--===============1005191417==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="=-4zqrZ1WZImBD2Eq1tOsS"


--=-4zqrZ1WZImBD2Eq1tOsS
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Fri, 2007-01-05 at 14:47 -0800, Paul Madore wrote:
> I have a PIX 515 running 6.3 with three interfaces including inside, outs=

ide=20
> and DMZ. I have a webserver in the DMZ that receives traffic on 80 and 4=

43.=20
> Currently no traffic can go out of the DMZ to the inside or outside=20
> interfaces. My problem is: I want to be able to get out to the internet=20
> from the DMZ.=20


Ouch! Be very careful with outbound traffic from the DMZ. You really
want to think about this. When servers get compromised, say through a
SQL injection or remote script include of sorts, the server will create
a connection to the outside so that the hacker can upload hacking tools
to the server or get a remote command shell from the server.

I see this all too often during pentest. Environments with unrestricted
Internet access from the servers/DMZ fall very quickly. I thought
everyone got the last refresher of that lesson again when CodeRed was
making its rounds back in 2001.

Evaluate why you need outbound access. If it is for virus updates,
consider pulling updates from internal AV distribution servers instead.
Also, DNS and time server requests should go to your own servers. Things
like credit card processing of course will have to leave the DMZ to the
Internet, but in those cases only allow those servers that need outbound
access to only those sites they need to get to. Don't give all servers
unrestricted outbound access, or you're asking for trouble.

Remember, servers are there to serve, meaning, answering requests.
Rarely do they have to establish connections to the outside.

Cheers,
Frank


--=20
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.


--=-4zqrZ1WZImBD2Eq1tOsS
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD8DBQBFon2bjt2fjCi9PsERApG4AJ0U3GiQ9FPpd0FSIrZU+m MJfbZbHQCfbHup
aLrzVXDObB2yp9JvfTzeuv4=
=wVRA
-----END PGP SIGNATURE-----

--=-4zqrZ1WZImBD2Eq1tOsS--


--===============1005191417==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards

--===============1005191417==--