browse the internet. However, there are times when it is absolutely needed. Particularly https to get to Microsoft for updates and downloads.
 
 
jchri66Author Commented:
This would be so the web site can access a process from a credit card authorizer.  So our website needs to be able to access a certain URL to get a YES or NO from this 3rd party site.  If I can get the IP for the 3rd party website I can just add a rule to only allow port 80 and 443 to that IP only correct?  
grbladesCommented:
Yes correct. That would be the best thing to do.
So you are using a 3rd party to perform the credit card authorisation and you are not storing the credit card number in any way?
 
jchri66Author Commented:
From what the development team is telling me that is correct.
 
grbladesCommented:
That's fine then. There is a standard called PCI DSS you need to comply with if you store credit card information, but as you don't it makes it much simpler for you.
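For reference, here is a PIX 6.x configuration fragment pulling the thread's advice together. It is an added example, not jchri66's actual config: the port-restricted static that grblades suspects, the 'nat (dmz) 1' / 'global' pair that gives DMZ hosts an outbound translation, and an access list on the dmz interface (with lrmoore's implicit deny in mind) that only lets the web server reach the authorizer on 80 and 443. All addresses (203.0.113.x outside, 192.168.50.x DMZ, 198.51.100.20 as the authorizer) are constructed placeholders.

```cisco
! --- Interface security levels as described in the question ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address dmz 192.168.50.1 255.255.255.0

! --- Port-restricted static (the likely cause of the problem) ---
! Only inbound TCP/80 to the web server is translated; the web server
! has no translation of its own for connections it initiates outbound.
static (dmz,outside) tcp 203.0.113.3 80 192.168.50.10 80 netmask 255.255.255.255

! --- Fix option 2: a default NAT rule for the DMZ subnet ---
! nat id 1 on the dmz interface pairs with global id 1 on outside,
! so DMZ hosts are PAT'd to 203.0.113.4 when they initiate outbound.
nat (dmz) 1 192.168.50.0 255.255.255.0
global (outside) 1 203.0.113.4 netmask 255.255.255.248

! --- Restrict what the DMZ may initiate ---
! Once an ACL is applied to dmz, high-to-low no longer passes by default;
! everything not permitted here is dropped by the implicit deny.
access-list dmz_out permit tcp host 192.168.50.10 host 198.51.100.20 eq 80
access-list dmz_out permit tcp host 192.168.50.10 host 198.51.100.20 eq 443
! Optional explicit deny so dropped DMZ traffic shows up in the logs.
access-list dmz_out deny ip any any
access-group dmz_out in interface dmz
```

After changing static/nat/global entries, run `clear xlate` so existing translations are rebuilt under the new rules; the explicit deny line also means the DMZ can no longer initiate connections to the inside network, which is normally what you want.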