Help! PIX 515, DMZ, and Router advice needed.

Post by John » Tue, 31 Jul 2001 23:32:05



Hi

I need some advice on installing a Pix 515-R firewall w/3 interfaces into a
network with 4 Routers (Cisco 2600).  One router is used for Internet and
the other three belong to third parties that deliver information services to
us (Investment Firm). All users currently have the Internet router
(10.5.1.1) as the default gateway and that router has routes to the other
three routers which are inside our network with private IP addresses
(10.x.x.x).  The problem I have is that unlike the Cisco 2600, the PIX will
not route packets to the same interface they came in on.  Since the PIX sits
between the network and the Cisco Router this is a problem.  So, is it
correct to put these third party routers on the DMZ?  Or should I be doing
something else?  What is the best way to handle this?

John

 
 
 


Post by Jeff » Wed, 01 Aug 2001 10:28:45


Most folks put each customer on different pix interfaces (but more NIC's) and
ensure that they can't talk to each other.  Otherwise, it's a security risk for
the three companies.

HTH
Jeff


> Hi

> I need some advice on installing a Pix 515-R firewall w/3 interfaces into a
> network with 4 Routers (Cisco 2600).  One router is used for Internet and
> the other three belong to third parties that deliver information services to
> us (Investment Firm). All users currently have the Internet router
> (10.5.1.1) as the default gateway and that router has routes to the other
> three routers which are inside our network with private IP addresses
> (10.x.x.x).  The problem I have is that unlike the Cisco 2600, the PIX will
> not route packets to the same interface they came in on.  Since the PIX sits
> between the network and the Cisco Router this is a problem.  So, is it
> correct to put these third party routers on the DMZ?  Or should I be doing
> something else?  What is the best way to handle this?

> John


 
 
 


Post by Ian » Thu, 02 Aug 2001 00:04:47


John,

The info services (Reuters, Bloomberg, etc I assume) are used to protecting
themselves from each other.  The standard way to do this is to have your
users on one firewall i/f (inside), the Internet on another (outside), and
everyone else off another (dmz).  Your responsibility is to protect your
users, although connecting contracted service providers directly to the
Internet would be a bit irresponsible.

If you need to provide services to the Internet (www, etc) you'll need a
fourth firewall i/f (ie 2nd dmz).  An SMTP host fits into this category.

HTH, good luck,
Ian
--


> Most folks put each customer on different pix interfaces (but more NIC's) and
> ensure that they can't talk to each other.  Otherwise, it's a security risk for
> the three companies.

> HTH
> Jeff


> > Hi

> > I need some advice on installing a Pix 515-R firewall w/3 interfaces into a
> > network with 4 Routers (Cisco 2600).  One router is used for Internet and
> > the other three belong to third parties that deliver information services to
> > us (Investment Firm). All users currently have the Internet router
> > (10.5.1.1) as the default gateway and that router has routes to the other
> > three routers which are inside our network with private IP addresses
> > (10.x.x.x).  The problem I have is that unlike the Cisco 2600, the PIX will
> > not route packets to the same interface they came in on.  Since the PIX sits
> > between the network and the Cisco Router this is a problem.  So, is it
> > correct to put these third party routers on the DMZ?  Or should I be doing
> > something else?  What is the best way to handle this?

> > John
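As an added illustration of the inside/outside/dmz layout that Jeff and Ian describe, here is a PIX 6.x-style configuration fragment for John's three-interface 515-R. It is not from any post in this thread or from Cisco; the addresses (10.5.1.254 for the PIX, 192.168.50.x for the supplier routers, 172.16.x.0 for the networks behind them, 203.0.113.x for the outside) and the single permitted supplier feed are constructed for the example. Lines beginning with a colon are PIX 6.x comment lines.

```cisco
: Added example, not from the thread. All addresses are constructed.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.5.1.254 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0

: Inside users now use the PIX (10.5.1.254) as their default gateway
: instead of the Internet router; the PIX forwards Internet traffic out.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

: The three information-service routers sit on the dmz segment. The PIX
: will not send a packet back out the interface it arrived on, so each
: supplier network needs an explicit route via that supplier's router.
: (Each supplier router in turn needs a route to 10.5.1.0/24 via 192.168.50.1.)
route dmz 172.16.10.0 255.255.255.0 192.168.50.11 1
route dmz 172.16.20.0 255.255.255.0 192.168.50.12 1
route dmz 172.16.30.0 255.255.255.0 192.168.50.13 1

: No translation between inside and dmz, so the supplier routers keep
: seeing the real 10.5.1.x addresses they already have routes for.
static (inside,dmz) 10.5.1.0 10.5.1.0 netmask 255.255.255.0 0 0
: Inside hosts hide behind the outside address for Internet access.
nat (inside) 1 10.5.1.0 255.255.255.0 0 0
global (outside) 1 interface

: Inside -> dmz and inside -> outside are allowed by the security levels.
: Sessions initiated from the dmz are denied unless a supplier must
: initiate them; permit only what the contract needs. Constructed example:
: supplier A's feed server to one inside host on one port.
access-list dmz_in permit tcp host 172.16.10.5 host 10.5.1.20 eq 3000
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

With the supplier routers moved off the inside segment, the hairpin the PIX refuses (in and out the same interface) no longer arises: traffic goes inside to dmz to supplier router. Note that the three routers share one segment, so they can reach each other without the PIX ever seeing that traffic; Jeff's one-interface-per-supplier layout is what actually keeps them apart, and it needs more interfaces than the three John has.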

 
 
 


Post by Joh » Thu, 02 Aug 2001 03:01:12


Hi Ian

You mentioned needing a 2nd DMZ for providing Internet services.
Well, I'm installing a terminal server and my file and print server is
also an Exchange server using SMTP.  Will I have a problem keeping the
Exchange server on the Inside interface? And will I have a problem
putting the terminal server on the same DMZ as the three routers?

Thanks
John

On Tue, 31 Jul 2001 16:04:47 +0100, "Ian M"


>John,

>The info services (Reuters, Bloomberg, etc I assume) are used to protecting
>themselves from each other.  The standard way to do this is to have your
>users on one firewall i/f (inside), the Internet on another (outside), and
>everyone else off another (dmz).  Your responsibility is to protect your
>users, although connecting contracted service providers directly to the
>Internet would be a bit irresponsible.

>If you need to provide services to the Internet (www, etc) you'll need a
>fourth firewall i/f (ie 2nd dmz).  An SMTP host fits into this category.

>HTH, good luck,
>Ian

 
 
 


Post by Walter Robers » Thu, 02 Aug 2001 03:11:25



:You mentioned needing a 2nd DMZ for providing Internet services.
:Well, I'm installing a terminal server and my file and print server is
:also an Exchange server using SMTP.  Will I have a problem keeping the
:Exchange server on the Inside interface? And will I have a problem
:putting the terminal server on the same DMZ as the three routers?

If the Exchange server communicates with the outside world via SMTP
only, then there is no -technical- difficulty in having it on an inside
or DMZ interface. If, though, it is a member of a distributed cluster
of Exchange servers, especially if it is being layered on NT/W2K domain
authentication, then it will have fits if you try to NAT it
[because the PDCs will try to send the raw addresses to each other
in data packets...]

Technical problems aside, it is more -secure- to not have any servers
on your inside interface. The issue here is that if someone compromises
your server (e.g., buffer overflow in Exchange or IIS), then if it
is on your inside interface, the attackers gain transitive access
to your internal network. It is better if your servers are on a lower
security interface (DMZ) and can only respond to requests from your
inside network instead of being able to initiate messages to your
inside network.

 
 
 


Post by Joh » Thu, 02 Aug 2001 05:07:21


Hi Walter

Thanks for responding, I'm breathing easier now.  Any thoughts on
putting the terminal server and the three routers on the same DMZ?
Also, the Exchange server runs Outlook Web Access, any issues with
that?  Thanks again.  John





>:You mentioned needing a 2nd DMZ for providing Internet services.
>:Well, I'm installing a terminal server and my file and print server is
>:also an Exchange server using SMTP.  Will I have a problem keeping the
>:Exchange server on the Inside interface? And will I have a problem
>:putting the terminal server on the same DMZ as the three routers?

>If the Exchange server communicates with the outside world via SMTP
>only, then there is no -technical- difficulty in having it on an inside
>or DMZ interface. If, though, it is a member of a distributed cluster
>of Exchange servers, especially if it is being layered on NT/W2K domain
>authentication, then it will have fits if you try to NAT it
>[because the PDCs will try to send the raw addresses to each other
>in data packets...]

>Technical problems aside, it is more -secure- to not have any servers
>on your inside interface. The issue here is that if someone compromises
>your server (e.g., buffer overflow in Exchange or IIS), then if it
>is on your inside interface, the attackers gain transitive access
>to your internal network. It is better if your servers are on a lower
>security interface (DMZ) and can only respond to requests from your
>inside network instead of being able to initiate messages to your
>inside network.

 
 
 


Post by Ian » Thu, 02 Aug 2001 20:55:56


John,

The conventional design wisdom, for sensible security, is that _nobody_
should be able to initiate a connection from outside to inside.  If
outsiders need to get at something, you put it in the DMZ.  Because of how
SMTP works this would prohibit you receiving any email (the sender basically
telnets on port 25 to the receiver), bet that'd make you popular.  Sometimes
people open TCP 25 directly to the internal mail-server, but as Walter
pointed out, that leaves you open to other attacks.

The answer here is to open TCP 25 from your MX to an SMTP server (mail
forwarder) in your dmz, open only TCP 25 from this to your Exchange server,
and have this extra box forward all SMTP to your internal Exchange server.
That way if someone breaks into the mail-forwarder they're still not in your
network.  This can be just a bare Linux running sendmail (ie free), or if
you use a virus-scanner like MailSweeper you can put it here (make sure it
doesn't participate in your internal domain-security).

For Terminal Server, if this is for RAS (ie your own users getting at
internal resources via VPN from the Internet) then putting the TS in the dmz
buys you nothing as the client-TS (or at least client-firewall) channel will
be encrypted and the clients will be authenticated anyway.  Plus you then
have to open virtually all ports from the TS box in the dmz to the internal
network (ie nullify the purpose of the dmz).  The most reasonable way is to
permit VPN clients (from the Internet) to reach an _internal_ TS.  If
however the TS is for external users (maybe providing info to outside
clients) then put it, _and_ all it needs to reach, in the dmz.

The reason for two dmzs is that you don't want networks controlled by others
to have access to any of your servers (even bare utilitarian ones like a
mail-forwarder) without a means to audit the traffic.  Put your info
suppliers' routers on one, and your servers on another.  Needless to say,
your _real_ servers, the ones your internal clients connect to, always stay
inside.

I'm familiar with your situation.  An investment bank will just want it
done, NOW.  But probably won't see any reason to spend money on security.
Believe me, when you get broken into, it _will be your fault_.  I once had a
client who couldn't see any reason to spend 80k to protect 8 billion (yes,
that's billion with a 'b').  If whoever controls your budget is not
impressed with the mail argument, use his laptop to dial an ISP, open a
DOS-box, and type 'telnet mail.company.com (your address there) 25', and
watch his face as he gets a command-line on your Exchange server.  I've
found it reasonably effective.  And mention auditors, he'll always be afraid
of those.

HTH.  Keep posting if you've got any more questions,
Ian
--


> Hi Walter

> Thanks for responding, I'm breathing easier now.  Any thoughts on
> putting the terminal server and the three routers on the same DMZ?
> Also, the Exchange server runs Outlook Web Access, any issues with
> that?  Thanks again.  John





> >:You mentioned needing a 2nd DMZ for providing Internet services.
> >:Well, I'm installing a terminal server and my file and print server is
> >:also an Exchange server using SMTP.  Will I have a problem keeping the
> >:Exchange server on the Inside interface? And will I have a problem
> >:putting the terminal server on the same DMZ as the three routers?

> >If the Exchange server communicates with the outside world via SMTP
> >only, then there is no -technical- difficulty in having it on an inside
> >or DMZ interface. If, though, it is a member of a distributed cluster
> >of Exchange servers, especially if it is being layered on NT/W2K domain
> >authentication, then it will have fits if you try to NAT it
> >[because the PDCs will try to send the raw addresses to each other
> >in data packets...]

> >Technical problems aside, it is more -secure- to not have any servers
> >on your inside interface. The issue here is that if someone compromises
> >your server (e.g., buffer overflow in Exchange or IIS), then if it
> >is on your inside interface, the attackers gain transitive access
> >to your internal network. It is better if your servers are on a lower
> >security interface (DMZ) and can only respond to requests from your
> >inside network instead of being able to initiate messages to your
> >inside network.

 
 
 
