PIX 501 pseudo DMZ and securing an internal|dmz web server - Firewalls


  1. PIX 501 pseudo DMZ and securing an internal|dmz web server

    I intend to run a server behind my pix 501. I would like to allow
    packets from the outside interface to it. For this I think I could use this:

    1)
    !--- define webserver (the names command must be enabled before name is accepted)
    names
    name 10.9.9.10 webserver1

    !--- define an access list to permit incoming connections from the internet
    !--- permit incoming to port 80 & 443 for webserver1
    access-list outside_in permit tcp any any eq www
    access-list outside_in permit tcp any any eq 443
    !--- bind the access list to the outside interface; unbound, it is never evaluated
    access-group outside_in in interface outside

    !--- redirect connections to port 443 to webserver1 standard web port
    static (inside,outside) tcp interface 443 webserver1 www netmask 255.255.255.255 0 0
    !--- redirect connections to port 80 to webserver1 standard web port
    static (inside,outside) tcp interface www webserver1 www netmask 255.255.255.255 0 0


    2) However, this also means that if the web server were to be
    compromised then the attacker would have access to the internal (inside)
    network.

    I would like to configure the pix to only:

    Allow from other hosts on the inside network only 80, 443, 22 and 514 (UDP),
    inbound and outbound.
    Deny everything else out from the server to anyone other than
    requests covered in the above ACL. The server ought not to allow
    connections that were initiated from it.

    The simple way would be to create a DMZ, but the PIX 501 does not have a
    dedicated interface for this. Only interface0 (outside) and interface1
    (inside). The inside interface is an internal four port switch.

    Any clues on how this might work?

    Best wishes, z.

  2. Re: PIX 501 pseudo DMZ and securing an internal|dmz web server

    zii kell wrote:

    > [...]
    > The simple way would be to create a DMZ, but the PIX 501 does not have a
    > dedicated interface for this. Only interface0 (outside) and interface1
    > (inside). The inside interface is an internal four port switch.
    >
    > Any clues on how this might work?


    Well, if a device does not offer enough physical interfaces, normally one
    would use VLANs (of course a switch that supports VLANs must be used in
    that case). Unfortunately, though the PIX from PIX OS version 6.3 upwards
    supports VLANs, the PIX 501 (which is a classic SOHO model and therefore is
    not intended to be used for bigger installations) does not.

    http://www.cisco.com/en/US/products/...html#wp1113411

    Solution: Either get a bigger PIX or use something else. Alternatives from
    other vendors like Clavister, Fortigate, Netscreen/Juniper etc. do exist.

    Wolfgang
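Added example (mine, not from either post): what the PIX 501 itself can enforce for the two requirements in the question, and the limit Wolfgang's reply points at. It assumes PIX OS 6.3 syntax, the webserver1 name from the question, an inside range of 10.9.9.0/24 (not stated in the thread), and that the server terminates TLS on 443 itself.

```cisco
!--- Added example, not from the thread. PIX OS 6.3 syntax; webserver1 is the
!--- name from the question, the 10.9.9.0/24 inside range is an assumption.
names
name 10.9.9.10 webserver1

!--- Requirement 1: publish only 80 and 443 to webserver1. Without the
!--- access-group line the ACL exists but is never evaluated.
static (inside,outside) tcp interface www webserver1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 webserver1 443 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 443
access-group outside_in in interface outside

!--- Requirement 2, as far as the PIX can enforce it: the server may not open
!--- any connection towards the outside. Replies to connections that arrived
!--- through the static above are matched by the connection table and are not
!--- subject to this ACL, so the site keeps working. "log" raises syslog
!--- 106100 per hit, so a server that starts calling out shows up in the logs.
access-list inside_in deny   ip host webserver1 any log
!--- Other inside hosts keep their normal outbound access.
access-list inside_in permit ip 10.9.9.0 255.255.255.0 any
access-group inside_in in interface inside

!--- What this does NOT do: webserver1 and the other inside hosts share the
!--- 501's four-port switch, so traffic between them never crosses the PIX,
!--- and the 80/443/22/514 restriction towards the other inside hosts cannot
!--- be applied here. That needs a separate segment (a VLAN-capable firewall
!--- or a second device), which is the point of the reply above; until then,
!--- a host firewall on the server is the only place that traffic can be filtered.
```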

