Firewall Wizards mailing list archives

Re: firewall-wizards Digest, Vol 9, Issue 4

From: "Paul Madore" <dexteroc () hotmail com>
Date: Tue, 09 Jan 2007 14:26:49 -0800

On Fri, 2007-01-05 at 14:47 -0800, Paul Madore wrote:

I have a PIX 515 running 6.3 with three interfaces including inside,

outside

and DMZ.  I have a webserver in the DMZ that receives traffic on 80 and

443.

  Currently no traffic can go out of the DMZ to the inside or outside
interfaces.  My problem is: I want to be able to get out to the internet
from the DMZ.


Ouch! Be very careful with outbound traffic from the DMZ. You really
want to think about this. When servers get compromised, say through a
SQL injection or remote script include of sorts, the server will create
a connection to the outside so that the hacker can upload hacking tools
to the server or get a remote command shell from the server.

I see this all too often during pentest. Environments with unrestricted
Internet access from the servers/DMZ fall very quickly. I thought
everyone got the last refresher of that lesson again when CodeRed was
making its rounds back in 2001.

Evaluate why you need outbound access. If it is for virus updates,
consider pulling updates from internal AV distribution servers instead.
Also, DNS and time server requests should go to your own servers. Things
like credit card processing of course will have to leave the DMZ to the
Internet, but in those cases only allow those servers that need outbound
access to only those sites they need to get to. Don't give all servers
unrestricted outbound access, or you're asking for trouble.

Remember, servers are there to serve, meaning, answering requests.
Rarely do they have to establish connections to the outside.

Cheers,
Frank



Frank,

Thank you for pointing that out and it is a very good idea.  I do need to 
have outbound access from the DMZ, there is no way around that but I took 
your suggestion and limited it to specifically one IP address and I believe 
it to be a very secure and safe site.

Thanks,

Paul

_________________________________________________________________
Get FREE Web site and company branded e-mail from Microsoft Office Live 
http://clk.atdmt.com/MRT/go/mcrssaub0050001411mrt/direct/01/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: firewall-wizards Digest, Vol 9, Issue 4 Paul Madore (Jan 10)
- How should an Internet connection/firewall be designed? Kaas, David D (Jan 18)
  - Re: How should an Internet connection/firewall be designed? AMuse (Jan 18)
    - Re: How should an Internet connection/firewall be designed? Christine Kronberg (Jan 19)
    - Re: How should an Internet connection/firewall be designed? Kaas, David D (Jan 19)
    - Re: How should an Internet connection/firewall be designed? Shahin Ansari (Jan 19)
    - Re: How should an Internet connection/firewall be designed? R. DuFresne (Jan 20)
  - Re: How should an Internet connection/firewall be designed? ArkanoiD (Jan 18)
  - Re: How should an Internet connection/firewall be designed? John Kougoulos (Jan 18)
    - Re: How should an Internet connection/firewall be designed? ArkanoiD (Jan 18)
  - Re: How should an Internet connection/firewall be designed? Dave Piscitello (Jan 19)

(Thread continues...)