
New Guy Cleaning up After Old


foobad (MIS), Jul 18, 2003
I recently switched jobs and now need to clean up the PIX at the new job. Unfortunately, after 3 admins who only did enough to get it to work, it has quite a bit of cruft.

A. PDM shows a few null rules in the access list. Just delete them since they don't work anyway?

B. There is a permit rule permitting all IP traffic out of the dmz. Isn't this redundant since on most firewalls all traffic is allowed in and out of a DMZ by default? Is cisco different?

C. There is also a rule permitting outbound traffic from the dmz to the inside network. Now, assuming the rule in B is necessary, then isn't this one redundant?

With the use of group objects, I am slowly but surely untangling the quagmire of access-list statements. I think I should get an honorary CCNA when I'm done. :)
 
B & C seem true by your explanation. Question A depends. If the PDM doesn't show hits, that doesn't mean it's not needed.
 
Here is the config. It has 3 admins' worth of cruft in it. Beware. I have been trying to create groups of hosts and services to clean things up a bit. Those are the only changes I've made.

-------------------------------------------------


PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd E.tm.nFDvgE4Ki6G encrypted
hostname pixie
domain-name foo.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 7000
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name dmz.41.234.38 connect
object-group *pruned
access-list acl_dmz permit ip 172.29.0.0 255.255.0.0 dmz.dmz.234.0 255.255.255.0
access-list acl_dmz permit ip dmz.41.234.0 255.255.255.0 172.29.0.0 255.255.0.0
access-list acl_dmz permit ip dmz.41.234.0 255.255.255.0 any
access-list acl_dmz permit tcp dmz.41.234.0 255.255.255.0 host 172.29.10.77 eq 8007
access-list acl_dmz permit tcp dmz.41.234.0 255.255.255.0 host 172.29.10.77 eq sqlnet
access-list acl_dmz permit tcp dmz.41.234.0 255.255.255.0 host 172.29.10.76 eq sqlnet
access-list acl_dmz permit tcp host dmz.41.234.18 host 172.29.10.11 eq smtp
access-list acl_dmz permit tcp dmz.41.234.0 255.255.255.0 172.29.0.0 255.255.0.0 eq ssh
access-list acl_dmz permit tcp any host 172.29.0.2 eq domain
access-list acl_dmz permit udp any host 172.29.0.2 eq domain
access-list acl_dmz permit icmp any any
access-list acl_dmz permit tcp any dmz.41.234.0 255.255.255.0 eq 0
access-list acl_out permit tcp any dmz.41.234.0 255.255.255.0 eq 7000
access-list acl_out permit tcp any dmz.41.234.0 255.255.255.0 eq www
access-list acl_out permit tcp any dmz.41.234.0 255.255.255.0 eq https
access-list acl_out permit tcp host dmz.41.234.2 eq domain any
access-list acl_out permit udp host dmz.41.234.2 eq domain any
access-list acl_out permit tcp any object-group domain_ref eq domain
access-list acl_out permit udp any object-group domain_ref eq domain
access-list acl_out permit tcp any host dmz.41.234.18 object-group ftp-all
access-list acl_out permit icmp any any
access-list acl_out permit tcp any dmz.41.234.0 255.255.255.0 eq 0
access-list acl_out permit tcp any host dmz.41.235.6 eq www
access-list acl_out permit tcp any host dmz.41.234.36 eq 9090
access-list acl_out permit tcp any host dmz.41.234.16 eq 9090
access-list acl_out permit tcp any host dmz.41.234.18 eq 465
access-list acl_out deny tcp 172.29.0.0 255.255.0.0 any object-group blocked
access-list acl_out permit tcp any host dmz.41.234.2 object-group ftp-all
access-list acl_out permit tcp any host connect range 1300 1399
access-list acl_out permit ip host foo.24.12.62 host connect
access-list acl_out permit tcp any host dmz.41.234.16 range 8080 8086
access-list acl_out permit tcp any host dmz.41.234.36 eq 8190
access-list acl_out permit tcp any object-group merc_ref eq 8081
access-list acl_out permit tcp any host dmz.41.234.18 eq ssh
access-list acl_out permit tcp any host dmz.41.235.127 eq 8080
access-list acl_out permit tcp any object-group report_ref object-group crystal
access-list acl_out permit udp any host dmz.41.234.37 eq isakmp
access-list acl_out permit esp any host dmz.41.234.37
access-list acl_out permit tcp host foo.24.179.130 host dmz.41.234.36 object-group ftp-all
access-list acl_out permit tcp host foo.11.73.20 host dmz.41.235.77 eq ssh
access-list acl_out permit tcp host foo.110.45.187 host dmz.41.235.77 eq ssh
access-list acl_out permit tcp any host dmz.41.235.128 object-group mailall
access-list acl_out permit tcp any host dmz.41.234.18 eq domain
access-list acl_out permit tcp any host dmz.41.234.20 eq domain
access-list acl_out permit tcp host dmz.41.234.20 eq domain any
access-list acl_out permit tcp any host dmz.41.234.20 eq smtp
access-list acl_out permit tcp any host dmz.41.234.175 object-group ftp-all
access-list acl_out permit tcp any host dmz.41.235.129 object-group ftp-all
access-list acl_out permit tcp any host dmz.41.235.129 eq ssh
access-list acl_out permit tcp any host dmz.41.234.50 range 8080 8086
access-list acl_out permit tcp any host dmz.41.234.35 range 8086 8092
access-list inside_outbound_nat0_acl permit ip interface inside 172.29.1.240 255.255.255.240
access-list dmz_outbound_nat0_acl permit ip interface dmz 172.29.1.240 255.255.255.240
pager lines 25
logging on
logging timestamp
logging trap debugging
logging host inside 172.29.10.5
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside dmz.dmz.232.36 255.255.255.240
ip address inside 172.29.0.1 255.255.0.0
ip address dmz dmz.41.234.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool jafo 172.29.1.241-172.29.1.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location *pruned
pdm group merc dmz
pdm group merc_ref outside reference merc
pdm group domain dmz
pdm group domain_ref outside reference domain
pdm group report dmz
pdm group report_ref outside reference report
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 dmz.41.235.15-12.41.235.55 netmask 255.255.255.0
global (outside) 1 dmz.41.235.56
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.29.0.0 255.255.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
static (inside,dmz) 172.29.0.0 172.29.0.0 netmask 255.255.0.0 0 0
static (inside,outside) dmz.41.235.6 172.29.10.34 netmask 255.255.255.255 0 0
static (dmz,outside) dmz.41.234.0 12.41.234.0 netmask 255.255.255.0 0 0
static (inside,outside) dmz.41.235.77 172.29.10.77 netmask 255.255.255.255 0 0
static (inside,outside) dmz.41.235.128 172.29.10.100 netmask 255.255.255.255 0 0
static (inside,outside) dmz.41.235.129 172.29.10.101 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 dmz.41.232.33 1
timeout xlate 24:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server *section pruned
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
isakmp enable outside
console timeout 0
vpdn enable outside
terminal width 80
Cryptochecksum: *pruned
 
I should also note one of the first two rules shows up as null in PDM.
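An added example, not from this thread: a small checker for the PIX 6.x access-list syntax used in the config above. It flags rules that are shadowed by an earlier rule (the ones PDM reports as null, question A) and rules that a later, wider permit of the same action would match anyway (the dmz-to-inside permit sitting beside the dmz-to-any permit, questions B and C). The sample ACL is constructed, with 192.0.2.0/24 standing in for the anonymised DMZ network; it handles ip/tcp/udp/icmp, any/host/network-mask addresses and eq/range ports, but not object-group references, and the port-name table is partial.

```python
import ipaddress
from itertools import takewhile

# Constructed sample in PIX 6.x syntax; 192.0.2.0/24 stands in for the thread's anonymised DMZ net.
SAMPLE = [
    "access-list acl_dmz permit ip 192.0.2.0 255.255.255.0 172.29.0.0 255.255.0.0",
    "access-list acl_dmz permit ip 192.0.2.0 255.255.255.0 any",
    "access-list acl_dmz permit tcp 192.0.2.0 255.255.255.0 host 172.29.10.77 eq 8007",
    "access-list acl_dmz permit tcp host 192.0.2.18 host 172.29.10.11 eq smtp",
    "access-list acl_dmz permit icmp any any",
]
PORTS = {"www": 80, "https": 443, "smtp": 25, "domain": 53, "ssh": 22, "sqlnet": 1521}  # partial

def _addr(t):
    """Pop one PIX address spec (any | host A | A MASK) off t and return an ip_network."""
    tok = t.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    spec = t.pop(0) + "/32" if tok == "host" else f"{tok}/{t.pop(0)}"
    return ipaddress.ip_network(spec, strict=False)

def _ports(t):
    """Pop an optional 'eq P' or 'range A B' off t and return the (lo, hi) port range."""
    if t and t[0] in ("eq", "range"):
        args = t[1:3] if t[0] == "range" else t[1:2]
        del t[:len(args) + 1]
        ports = [int(PORTS.get(a, a)) for a in args]
        return (ports[0], ports[-1])
    return (0, 65535)

def parse(line):
    """Return (acl, action, proto, src, sport, dst, dport); fields are consumed left to right."""
    _, acl, action, proto, *rest = line.split()
    return (acl, action, proto, _addr(rest), _ports(rest), _addr(rest), _ports(rest))

def covers(a, b):
    """True when rule a matches every packet rule b matches (same ACL, a at least as wide)."""
    return (a[0] == b[0] and a[2] in ("ip", b[2])
            and b[3].subnet_of(a[3]) and b[5].subnet_of(a[5])
            and all(x[0] <= y[0] <= y[1] <= x[1] for x, y in ((a[4], b[4]), (a[6], b[6]))))

def shadowed(lines):
    """Indices of rules that can never match because an earlier rule (any action) covers them."""
    rules = [parse(l) for l in lines]
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]

def redundant(lines):
    """Indices of rules a later, wider same-action rule matches anyway (scan stops at an opposite action)."""
    rules = [parse(l) for l in lines]
    return [i for i, r in enumerate(rules)
            if any(covers(e, r) for e in takewhile(lambda x: x[1] == r[1], rules[i + 1:]))]
```

On the sample, the two narrow tcp permits are shadowed by the first ip permit, and the dmz-to-inside permit is redundant given the dmz-to-any permit that follows it; a shadowed rule is safe to delete, a redundant one only if the wider rule is meant to stay.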
 
HI.

I don't have specific comments for now, but I suggest that you plan your network policy from scratch (using the current status as a reference), and then implement it by erasing the pix config and building it from scratch.
This is not a must, but rather the way that I think will suit you best.

More general tips:

When planning the network layers 3-4 security I think that 2 issues should be concerned regarding the current configuration:
* You have many VPN endpoints (more than one). This is difficult to manage and secure. A single VPN endpoint (either the pix or other host) is also a security risk but is much better than what you have now.
* The many ports open to your servers can be reconsidered against your needs.

You should also remember that the pix is only a part of the bundle - application and OS security should also be taken care of (patches, configuration, etc...).


Yizhar Hurwitz
 
So what I am looking at is this. A server in the DMZ is there for the purpose of sending data to the outside world. Instead of blocking all inbound and micromanaging ports per machine, I am looking at allowing all inbound to the dmz and then blocking some key ports (nfs, smb, etc).

In theory, any port (ftp,http(s), tomcat, crystal reports, etc) running on these machines is there to serve outside clients. So allowing all but blocking internal communications ports (nfs, smb, rpc, etc) makes more sense to me anyways.

I would rather block 4-10 ports than have 60 statements opening specific ports for machines.

Does this sound reasonable?

 
HI.

> I would rather block 4-10 ports than have 60 statements opening specific ports for machines.
> Does this sound reasonable?
One can argue with that, but there is no right answer.
You best know your specific network and needs.

I think that most important are:
Designing VPN traffic and security.
Security configuration on the hosts themselves.
Filtering traffic from dmz to inside.

You can consider using AAA features of the pix applied to some inbound traffic, to control access to some services, if applicable for your type of remote users and applications.

You can also consider in the future to upgrade the pix with more interfaces, and then you can have multiple dmz zones. For example dedicated interface for mail server(s), etc.


Yizhar Hurwitz
 
The way their network is currently designed:

These guys only have around 20 servers. Some are purely internal (LAN, IS) and some are dmz (master DNS, sendmail gateway, company website, webapps for clients).

In theory, (I've only been here a few weeks at this job) they should block all incoming to the internal net from outside by default. However, the DMZ and the internal network have to be pretty free to talk to each other due to some poor implementation in the past (e.g. LAN servers sharing data with DMZ machines).

So now what I am looking at is this in pseudo logic:
1. allow all outgoing from inside and dmz to outside (with maybe a few exceptions to keep the sales guys from soaking out T1s with filesharing apps)
2. block all incoming to inside from outside
3. allow all incoming (with exceptions, e.g. icmp, nfs, smb, rpc, various NT ports) from outside to DMZ
4. allow all IP between inside and dmz

I have to say after reviewing this conf file it does appear to be harder to "fix" it than it would be to start from scratch as you suggest. The only problem with starting from scratch is figuring out what the "static" statements do, if anything at all. I have a feeling many of these rules were just thrown into the firewall config.

Also there is this:
global (outside) 1 dmz.41.235.15-12.41.235.55 netmask 255.255.255.0
global (outside) 1 dmz.41.235.56

Now, I saw that and figured I would make it a single range. Guess what? All of a sudden a few inside subnets couldn't get on the internet (outside) or to servers on the dmz.

Things like this make me wary of changing the existing conf for fear of getting the bowl of fishhooks effect. However, it is hard to test in the environment also, since a failure in configuration means your phone starts ringing immediately.
 