Help shaping firewall rules:

Apr 12th, 2007
I have recently started work for a new company and have taken over the ASA 5510 Firewall rules. I have worked with them a bit in the past, but not enough to say I am very strong or a master.


Anyway, after taking a look at the firewall rules, I was horrified with what I found. Basically, the DMZ has full access to the LAN and vice versa.


Talking with the management, I asked if we could change this because this is a huge security concern.


They finally gave me permission, but now I am in a position of:


where do I start?

how do I maximize security?


I am in the process of mapping the servers in the DMZ, what services they run, their IPs and what they need.


Does anyone have some suggestions on how to go about this?


Right now, there is one Windows server and 3 Mac OS X servers in there, hosting FTP and HTTP/HTTPS.


They should only need to come into the LAN to query our DNS server, as well as port 80 to our winupdate server for patches.


Anyone want to help me get started? I feel overwhelmed.


Thx.

vkapoor5 Wed, 04/18/2007 - 12:33

As per your explanation, I understood that the DMZ has the same security level as the inside (LAN) network. Then your configuration must contain the command "same-security-traffic permit inter-interface". You should remove this command by entering "no same-security-traffic permit inter-interface" in the global configuration mode of the ASA. Then modify the security level of the DMZ to be slightly lower than that of the inside network. Now the networks in the DMZ cannot access the inside network. As per your requirement, you can put ACLs on the DMZ interface to allow only the needed traffic into the LAN.
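The steps above, written out as an added ASA configuration example (not from the original post or from Cisco): the interface names, addresses, the DNS server and winupdate server hosts are constructed placeholders, and the final permit to "any" is an assumption for DMZ servers that need outbound Internet access.

```cisco
! Added example, not from the original thread. Addresses are constructed placeholders.
! inside = LAN (192.168.1.0/24), dmz = DMZ (192.168.100.0/24)
! DNS server 192.168.1.53 and winupdate server 192.168.1.80 are assumed hosts.
!
! 1. Give the DMZ a lower security level than inside, so the DMZ can no
!    longer initiate connections to the LAN by default.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
! 2. Remove the command that let equal-security interfaces talk freely.
no same-security-traffic permit inter-interface
!
! 3. Allow only what the DMZ servers need from the LAN: DNS queries
!    (UDP and TCP 53) and HTTP to the winupdate server. Everything else
!    from the DMZ to the LAN is denied and logged.
access-list DMZ_IN remark DMZ servers may query the internal DNS server
access-list DMZ_IN extended permit udp 192.168.100.0 255.255.255.0 host 192.168.1.53 eq domain
access-list DMZ_IN extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.53 eq domain
access-list DMZ_IN remark DMZ servers may fetch patches from the winupdate server
access-list DMZ_IN extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.80 eq www
access-list DMZ_IN remark deny and log any other DMZ-to-LAN traffic
access-list DMZ_IN extended deny ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 log
! Assumption: the DMZ servers need outbound Internet access. Remove this
! line if they do not; the ACL then ends in the implicit deny.
access-list DMZ_IN extended permit ip 192.168.100.0 255.255.255.0 any
!
! 4. Apply the ACL to traffic entering the ASA on the dmz interface.
access-group DMZ_IN in interface dmz
```

Inbound connections from the Internet to the DMZ's FTP and HTTP/HTTPS services are unaffected, since the ASA is stateful and return traffic is matched to the existing connection; after applying the ACL, `show access-list DMZ_IN` shows hit counts per line, and the logged denies show anything the DMZ servers still try to reach on the LAN that was missed during mapping.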
