Another pix ACL ??

Feb 18th, 2007

It seems to me that an ACL wipes out the need for the security levels. Take a configuration of outside,dmz,inside interfaces. In the dmz there is a mail server that needs to talk smtp to all servers on the internet. So you create an acl allowing it to do so and apply it inbound to the dmz interface. Now, say you create a static for an inside server into the dmz interface because you want the dmz server to be able to ftp to the inside server. Doesn't the acl you applied to the dmz interface allow you to try and hit the ftp inside server on port 25? Is it normal to have to follow these "allow to any" ACEs with denys to all internal servers that have translations into the dmz?

Jon Marshall Sun, 02/18/2007 - 23:02

Hi

By default on the pix traffic will flow from a higher security interface to a lower one without an ACL (note the FWSM on a 6500 behaves differently). So you shouldn't need an access-list to allow your mail server to talk to the Internet, just a static translation presenting it to the outside.

However if you then need to have the mail server ftp to a server inside then you do need an acl.

As soon as you apply that acl then you need a permit statement in there for your mail server to get to the Internet. And as you can't list all of the possible mail servers then you need a permit mail-server to any.

So yes, you would need to deny the mail server to the rest of your internal network. Hopefully your internal network is easily summarised?

So:

permit tcp host mail-server host Internal-ftp-server eq 21
deny ip host mail-server internal-net subnet-mask
permit ip any any

From a security point of view you probably wouldn't want to allow your mail-server to ftp into your internal network though. Generally speaking, if you can, no connections should be initiated from the DMZ to the inside, but this is easier said than done :-)

Jon
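To see why the ordering in the reply above matters, here is a small first-match ACL simulator (added example, not code from the thread or from the PIX itself). The addresses are constructed; the inside network is assumed to be presented into the DMZ with an identity static, so the deny can name the real 10.1.1.0/24 addresses (on the PIX the deny has to match whatever address the DMZ actually sees after translation).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the thread's scenario (assumptions, not from the posts).
# Inside hosts are presented into the DMZ by an identity static, so the DMZ sees 10.1.1.x.
MAIL_SERVER = "192.168.50.25"   # mail relay in the DMZ
INSIDE_FTP = "10.1.1.10"        # inside FTP server reachable from the DMZ via a static
INTERNAL_NET = "10.1.1.0/24"    # the rest of the inside network
ANY = "0.0.0.0/0"

@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches everything, "tcp" only TCP
    src: str                     # host address or CIDR prefix
    dst: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto, src, dst, dport):
        proto_ok = self.proto == "ip" or self.proto == proto
        src_ok = ipaddress.ip_address(src) in ipaddress.ip_network(self.src, strict=False)
        dst_ok = ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst, strict=False)
        return proto_ok and src_ok and dst_ok and (self.dport is None or self.dport == dport)

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins, as on the PIX; an implicit deny ends every ACL."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"

# The ACL from the question: "mail relay to any SMTP" also covers the inside FTP host.
WEAK = [
    ACE("permit", "tcp", MAIL_SERVER, ANY, 25),
    ACE("permit", "tcp", MAIL_SERVER, INSIDE_FTP, 21),
]
# Jon's ordering: specific permit, deny the whole inside net, then the broad permit
# (narrowed here to TCP/25 instead of the thread's "permit ip any any").
HARDENED = [
    ACE("permit", "tcp", MAIL_SERVER, INSIDE_FTP, 21),
    ACE("deny", "ip", MAIL_SERVER, INTERNAL_NET),
    ACE("permit", "tcp", MAIL_SERVER, ANY, 25),
]
# Same three ACEs with the deny placed after the broad permit: the hole is back.
MISORDERED = [HARDENED[0], HARDENED[2], HARDENED[1]]

def inside_smtp_reachable(acl):
    """True if the DMZ mail relay could open TCP/25 to the inside FTP host."""
    return evaluate(acl, "tcp", MAIL_SERVER, INSIDE_FTP, 25) == "permit"
```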

daviddtran Mon, 02/19/2007 - 03:38

tmarlow,

That is because Pix is a stupid firewall. It is nothing but a NAT device. Think about it, are there any security devices that you know of that will tolerate this type of behavior, that a high security level interface, by default, can implicitly communicate with a low security level interface, unless explicitly denied?

It's plainly stupid. Let's say you have a server on the inside that is infected with viruses and trojan software. As soon as you put in the pix and set up NAT or PAT or, worse yet, nothing, then that box can attack other hosts on your own networks. How insane can that be?

Checkpoint or Juniper firewalls do not tolerate this type of behavior. They are, by nature, implicitly denied unless explicitly allowed.

my 2c
