>On Fri, 2007-01-05 at 14:47 -0800, Paul Madore wrote:
> > I have a PIX 515 running 6.3 with three interfaces including inside,

> > and DMZ. I have a webserver in the DMZ that receives traffic on 80 and

> > Currently no traffic can go out of the DMZ to the inside or outside
> > interfaces. My problem is: I want to be able to get out to the internet
> > from the DMZ.

>Ouch! Be very careful with outbound traffic from the DMZ. You really
>want to think about this. When servers get compromised, say through a
>SQL injection or remote script include of sorts, the server will create
>a connection to the outside so that the hacker can upload hacking tools
>to the server or get a remote command shell from the server.
>I see this all too often during pentests. Environments with unrestricted
>Internet access from the servers/DMZ fall very quickly. I thought
>everyone got the last refresher of that lesson again when CodeRed was
>making its rounds back in 2001.
>Evaluate why you need outbound access. If it is for virus updates,
>consider pulling updates from internal AV distribution servers instead.
>Also, DNS and time server requests should go to your own servers. Things
>like credit card processing of course will have to leave the DMZ to the
>Internet, but in those cases only allow those servers that need outbound
>access to only those sites they need to get to. Don't give all servers
>unrestricted outbound access, or you're asking for trouble.
>Remember, servers are there to serve, meaning, answering requests.
>Rarely do they have to establish connections to the outside.


Thank you for pointing that out; it is a very good idea. I do need to
have outbound access from the DMZ, there is no way around that, but I took
your suggestion and limited it to specifically one IP address, and I believe
it to be a very secure and safe site.
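For readers who want to see what "only that one address" looks like on a PIX 6.3, here is an added configuration fragment; it is not from either poster and the addresses are assumptions: inside is 192.168.1.0/24 with a DNS/NTP server at 192.168.1.5, the DMZ is 192.168.2.0/24 with the web server at 192.168.2.10, and 192.0.2.50 stands in for the single external host the web server is permitted to reach (the interface names inside, outside and dmz are assumed from the question). Lines beginning with a colon are comments.

```text
: PIX 6.3 example, added here and not part of the thread. Assumed addressing:
:   inside 192.168.1.0/24 (DNS/NTP server 192.168.1.5)
:   dmz    192.168.2.0/24 (web server 192.168.2.10)
:   192.0.2.50 = placeholder for the one external host the DMZ server may reach
:
: Permit the web server to reach only that host on 443, plus DNS and NTP to the
: internal server; deny and log everything else trying to leave the DMZ.
access-list dmz_out permit tcp host 192.168.2.10 host 192.0.2.50 eq 443
access-list dmz_out permit udp host 192.168.2.10 host 192.168.1.5 eq domain
access-list dmz_out permit udp host 192.168.2.10 host 192.168.1.5 eq ntp
access-list dmz_out deny ip any any log
access-group dmz_out in interface dmz
:
: Translation so the DMZ host can reach the outside (PAT on the outside address;
: reuse an existing "global (outside) 1" if the inside already has one)
nat (dmz) 1 192.168.2.10 255.255.255.255
global (outside) 1 interface
:
: Identity static so the lower-security DMZ can initiate to the inside DNS/NTP server
static (inside,dmz) 192.168.1.5 192.168.1.5 netmask 255.255.255.255
```

Once an access-group is bound inbound on the dmz interface, the PIX no longer applies its default "higher security may talk to lower security" rule for traffic arriving on that interface, so every flow the DMZ legitimately needs has to be listed explicitly; anything missing shows up as hits on the final deny line in `show access-list dmz_out`, which is also where an unexpected outbound connection from a compromised server would first become visible.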



