
Re: [fw-wiz] firewall-wizards Digest, Vol 9, Issue 4

To: firewall-wizards@listserv.icsalabs.com
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 9, Issue 4
From: "Paul Madore" <dexteroc@hotmail.com>
Date: Tue, 09 Jan 2007 14:26:49 -0800
Delivered-to: sp-com-lists@consult.net
Delivered-to: fwwizards-list2@consult.net
Delivered-to: firewall-wizards@listserv.icsalabs.com
In-reply-to: <mailman.13.1168362003.19188.firewall-wizards@listserv.icsalabs.com>
List-archive: <https://listserv.icsalabs.com/pipermail/firewall-wizards>
List-help: <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=help>
List-id: Firewall Wizards Security Mailing List <firewall-wizards.listserv.icsalabs.com>
List-post: <mailto:firewall-wizards@listserv.icsalabs.com>
List-subscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=subscribe>
List-unsubscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=unsubscribe>
Reply-to: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Sender: firewall-wizards-bounces@listserv.icsalabs.com
>On Fri, 2007-01-05 at 14:47 -0800, Paul Madore wrote:
> > I have a PIX 515 running 6.3 with three interfaces including inside, outside
> > and DMZ.  I have a webserver in the DMZ that receives traffic on 80 and 443.
> > Currently no traffic can go out of the DMZ to the inside or outside
> > interfaces.  My problem is: I want to be able to get out to the internet
> > from the DMZ.
>
>Ouch! Be very careful with outbound traffic from the DMZ. You really
>want to think about this. When servers get compromised, say through a
>SQL injection or remote script include of sorts, the server will create
>a connection to the outside so that the hacker can upload hacking tools
>to the server or get a remote command shell from the server.
>
>I see this all too often during pentests. Environments with unrestricted
>Internet access from the servers/DMZ fall very quickly. I thought
>everyone got the last refresher of that lesson again when CodeRed was
>making its rounds back in 2001.
>
>Evaluate why you need outbound access. If it is for virus updates,
>consider pulling updates from internal AV distribution servers instead.
>Also, DNS and time server requests should go to your own servers. Things
>like credit card processing of course will have to leave the DMZ to the
>Internet, but in those cases only allow those servers that need outbound
>access to only those sites they need to get to. Don't give all servers
>unrestricted outbound access, or you're asking for trouble.
>
>Remember, servers are there to serve, meaning, answering requests.
>Rarely do they have to establish connections to the outside.
>
>Cheers,
>Frank


Frank,

Thank you for pointing that out; it is a very good idea.  I do need to 
have outbound access from the DMZ; there is no way around that, but I took 
your suggestion and limited it to specifically one IP address, and I believe 
it to be a very secure and safe site.

Thanks,

Paul


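The egress policy Frank describes (DNS and NTP only to your own servers, one named server allowed to one named destination, everything else denied) expressed as a PIX 6.3 configuration fragment. This is an editor's added example, not configuration posted by either list participant. The interface names, the DMZ network 192.0.2.0/24, the web server 192.0.2.10, the internal DNS/NTP host 10.1.1.53 and the single permitted outside destination 198.51.100.20 are all constructed placeholder values; the `static` entry is needed because DMZ-to-inside is lower-to-higher security on a PIX and the inside host must have a translation visible from the DMZ.

```text
! Outbound NAT so DMZ hosts can reach the outside at all (PIX 6.3 requires a translation)
nat (dmz) 1 192.0.2.0 255.255.255.0
global (outside) 1 interface

! Expose the internal DNS/NTP host to the DMZ under its own address (placeholder 10.1.1.53)
static (inside,dmz) 10.1.1.53 10.1.1.53 netmask 255.255.255.255

! Egress ACL applied inbound on the DMZ interface: only what the web server needs
access-list dmz_out permit udp host 192.0.2.10 host 10.1.1.53 eq domain
access-list dmz_out permit udp host 192.0.2.10 host 10.1.1.53 eq ntp
! The one external site this server must reach (placeholder 198.51.100.20), HTTPS only
access-list dmz_out permit tcp host 192.0.2.10 host 198.51.100.20 eq https
! Everything else from the DMZ is dropped and logged, so a compromised host calling home shows up in syslog
access-list dmz_out deny ip any any log
access-group dmz_out in interface dmz
```

The order matters: on a PIX the ACL is evaluated top down and the first match wins, so the explicit permits must precede the final `deny ip any any`. The `log` keyword on the deny line is what turns a blocked call-home attempt into a syslog event worth alerting on; without it the drop is silent and the compromise described in the thread goes unnoticed.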
