Case Study


We've covered many important topics in this chapter. Sometimes it is difficult to grasp a topic without actually seeing it in use, so let's look at a complex case study and see how the topics discussed in this chapter can be applied in real-life situations.

Figure 9.6 shows the network layout of the Los Angeles site at Secure Corp. The company has just bought the PIX and needs to configure it. Secure Corp. has already defined a security policy as a precursor to purchasing the PIX so they would know how many interfaces they would need. The site administrators decided that they need four different security domains to ensure the integrity and security of the network.

Figure 9.6: A Complex Configuration Example

The inside interface will be the highest security interface. All corporate users as well as the private and internal servers will be located behind this interface. Private addressing is being used for the nodes located behind this interface, and the PIX needs to use PAT to translate the IP addresses when the nodes send traffic to the Internet. The PIX should not NAT any traffic from the nodes behind this interface when they access any other interface. There should be no direct access from the Internet to any server located behind this interface. Because there is no business case for having Internet POP3 and IMAP4 servers available to nodes on the inside network and because these services are common venues through which viruses are transmitted, no access is allowed to Internet POP3 or IMAP4 servers from the inside network. All other traffic from the inside network is allowed.

The db-dmz interface will have the second highest security level and is being used to host database servers that enable the public Web server to build dynamic HTML pages. No private or confidential information is stored on these database servers. The database servers use private addressing and are the only nodes located behind this interface. The database servers do not need access to the Internet, and no direct connections from the Internet should be allowed to the database servers. The database servers are using SQL*Net as the communication protocol between the Web server and the database; therefore, they need to be accessible from the Web server on the DMZ interface. The database servers do not need direct access to any hosts on the inside network.

The dmz interface will have the third highest security level. Publicly accessible services, including Web, mail, and DNS servers, will be located behind this interface. The servers will use private addressing and will require static translations so that they can be accessed directly from the Internet. Since it is possible that these servers will be compromised, each server's access to the Internet should be limited to the service it provides, plus the ability to browse the Web. There should be no direct access to the inside network, and the only direct access to the database servers should be from the Web server on the SQL*Net service.

The outside interface will have the lowest security level. The company wants to allow access only to the services on the DMZ interface. The company also wants to make sure that it will not be the victim of a spoof attack, so it wants to filter out any inbound traffic sourced from a private address. Since the inside network can ping out, it is desirable to allow ICMP responses back into the PIX. (The case study uses 10.1.1.0/24 on the outside interface purely for illustration; in production the outside interface carries public addresses, since an anti-spoofing filter that drops 10.0.0.0/8 would otherwise also drop traffic sourced by the upstream router at 10.1.1.254.)

We will now discuss the commands to apply this security policy. In the first example, we use only access lists. In the second example, we use conduits and outbound/apply statements.

Access Lists

We begin by naming and assigning security levels to the two interfaces not already defined on the PIX:

PIX1(config)# nameif ethernet2 dmz security40
PIX1(config)# nameif ethernet3 dbdmz security60

Now bring the interfaces online:

PIX1(config)# interface ethernet0 auto
PIX1(config)# interface ethernet1 auto
PIX1(config)# interface ethernet2 auto
PIX1(config)# interface ethernet3 auto

Assign an IP address to each interface:

PIX1(config)# ip address inside 172.16.0.1 255.240.0.0
PIX1(config)# ip address outside 10.1.1.1 255.255.255.0
PIX1(config)# ip address dmz 192.168.10.1 255.255.255.0
PIX1(config)# ip address dbdmz 192.168.20.1 255.255.255.0

Assign a default route to the PIX:

PIX1(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.254 

Create access lists to be used later to bypass NAT (inside-to-dmz, inside-to-dbdmz, and dbdmz-to-dmz traffic keeps its private addresses):

PIX1(config)# access-list nonatinside permit ip 172.16.0.0 255.240.0.0 192.168.10.0 255.255.255.0
PIX1(config)# access-list nonatinside permit ip 172.16.0.0 255.240.0.0 192.168.20.0 255.255.255.0
PIX1(config)# access-list nonatdbdmz permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

Create a global pool using PAT for the inside network:

PIX1(config)# global (outside) 1 10.1.1.2
Global 10.1.1.2 will be Port Address Translated

Bypass NAT where needed:

PIX1(config)# nat (inside) 0 access-list nonatinside
PIX1(config)# nat (dbdmz) 0 access-list nonatdbdmz

Enable NAT for all remaining inside traffic and map it to global ID 1, the PAT address:

PIX1(config)# nat (inside) 1 0 0 

Create static translations for access from the lower-level security interfaces:

PIX1(config)# static (dmz, outside) 10.1.1.10 192.168.10.10
PIX1(config)# static (dmz, outside) 10.1.1.11 192.168.10.11
PIX1(config)# static (dmz, outside) 10.1.1.12 192.168.10.12
PIX1(config)# static (dbdmz, dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0

Configure names for the public addresses of the DMZ servers:

PIX1(config)# names
PIX1(config)# name 10.1.1.10 dns
PIX1(config)# name 10.1.1.11 mail
PIX1(config)# name 10.1.1.12 web

Configure object groups. dbhosts holds the two database servers, dmzhosts the three DMZ servers (192.168.10.1 is the PIX's own dmz address, not a server, so it does not belong in the group), and icmp-outside-in the ICMP reply types that the inside network's pings and traceroutes need back:

PIX1(config)# object-group network dbhosts
PIX1(config-network)# network-object host 192.168.20.10
PIX1(config-network)# network-object host 192.168.20.20
PIX1(config-network)# exit
PIX1(config)# object-group network dmzhosts
PIX1(config-network)# network-object host 192.168.10.10
PIX1(config-network)# network-object host 192.168.10.11
PIX1(config-network)# network-object host 192.168.10.12
PIX1(config-network)# exit
PIX1(config)# object-group icmp-type icmp-outside-in
PIX1(config-icmp-type)# icmp-object echo-reply
PIX1(config-icmp-type)# icmp-object time-exceeded
PIX1(config-icmp-type)# icmp-object unreachable
PIX1(config-icmp-type)# exit

Configure the access lists for each interface. The PIX evaluates each list top-down, the first matching entry wins, and anything not explicitly permitted is dropped by the implicit deny at the end; the explicit deny entries below exist so that the drops show up in the logs. The inside network mask is 255.240.0.0 throughout, matching the interface address:

PIX1(config)# access-list inside_in deny tcp 172.16.0.0 255.240.0.0 any eq pop3
PIX1(config)# access-list inside_in deny tcp 172.16.0.0 255.240.0.0 any eq 143
PIX1(config)# access-list inside_in permit ip 172.16.0.0 255.240.0.0 any
PIX1(config)# access-list inside_in permit icmp 172.16.0.0 255.240.0.0 any
PIX1(config)# access-list dbdmz_in permit tcp object-group dbhosts eq sqlnet 192.168.10.0 255.255.255.0
PIX1(config)# access-list dbdmz_in permit icmp 192.168.20.0 255.255.255.0 172.16.0.0 255.240.0.0
PIX1(config)# access-list dbdmz_in deny ip any any
PIX1(config)# access-list dmz_in permit tcp host 192.168.10.11 any eq smtp
PIX1(config)# access-list dmz_in permit tcp host 192.168.10.10 any eq domain
PIX1(config)# access-list dmz_in permit udp host 192.168.10.10 any eq domain
PIX1(config)# access-list dmz_in permit tcp object-group dmzhosts any eq http
PIX1(config)# access-list dmz_in permit tcp host 192.168.10.12 object-group dbhosts eq sqlnet
PIX1(config)# access-list dmz_in permit icmp object-group dmzhosts 172.16.0.0 255.240.0.0
PIX1(config)# access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
PIX1(config)# access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
PIX1(config)# access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
PIX1(config)# access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
PIX1(config)# access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
PIX1(config)# access-list outside_in deny ip 224.0.0.0 224.0.0.0 any
PIX1(config)# access-list outside_in permit tcp any host web eq http
PIX1(config)# access-list outside_in permit tcp any host mail eq smtp
PIX1(config)# access-list outside_in permit tcp any host dns eq domain
PIX1(config)# access-list outside_in permit udp any host dns eq domain
PIX1(config)# access-list outside_in permit icmp any 10.1.1.0 255.255.255.0 object-group icmp-outside-in
PIX1(config)# access-list outside_in deny icmp any 10.1.1.0 255.255.255.0
PIX1(config)# access-list outside_in deny ip any any

Apply the access lists to the appropriate interfaces:

PIX1(config)# access-group outside_in in interface outside
PIX1(config)# access-group inside_in in interface inside
PIX1(config)# access-group dmz_in in interface dmz
PIX1(config)# access-group dbdmz_in in interface dbdmz
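Before pushing a list like this, it is worth checking that the entries really enforce the written policy rather than trusting that they do. The following is an added example in Python, not code from the book: a minimal first-match evaluator for the PIX access-list syntax used on this page, run against a constructed copy of the outside_in and inside_in lists above. It understands permit/deny, the any/host/network-mask address forms, the page's name entries and eq PORT, but it does not model object-groups, so the two object-group entries are left out; the test packets' Internet addresses (198.51.100.x) are invented, and the policy statements in check_policy are the ones written in the case study.

```python
import ipaddress

# Hostnames from the page's "name" commands and the port keywords its lists use.
NAMES = {"dns": "10.1.1.10", "mail": "10.1.1.11", "web": "10.1.1.12"}
PORTS = {"pop3": 110, "smtp": 25, "domain": 53, "http": 80, "sqlnet": 1521}

# Constructed copy of the page's outside_in and inside_in lists (object-group
# entries omitted because this small parser does not model groups).
ACL_TEXT = """
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 224.0.0.0 224.0.0.0 any
access-list outside_in permit tcp any host web eq http
access-list outside_in permit tcp any host mail eq smtp
access-list outside_in permit tcp any host dns eq domain
access-list outside_in permit udp any host dns eq domain
access-list outside_in deny icmp any 10.1.1.0 255.255.255.0
access-list outside_in deny ip any any
access-list inside_in deny tcp 172.16.0.0 255.240.0.0 any eq pop3
access-list inside_in deny tcp 172.16.0.0 255.240.0.0 any eq 143
access-list inside_in permit ip 172.16.0.0 255.240.0.0 any
"""


def _addr(tokens, i):
    """Parse 'any', 'host X' (X may be a configured name) or 'net mask'.
    PIX lists use real subnet masks, not IOS-style wildcard masks."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        ip = NAMES.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(ip + "/32"), i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def _port(tokens, i):
    """Parse an optional 'eq PORT' (keyword or number); None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORTS[p] if p in PORTS else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines.
    Returns {name: [(action, proto, src_net, sport, dst_net, dport), ...]}
    in entry order, which is the order the PIX evaluates them."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _addr(tokens, 4)
        sport, i = _port(tokens, i)
        dst, i = _addr(tokens, i)
        dport, _ = _port(tokens, i)
        acls.setdefault(name, []).append((action, proto, src, sport, dst, dport))
    return acls


def evaluate(rules, proto, src, dst, dport=None, sport=None):
    """First match wins, exactly as on the PIX; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto not in ("ip", proto):
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action
    return "deny"


def check_policy(acls):
    """Map each policy statement from the case study to whether the lists satisfy it."""
    out, ins = acls["outside_in"], acls["inside_in"]
    return {
        "Internet can reach the public web server": evaluate(out, "tcp", "198.51.100.7", "10.1.1.12", 80) == "permit",
        "Internet can reach DNS over UDP": evaluate(out, "udp", "198.51.100.7", "10.1.1.10", 53) == "permit",
        "spoofed private source is dropped": evaluate(out, "tcp", "192.168.10.12", "10.1.1.12", 80) == "deny",
        "no direct access from Internet to inside": evaluate(out, "tcp", "198.51.100.7", "172.16.5.5", 22) == "deny",
        "inside may not reach Internet POP3": evaluate(ins, "tcp", "172.20.1.1", "198.51.100.9", 110) == "deny",
        "inside may not reach Internet IMAP4": evaluate(ins, "tcp", "172.20.1.1", "198.51.100.9", 143) == "deny",
        "inside may browse the web": evaluate(ins, "tcp", "172.20.1.1", "198.51.100.9", 80) == "permit",
        # The caveat from the policy discussion: with 10.1.1.0/24 on the outside,
        # the 10.0.0.0/8 anti-spoofing entry also drops the upstream router's traffic.
        "upstream router at 10.1.1.254 is caught by the RFC 1918 filter": evaluate(out, "udp", "10.1.1.254", "10.1.1.10", 53) == "deny",
    }


if __name__ == "__main__":
    for statement, ok in check_policy(parse_acl(ACL_TEXT)).items():
        print(f"{'PASS' if ok else 'FAIL'}  {statement}")
```

Because the evaluator returns the matching action rather than printing it, the same check_policy table can be re-run every time the list is edited; a new FAIL line is the signal that an entry was inserted above one it should have followed.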

Conduits and Outbound/Apply

Name and assign security levels to the two interfaces not already defined on the PIX:

PIX1(config)# nameif ethernet2 dmz security40
PIX1(config)# nameif ethernet3 dbdmz security60

Bring the interfaces online:

PIX1(config)# interface ethernet0 auto
PIX1(config)# interface ethernet1 auto
PIX1(config)# interface ethernet2 auto
PIX1(config)# interface ethernet3 auto

Assign an IP address to each interface:

PIX1(config)# ip address inside 172.16.0.1 255.240.0.0
PIX1(config)# ip address outside 10.1.1.1 255.255.255.0
PIX1(config)# ip address dmz 192.168.10.1 255.255.255.0
PIX1(config)# ip address dbdmz 192.168.20.1 255.255.255.0

Assign a default route to the PIX:

PIX1(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.254 

Create access lists to be used later to bypass NAT:

PIX1(config)# access-list nonatinside permit ip 172.16.0.0 255.240.0.0 192.168.10.0 255.255.255.0
PIX1(config)# access-list nonatinside permit ip 172.16.0.0 255.240.0.0 192.168.20.0 255.255.255.0
PIX1(config)# access-list nonatdbdmz permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

Create a global pool using PAT for the inside network:

PIX1(config)# global (outside) 1 10.1.1.2
Global 10.1.1.2 will be Port Address Translated

Bypass NAT where needed:

PIX1(config)# nat (inside) 0 access-list nonatinside
PIX1(config)# nat (dbdmz) 0 access-list nonatdbdmz

Enable NAT for all remaining inside traffic and map it to global ID 1, the PAT address:

PIX1(config)# nat (inside) 1 0 0 

Create static translations for access from the lower-level security interfaces:

PIX1(config)# static (dmz, outside) 10.1.1.10 192.168.10.10
PIX1(config)# static (dmz, outside) 10.1.1.11 192.168.10.11
PIX1(config)# static (dmz, outside) 10.1.1.12 192.168.10.12
PIX1(config)# static (dbdmz, dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0

Configure names for the public addresses of the DMZ servers:

PIX1(config)# names
PIX1(config)# name 10.1.1.10 dns
PIX1(config)# name 10.1.1.11 mail
PIX1(config)# name 10.1.1.12 web

Configure conduits. A conduit is written from the point of view of the protected host (global address and port first, then the foreign source), and it applies to every lower-security interface at once rather than to one interface. The conduits below reference the object groups dbhosts, dmzhosts and icmp-outside-in exactly as defined in the access-list example; create them the same way before entering these commands:

PIX1(config)# conduit deny ip any 0.0.0.0 255.0.0.0
PIX1(config)# conduit deny ip any 10.0.0.0 255.0.0.0
PIX1(config)# conduit deny ip any 127.0.0.0 255.0.0.0
PIX1(config)# conduit deny ip any 172.16.0.0 255.240.0.0
PIX1(config)# conduit deny ip any 224.0.0.0 224.0.0.0
PIX1(config)# conduit permit tcp object-group dbhosts eq sqlnet host 192.168.10.12
PIX1(config)# conduit deny ip any 192.168.0.0 255.255.0.0
PIX1(config)# conduit permit tcp host web eq http any
PIX1(config)# conduit permit tcp host mail eq smtp any
PIX1(config)# conduit permit tcp host dns eq domain any
PIX1(config)# conduit permit udp host dns eq domain any
PIX1(config)# conduit permit icmp 172.16.0.0 255.240.0.0 object-group dmzhosts
PIX1(config)# conduit permit icmp 172.16.0.0 255.240.0.0 object-group dbhosts
PIX1(config)# conduit permit icmp 10.1.1.0 255.255.255.0 any object-group icmp-outside-in
PIX1(config)# conduit deny icmp any any
PIX1(config)# conduit deny ip any any

Configure outbound statements. Each list starts with a deny-all entry and then opens only what the policy allows; when no protocol is given, the PIX assumes TCP, and an except entry carves a destination-based exception out of the list it belongs to:

PIX1(config)# outbound 10 deny 0 0 0
PIX1(config)# outbound 10 permit 172.16.0.0 255.240.0.0
PIX1(config)# outbound 10 deny 172.16.0.0 255.240.0.0 pop3
PIX1(config)# outbound 10 deny 172.16.0.0 255.240.0.0 143
PIX1(config)# outbound 20 deny 0 0 0
PIX1(config)# outbound 20 except 192.168.10.0 255.255.255.0 sqlnet
PIX1(config)# outbound 30 deny 0 0 0
PIX1(config)# outbound 30 permit 192.168.10.11 255.255.255.255 smtp
PIX1(config)# outbound 30 permit 192.168.10.10 255.255.255.255 domain
PIX1(config)# outbound 30 permit 192.168.10.0 255.255.255.0 http

Apply the outbound statements to the appropriate interfaces:

PIX1(config)# apply (inside) 10 outgoing_src
PIX1(config)# apply (dbdmz) 20 outgoing_src
PIX1(config)# apply (dmz) 30 outgoing_src




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240