From: Tilman Schmidt on 27 Mar 2010 19:11

Am 26.03.2010 20:11 schrieb barret bonden:
> Need to setup a web server in a DMZ such that
> 1) computers on the INSIDE interface can, on a Microsoft LAN, browse to and
> copy files FROM the server in the DMZ to themselves in the inside
> 2) If the server in the DMZ is hacked it will prevent attack on the inside
> computers.
>
>
> I need to:
> 1) know this is possible
> 2) be pointed to instructions on how to set this up
> 3) understand HOW this is done
> 4) understand if the Inside and DMZ are on different subnets if the ASA is
> doing routing as well as passing Netbios packets. As I understand the world
> if you allow netbios from and to subnets you are making security holes that
> undermine the value of the DMZ

You got that right. Opening up Microsoft LAN protocols between the DMZ and your internal network makes it pretty much impossible to secure the internal network against attacks from the DMZ server, should it be subverted.

(Btw, I don't agree with your distinction between "routing" and "passing Netbios packets". The latter is a particular case of the former.)

What I'd recommend is not to use Netbios for that purpose. If that DMZ server is a web server already, why not have the inside computers browse to and copy these files via HTTP, too? For that you only have to open port 80 from inside to DMZ, which you probably did already anyway.

HTH
Tilman
From: Andrew Hodgson on 2 Apr 2010 15:56

On Sun, 28 Mar 2010 00:11:22 +0100, Tilman Schmidt <ts-usenet0911(a)pxnet.com> wrote:

>Am 26.03.2010 20:11 schrieb barret bonden:
>> Need to setup a web server in a DMZ such that
>> 1) computers on the INSIDE interface can, on a Microsoft LAN, browse to and
>> copy files FROM the server in the DMZ to themselves in the inside
>> 2) If the server in the DMZ is hacked it will prevent attack on the inside
>> computers.
>>
>>
>> I need to:
>> 1) know this is possible
>> 2) be pointed to instructions on how to set this up
>> 3) understand HOW this is done
>> 4) understand if the Inside and DMZ are on different subnets if the ASA is
>> doing routing as well as passing Netbios packets. As I understand the world
>> if you allow netbios from and to subnets you are making security holes that
>> undermine the value of the DMZ
>
>You got that right. Opening up Microsoft LAN protocols between the DMZ
>and your internal network makes it pretty much impossible to secure the
>internal network against attacks from the DMZ server, should it be
>subverted.

I find that on W2k3 and above servers, one only needs to open up port 445 one-way from the PCs doing the system admin work to the servers in question. It goes through fine using \\ip.address.of.server in the run dialog. Don't allow traffic on this port from the servers to the inside network.

Thanks.
Andrew.
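The two replies above describe one policy between them: inside hosts reach the DMZ web server on port 80, a single admin workstation reaches it on port 445, and nothing initiated from the DMZ ever reaches the inside network. The following ASA access-list fragment is an added illustration of that policy, not configuration posted by anyone in the thread. The addresses (inside 192.168.1.0/24, DMZ 192.168.100.0/24, web server 192.168.100.10, admin workstation 192.168.1.50), interface names and ACL names are constructed for the example.

```cisco
! Constructed example addressing (assumption, not from the thread):
!   inside network      192.168.1.0/24   (admin workstation 192.168.1.50)
!   DMZ network         192.168.100.0/24 (web server 192.168.100.10)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
! inside -> dmz: HTTP from any inside host to the web server (Tilman's suggestion),
! SMB on 445 only from the one admin workstation (Andrew's one-way rule).
! Everything else aimed at the DMZ is dropped and logged; traffic to other
! destinations (e.g. the outside) is still allowed by the final permit.
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.100.10 eq www
access-list INSIDE_IN extended permit tcp host 192.168.1.50 host 192.168.100.10 eq 445
access-list INSIDE_IN extended deny ip any 192.168.100.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! dmz -> inside: no connection initiated from the DMZ may enter the inside
! network, whatever port it uses. Replies to inside-initiated sessions
! (the HTTP and SMB flows above) still pass, because the ASA is stateful.
! Any outbound access the DMZ server itself needs goes after this deny.
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0 log
access-group DMZ_IN in interface dmz
```

Even without DMZ_IN, an ASA refuses traffic from a lower security level (dmz, 50) to a higher one (inside, 100) unless an ACL permits it; the explicit deny with `log` makes the policy visible in the configuration and produces syslog entries if a compromised DMZ host starts probing the inside network, which is the detection signal to watch for. The ordering of INSIDE_IN matters: the deny toward the DMZ subnet must sit before the general permit, or the general permit would open every DMZ port to the inside.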