
Are my DMZ servers making my network vulnerable?

vikrantarora (Level 1)

I have 2 servers on the DMZ with the following access list on the DMZ interface of the PIX firewall:

access-list acl_dmz permit tcp any any eq www
access-list acl_dmz permit tcp host V any
access-list acl_dmz permit ip host V any
access-list acl_dmz permit icmp any any

and on the outside, one of the ACLs is:

access-list acl_out permit tcp any host V eq https

As is obvious, my servers can send any TCP or IP traffic through the PIX.

I need to allow HTTPS traffic to V as it is a web server and needs to be accessible from outside. Also, my web server communicates with SQL databases located on the inside via JSPs.

So if someone gets into server V in the DMZ via HTTPS, he can also get into the inside network?

Am I right in thinking so? If yes, what do I do to make it more secure?

1 Reply

wolfrikk (Level 3)

The following two lines allow your host V to access anything through the firewall.

access-list acl_dmz permit tcp host V any
access-list acl_dmz permit ip host V any

The permit ip line is allowing all IP traffic (UDP, TCP and ICMP), so the permit tcp and icmp lines are redundant. I would remove those two lines and only allow traffic from the DMZ that is required for host V to function. If someone hijacks host V, they have full access to your internal network using IP right now.

I would find out what ports need to be open, and only allow traffic on those ports. Also, only allow traffic between specific hosts if possible. For the SQL, I would set the ACL to only allow the SQL traffic between host V and your SQL server.
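An added example, not part of the thread: a small Python audit script that parses PIX-style access-list lines and flags every permit whose destination is `any`, which on a DMZ interface means the rule reaches the inside network as well as the Internet. The two ACLs embedded in it are constructed samples. The first is the poster's DMZ list with host V left as a placeholder; the second is a hypothetical tightened list in the spirit of the reply above, and it assumes an inside database at 10.1.1.20 on tcp/1433 and a DNS resolver at 10.1.1.5, neither of which the thread specifies.

```python
"""Flag over-broad permits in PIX/ASA-style access lists.

Added example, not from the original thread. Handles the classic form
    access-list NAME permit|deny PROTO SRC DST [eq PORT]
where SRC/DST is 'any', 'host X', or 'NET MASK'.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the poster's DMZ ACL, host V as a placeholder.
ORIGINAL_DMZ_ACL = """
access-list acl_dmz permit tcp any any eq www
access-list acl_dmz permit tcp host V any
access-list acl_dmz permit ip host V any
access-list acl_dmz permit icmp any any
"""

# Constructed, hypothetical tightened ACL. Assumptions: the inside SQL
# server is 10.1.1.20 listening on tcp/1433 and the resolver V needs is
# 10.1.1.5. Everything else is dropped by the PIX's implicit deny.
HARDENED_DMZ_ACL = """
access-list acl_dmz permit tcp host V host 10.1.1.20 eq 1433
access-list acl_dmz permit udp host V host 10.1.1.5 eq domain
"""


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]
    raw: str


def _parse_addr(toks: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec starting at toks[i]; return (spec, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return "host " + toks[i + 1], i + 2
    return toks[i] + " " + toks[i + 1], i + 2  # NETWORK MASK


def parse_acl(text: str) -> List[AclEntry]:
    """Parse every access-list line in text; skip blanks and non-ACE lines."""
    entries = []
    for raw in text.strip().splitlines():
        toks = raw.split()
        if len(toks) < 6 or toks[0] != "access-list":
            continue
        name, action, proto = toks[1], toks[2], toks[3]
        src, i = _parse_addr(toks, 4)
        dst, i = _parse_addr(toks, i)
        port = None
        if i + 1 < len(toks) and toks[i] == "eq":
            port = toks[i + 1]
        entries.append(AclEntry(name, action, proto, src, dst, port, raw))
    return entries


def audit(entries: List[AclEntry]) -> List[Tuple[str, str, str]]:
    """Return (severity, reason, raw line) for each permit with dst 'any'.

    HIGH:   'ip', or tcp/udp with no port, to any destination (full reach
            into the inside network from the DMZ).
    MEDIUM: a single port or a non-tcp/udp protocol to any destination
            (still not restricted to the hosts V actually needs).
    """
    findings = []
    for e in entries:
        if e.action != "permit" or e.dst != "any":
            continue
        unrestricted = e.proto == "ip" or (e.proto in ("tcp", "udp") and e.port is None)
        if unrestricted:
            sev = "HIGH"
            why = f"{e.proto} from {e.src} to ANY destination, no port restriction"
        else:
            sev = "MEDIUM"
            port = f" port {e.port}" if e.port else ""
            why = f"{e.proto}{port} from {e.src} to ANY destination (includes the inside network)"
        findings.append((sev, why, e.raw))
    return findings


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_DMZ_ACL), ("hardened", HARDENED_DMZ_ACL)):
        print(f"== {label} ==")
        for sev, why, raw in audit(parse_acl(acl)) or [("OK", "no any-destination permits", "")]:
            print(f"{sev:6} {why}  [{raw}]")
```

The tightened list relies on the PIX's implicit deny at the end of every access list, so nothing from the DMZ reaches the inside except the two named flows; the list is still bound to the interface with the existing `access-group` statement. The checker is deliberately order-blind, so a `deny` line placed before a broad permit will not silence a finding; that is intentional, since the reply's advice is to remove the broad permits rather than shadow them.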
