Solved

Allowing DMZ to get Windows Updates

Posted on 2007-11-30
1,834 Views
Last Modified: 2010-08-05
I have a PIX 515E and I need the web servers on the DMZ to get to the Windows Update site.  I know how to open the servers to an outside IP, but I don't know all the IPs, URLs and ports involved in the update process.  I was successful in adding a couple of IPs and allowing 80/443 to them; I got to the sites, but IE is erroring out.  One possibility is that a previous admin "hardened" the OSs without leaving any documentation on what he did, but that is a different problem for a different post.
So what I'm looking for is what I need to enable to allow the DMZ web servers out to the Internet sites, or another possibility is what I need to allow them to access the WSUS server.  I also added a rule for 80/443 and modified the registry to point to the WSUS server, without any check-in.
Question by:jchri66
11 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20384544
 Hi jchri66
       I think something is wrong with the firewall architecture. The DMZ (Demilitarized Zone) is an interface which should have a greater security level than the outside interface, and in your case, where you have a web server in the DMZ, that scenario fits. By default, traffic from a higher security level interface to a lower one is permitted, unless the outgoing traffic is blocked manually. Please post the output of  sh run access-group  and the ACL which belongs to the DMZ:

access-group xxx in interface DMZ or
access-group xxx out interface DMZ
sh run access-list xxx

Regards
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20384566
also please post the output of
sh run int
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 20384828
If you allow 80/443, you should be fine. After posting the info MrHusy is looking for, I'd say run Wireshark on the server as well and see if you can find any other ports it's trying to use.  Sure it's not a DNS-not-being-allowed issue?
 
LVL 1

Author Comment

by:jchri66
ID: 20385650
Currently the web servers can't talk to the outside because I haven't created a rule for them.  But I guess I'm trying to figure out how to allow access to the Microsoft Update site when I need to specify an IP address for Windows Update in order to lock down what I'm opening up.  In other words, I don't want this box to be open to everything outgoing on the Internet on port 80/443, just to have access to the Microsoft Update site.
For example, one of our web servers needed access to https://secure.authorize.net in order to query for credit card approvals.  I resolved the URL to an IP and was able to open a hole to that IP on 443 only for that web server.  So the web server can't get to anything else on 443, just that site on that IP.  Following this example I want to do the same thing for the Microsoft site, but I don't know all the URLs to make sure I'm opening enough up for them.
Unless there is a better way to do it...
Also, I have been successful in allowing the web server to gain access to the WSUS server on the inside, so this will solve the problem of getting it updated now, but when you want to get a Windows server up to date quickly the outside Windows Update site is much more efficient, so I would like to still explore the solution on the PIX.
 
LVL 25

Accepted Solution

by:Cyclops3590 (earned 300 total points)
ID: 20385990
It's kind of a pain.  The last time, it took me a while to find them by using Wireshark and seeing which IP the server connected to.  Each time there was a new one, I added it to the object-group.  The last list I had before I gave up and just opened it up is:

object-group network ms-update-servers
 network-object 64.4.23.157 255.255.255.255
 network-object 207.46.253.125 255.255.255.255
 network-object 64.4.21.189 255.255.255.255
 network-object 207.46.198.93 255.255.255.255
 network-object 64.4.21.93 255.255.255.255
 
LVL 29

Assisted Solution

by:Alan Huseyin Kayahan (earned 200 total points)
ID: 20386090
   First of all, of course you can apply restrictions to outgoing traffic in PIX, but the PIX's primary objective is being a firewall. Personally, I don't recommend using the PIX for filtering. But here are some possible solutions.
    *The URLs you should allow for updates are http://*.update.microsoft.com  and http://*.windowsupdate.microsoft.com . But PIX does not support URL-based ACLs. So you can ping update.microsoft.com and windowsupdate.microsoft.com, then apply permit ACLs on the IPs you get from the pings.
    *Integrate Websense with the PIX and let it do the filtering in collaboration with the PIX. You can filter anything you want.
    Let me share a Microsoft experience of mine.
    "one of our web servers needed access to https://secure.authorize.net in order to query for credit card approvals", so these web servers are in production and they are mission critical. Did you know that an update can cause your server to malfunction? Blue screen? Yes, it does. In my server farm, Windows updates are "never" applied without being tested on test servers. WSUS controls everything; you choose the updates you want to allow, etc. This is patch management.  I strongly recommend you go on using WSUS.

Regards
 
LVL 1

Author Comment

by:jchri66
ID: 20386875
We already went through the process of updating the various development environments to test, and this is the last step to get production in place.  I remember our network guy at my last job pulled his hair out while he was in the process of doing this, but this time I'm the network guy, so I'm just trying to get this to work with what I have.  I just wanted to make sure I was doing the right thing or going in the right direction, and was also looking for more information like Cy just posted, or information on a better way to do it with what I have.
 
LVL 1

Author Comment

by:jchri66
ID: 20386879
Cy, so when you said you "opened it up", what did you actually do?  I don't have a problem opening them up for a brief period to update and then closing the rule.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 20388258
Allowed 80/443 regardless of the server it's trying to reach.  However, this was partly due to other servers on the DMZ (Linux) needing access to other web servers for updates due to the daemons they were running (e.g. ClamAV).  Basically I just got lazy and opened it up.

However, the list I gave you is from when I quit detecting IPs.  Doing Wireshark captures on the DMZ server will tell you the IP of any other servers it's trying to connect to; find them and add them.

Although I agree with MrHusy that you should have a WSUS local to your shop for better control over patches, if you're like me you don't have the time, so you kind of use it as a cache so hosts are downloading them locally instead of taking up bandwidth, and just delay the deployment in case one of the drivers hits the news that it causes problems.  Regardless, if you wanted it locked down you'd still need your list of MS servers on the firewall.

But remember to use an object-group like I did in my previous post; it makes it far easier to add servers to the list down the road.
 
LVL 1

Author Comment

by:jchri66
ID: 20390395
I did go ahead and update the box through WSUS.  My main problem in the beginning with going with WSUS was that we installed it to require a port other than 80, so I had to open that up.  Just used wuauclt /detectnow to get through all the updates.  I knew I could do it that way; it's just a pain, especially since the MS update site will apply more patches at once before a reboot.  I do know that as of a week ago, after SP2 on 2003 there are 22 patches and the update site will get them all in one shot.  WSUS made me reboot 3 times, running detectnow to force it.
Anyway, I'll give MrHusy 200 points for agreeing to go with WSUS, since that was ultimately what I went with, but I'll give Cy 300 because he did answer my main question about how to go about doing it the other way, through the outside on the PIX.  My skill on the PIX is medium at best, so every question I get answered on it helps my understanding in other areas of that hardware.
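Putting the thread's pieces together as one access list on the DMZ interface, as an added example (this is not config from any of the posts above): Cyclops3590's ms-update-servers object-group and his point about DNS, Alan's "resolve the hostnames and permit the IPs" approach, the per-host 80/443 pinhole jchri66 described for authorize.net, and the DMZ-to-inside WSUS rule on a non-80 port from the last comment. Every address, the interface name dmz, the inside DNS server and the WSUS port 8530 are assumptions for illustration. Syntax is PIX 7.x; on PIX 6.3 drop the word extended from the access-list lines, everything else is the same.

```cisco
! Added example, not from the original posts. Assumed addressing:
!   dmz web server   192.168.10.10   (interface nameif "dmz")
!   inside subnet    10.0.0.0/24     (WSUS 10.0.0.25 on TCP 8530, DNS 10.0.0.5)

! 1. Group the Microsoft update addresses (Cyclops3590's list) so every
!    new one found in Wireshark or in the PIX deny log is a one-line add.
object-group network ms-update-servers
 network-object host 64.4.23.157
 network-object host 207.46.253.125
 network-object host 64.4.21.189
 network-object host 207.46.198.93
 network-object host 64.4.21.93

object-group service web-ports tcp
 port-object eq www
 port-object eq https

! 2. One ACL for the dmz interface. Only the web server gets out, and only
!    to the grouped addresses on 80/443. The update client resolves
!    hostnames before it connects, so DNS must be permitted as well.
access-list dmz_in extended permit udp host 192.168.10.10 host 10.0.0.5 eq domain
access-list dmz_in extended permit tcp host 192.168.10.10 object-group ms-update-servers object-group web-ports

! 3. dmz -> inside is lower-to-higher security: it needs an explicit
!    permit, and an identity static so inside hosts are reachable from
!    the dmz untranslated (required on 6.3 and on 7.x with nat-control).
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
access-list dmz_in extended permit tcp host 192.168.10.10 host 10.0.0.25 eq 8530

! 4. Explicit deny with logging. Every address the update client tries
!    that is not yet in the group is logged as a 106023 deny in syslog;
!    that log is the list of addresses to add to ms-update-servers.
access-list dmz_in extended deny ip any any log

access-group dmz_in in interface dmz
```

To see whether the web server is hitting the deny line rather than the permits, check the hit counts with show access-list dmz_in and watch the 106023 messages in syslog. Expect the list to keep growing: the update hostnames resolve to many rotating addresses, so a ping at one moment returns only one of them, and the deny log (or a Wireshark capture on the server, as Cyclops3590 described) is what reveals the rest. For the WSUS path, once 8530 is open, wuauclt /detectnow on the server forces the check-in the thread mentions.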
 
LVL 1

Author Closing Comment

by:jchri66
ID: 31411998
Really wanted an answer on the PIX solution, but sometimes there is a better and quicker way to get the job done.
