PIX 501 pseudo DMZ and securing an internal|dmz web server

Posted by zii kell on April 6, 2007, 8:00 am
I intend to run a server behind my pix 501. I would like to allow
packets from the outside interface to it. For this I think I could use this:

1)
!--- define webserver
name 10.9.9.10 webserver1

!--- define an access list to permit incoming connections from the internet
!--- permit incoming to port 80 & 443 for webserver1
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 443

!--- apply the access list to the outside interface (without this line the
!--- list is defined but never evaluated)
access-group outside_in in interface outside

!--- redirect connections to port 443 to webserver1 standard web port
static (inside,outside) tcp interface 443 webserver1 www netmask 255.255.255.255 0 0
!--- redirect connections to port 80 to webserver1 standard web port
static (inside,outside) tcp interface www webserver1 www netmask 255.255.255.255 0 0


2) However, this also means that if the web server were to be
compromised then the attacker would have access to the internal (inside)
network.

I would like to configure the pix to only:

Allow, from other hosts on the inside network, only 80, 443, 22 and 514 (UDP),
inbound and outbound.
Deny everything else out from the server to anyone other than the
requests covered in the above ACL. The server ought not to allow
connections that were initiated from it.

The simple way would be to create a DMZ, but the PIX 501 does not have a
dedicated interface for this. Only interface0 (outside) and interface1
(inside). The inside interface is an internal four port switch.

Any clues on how this might work?

Best wishes, z.

Posted by Wolfgang Kueter on April 8, 2007, 8:25 am
zii kell wrote:

> [...]
> The simple way would be to create a DMZ, but the PIX 501 does not have a
> dedicated interface for this. Only interface0 (outside) and interface1
> (inside). The inside interface is an internal four port switch.
>
> Any clues on how this might work?

Well, if a device does not offer enough physical interfaces, normally one
would use VLANs (of course a switch that supports VLANs must be used in
that case). Unfortunately, though the PIX from PIX OS version 6.3 upwards
supports VLANs, the PIX 501 (which is a classic SOHO model and therefore is
not intended to be used for bigger installations) does not.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113411

Solution: Either get a bigger PIX or use something else. Alternatives from
other vendors like Clavister, Fortigate, Netscreen/Juniper etc. do exist.

Wolfgang
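As an added illustration that is not part of this thread: this is what zii kell's policy looks like on a PIX that does have a third interface (the "bigger PIX" of the reply), written in PIX OS 6.3 syntax. The dmz interface, the 192.168.50.0/24 addressing, the log host syslog1 and the ACL names are assumptions; the outside static/ACL pair is the one from the original post, moved from inside to dmz.

```cisco
! Hypothetical three-interface PIX (e.g. PIX 515), PIX OS 6.3 syntax.
! Assumed addresses: inside 10.9.9.0/24, dmz 192.168.50.0/24.
nameif ethernet2 dmz security50
ip address dmz 192.168.50.1 255.255.255.0
names
name 192.168.50.10 webserver1
name 10.9.9.20 syslog1

! Internet -> web server: publish 80 and 443 on the outside address
! (the static/ACL pair from the original post, now pointing at the dmz).
static (dmz,outside) tcp interface www webserver1 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 443 webserver1 443 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 443
access-group outside_in in interface outside

! Let the inside network and the dmz see each other's real addresses
! (identity translation, no NAT between the two).
static (inside,dmz) 10.9.9.0 10.9.9.0 netmask 255.255.255.0 0 0

! inside -> web server: only 80, 443 and 22. Any other inside -> dmz
! traffic is dropped; inside -> outside stays as it was.
access-list inside_out permit tcp 10.9.9.0 255.255.255.0 host webserver1 eq www
access-list inside_out permit tcp 10.9.9.0 255.255.255.0 host webserver1 eq 443
access-list inside_out permit tcp 10.9.9.0 255.255.255.0 host webserver1 eq 22
access-list inside_out deny ip any 192.168.50.0 255.255.255.0
access-list inside_out permit ip 10.9.9.0 255.255.255.0 any
access-group inside_out in interface inside

! web server -> anywhere: only syslog to the log host. The implicit deny
! at the end of the list drops every other connection the server itself
! initiates, to the inside or to the internet. Replies to the inbound
! connections permitted above are matched by the connection table and
! need no rule here.
access-list dmz_in permit udp host webserver1 host syslog1 eq 514
access-group dmz_in in interface dmz
```

On the PIX 501 itself, traffic between two inside hosts never crosses the firewall (they share the internal switch), so no ACL on the 501 can impose this restriction; that is why a separate interface or VLAN is needed.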
