Firewall Wizards mailing list archives
Re: firewall-wizards Digest, Vol 9, Issue 4
From: "Paul Madore" <dexteroc () hotmail com>
Date: Tue, 09 Jan 2007 14:26:49 -0800
> On Fri, 2007-01-05 at 14:47 -0800, Paul Madore wrote:
>
> > I have a PIX 515 running 6.3 with three interfaces including inside, outside and DMZ. I have a webserver in the DMZ that receives traffic on 80 and 443. Currently no traffic can go out of the DMZ to the inside or outside interfaces. My problem is: I want to be able to get out to the internet from the DMZ.
>
> Ouch! Be very careful with outbound traffic from the DMZ. You really want to think about this. When servers get compromised, say through a SQL injection or remote script include of sorts, the server will create a connection to the outside so that the hacker can upload hacking tools to the server or get a remote command shell from the server. I see this all too often during pentests. Environments with unrestricted Internet access from the servers/DMZ fall very quickly. I thought everyone got the last refresher of that lesson again when CodeRed was making its rounds back in 2001.
>
> Evaluate why you need outbound access. If it is for virus updates, consider pulling updates from internal AV distribution servers instead. Also, DNS and time server requests should go to your own servers. Things like credit card processing of course will have to leave the DMZ to the Internet, but in those cases only allow those servers that need outbound access to only those sites they need to get to. Don't give all servers unrestricted outbound access, or you're asking for trouble. Remember, servers are there to serve, meaning, answering requests. Rarely do they have to establish connections to the outside.
>
> Cheers,
> Frank
Frank,

Thank you for pointing that out and it is a very good idea. I do need to have outbound access from the DMZ, there is no way around that, but I took your suggestion and limited it to specifically one IP address and I believe it to be a very secure and safe site.

Thanks,
Paul
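A PIX 6.3 outbound policy of the shape Frank describes and Paul says he applied, as an added example that is not from the thread: a single DMZ host, internal DNS/NTP/AV destinations, one external site on 443, and a logged deny for everything else. The interface names, every address and the AV-server port are assumptions chosen for illustration.

```cisco
! Assumed names and addresses (placeholders, not from the thread):
!   dmz    = 192.168.2.0/24, web server 192.168.2.10
!   inside = 10.0.0.0/24, DNS 10.0.0.53, NTP 10.0.0.123, AV updates 10.0.0.20
!   203.0.113.5 = the single external site the web server may reach on 443

! Let only the web server leave the DMZ for the outside, via PAT on the outside address.
nat (dmz) 1 192.168.2.10 255.255.255.255
global (outside) 1 interface

! Traffic from the lower-security dmz to the higher-security inside needs an
! identity static for each internal host the DMZ is allowed to talk to.
static (inside,dmz) 10.0.0.53 10.0.0.53 netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.0.123 10.0.0.123 netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.0.20 10.0.0.20 netmask 255.255.255.255 0 0

! Outbound policy for the DMZ: one source host, named destinations, named ports.
! Name resolution, time and AV updates go to internal servers, as Frank suggests.
access-list dmz_out permit udp host 192.168.2.10 host 10.0.0.53 eq 53
access-list dmz_out permit udp host 192.168.2.10 host 10.0.0.123 eq 123
access-list dmz_out permit tcp host 192.168.2.10 host 10.0.0.20 eq 80
! The one external site there is a business reason to contact.
access-list dmz_out permit tcp host 192.168.2.10 host 203.0.113.5 eq 443
! Everything else sourced in the DMZ is dropped and logged. A hit on this line
! from the web server is exactly the reverse-connection symptom Frank describes,
! so it is worth alerting on.
access-list dmz_out deny ip any any log
access-group dmz_out in interface dmz
```

Once an access-group is applied to the dmz interface the implicit deny replaces the security-level default, so anything the web server needs that is not listed (for example ICMP) must be added explicitly; the syslog entries from the final deny line are the check that the policy is actually holding.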