Port Forward Vs. DMZ

My company is in the process of implementing a new system that they want internal and external access to.

I would like to use our DMZ, however there is a concern that we will overrun the throughput of our PIX 525.

The software vendor just wants us to port forward from the outside across the firewall. What are the ramifications of doing this besides the large security holes from the untrusted to trusted network?

Thanks

vitripat Thu, 03/22/2007 - 14:53

The first good thing you are doing is placing the server in DMZ. This is the place where ideally servers to be accessed by public networks should be placed.

Next, what is the current CPU/Memory usage on PIX? As you have a PIX-525, this is quite a heavy duty PIX and should be able to handle heavy traffic. But again, would like to know the numbers.

As you mentioned port-forward, could you clarify on this? Is it that from outside only few ports should be accessible? Does this server have a public IP of its own or will it use PIX's IP address?

Generally when you allow access to, let's say a webserver, through PIX on port 80 (TCP), you make it available on port 80 (TCP) as well as it's open for attacks on port 80 (TCP). If the ACL on outside is tight enough, attackers can attack only on port 80 (TCP). PIX by itself cannot do attack detection or something like that, however an IDS/IPS device can be very effective if you need to protect this server from attacks.

In rare cases even if the server on DMZ is compromised, access to internal servers (servers on inside interface) will not be open as long as ACL on the DMZ interface denies access to internal networks. And ideally, it should.

I hope this clarifies things a bit.

Regards,

Vibhor.

Thanks for your reply.

We have a PIX 525 pair in active/standby right now. Each has 256MB of memory and they are not being utilized very heavily today. We have on average 30 concurrent VPN connections, plus the PIX is our firewall for our company's internet access.

We are worried about the throughput when we bring our new software system online. We will have 200Mb of bandwidth out of our data center to our offices and up to 100Mb of bandwidth outbound to the internet. If we put all our application on the DMZ, that is very close to the PIX rated throughput of 330. If we put only a few of the systems on the DMZ, then the servers will not be able to communicate to each other at 1Gb speeds because of the PIX limitations.

As for port forwarding, the application will only need 2 open ports. SSL and another TCP port.

As for the servers, they will all have public IPs assigned to them (either physically assigned in a port forward setup or through NAT in a DMZ setup).

My major concern with port forwarding is if one of the servers is compromised, then the entire inside network becomes vulnerable.

Even if we put them on the DMZ I am still going to need to allow access from the inside to the DMZ for internal users. Is it possible to do this securely?

Thanks

suschoud Fri, 03/23/2007 - 08:47

hi,

if you put the servers in dmz, then the inside network will not be compromised.

you can set up a one way communication from inside to dmz, not vice versa.

nat (inside) 1 0 0

global (dmz) 1 interface

by this, a connection initiated from inside will be able to reach dmz.

if the connection is initiated from dmz, it'll never reach inside.

hth

sushil
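
Added example, not part of the thread or any poster's configuration: a small Python check for the condition discussed above, that the ACL bound inbound on the DMZ interface does not permit traffic toward the inside network. The config text, the ACL name `dmz_in`, all addresses and the 10.0.0.0/8 inside range are constructed assumptions; only the `any`, `host A` and `A MASK` address forms are parsed, and first-match ordering is approximated by stopping at a blanket deny toward inside.

```python
import ipaddress

# Constructed sample config (not from the thread); names and addresses are assumptions.
SAMPLE_CONFIG = """\
access-list dmz_in permit tcp host 192.168.50.10 host 10.1.1.20 eq 1433
access-list dmz_in deny ip any 10.0.0.0 255.0.0.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
"""
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed inside address space
PORT_OPS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}  # operator -> operand count

def take_addr(tok):
    """Consume one address spec (any | host A | A MASK) and a port operator after it."""
    if tok[0] == "any":
        net, tok = ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    elif tok[0] == "host":
        net, tok = ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    else:
        net, tok = ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]
    if tok and tok[0] in PORT_OPS:
        tok = tok[1 + PORT_OPS[tok[0]]:]
    return net, tok

def audit_dmz_acl(config, inside=INSIDE_NET, iface="dmz"):
    """Return permit entries on the ACL bound inbound to iface that can reach inside."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    bound = [l[1] for l in lines if l[0] == "access-group" and l[2:] == ["in", "interface", iface]]
    if not bound:
        return None  # no ACL is bound inbound to this interface
    findings = []
    for l in lines:
        if l[0] != "access-list" or l[1] != bound[0]:
            continue
        rest = [t for t in l[2:] if t != "extended"]
        if rest[0] not in ("permit", "deny"):
            continue  # remarks and other non-rule lines
        action, proto = rest[0], rest[1]
        src, rest = take_addr(rest[2:])
        dst, _ = take_addr(rest)
        if action == "deny" and proto == "ip" and src.prefixlen == 0 and inside.subnet_of(dst):
            break  # first match wins: later entries cannot reach inside
        if action == "permit" and dst.overlaps(inside):
            findings.append(" ".join(l))
    return findings

if __name__ == "__main__":
    print(audit_dmz_acl(SAMPLE_CONFIG))
```

In the constructed sample the trailing `permit ip any any` is not reported because the blanket deny above it shadows it for inside destinations; the explicit DMZ-to-inside permit ahead of the deny is the entry a reviewer would need to justify.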
