PIX Config


technical1 (Technical User), Sep 2, 2002, GB
Hi all,
I have a question regarding the config of a pix firewall.
At present our pix operates simply with an internal/external interface.

Internal machines have two network cards.
One card points to 192.168.245.0 network, which is then mapped to a public ip address using the pix.

Second card points to 192.168.246.0 network with mask 255.255.0.0 routing.

These machines are mainly webservers that receive requests on card one, and access the dynamic content via card two from a database.

The problem is if someone compromises card one (via port 80, web server) then they have free access to both networks.

I was wondering, if I were to have two internal interfaces on the PIX, then both networks would be behind separate interfaces.

But would performance deteriorate because the machine is now only using one card for external web requests and for retrieving dynamic content from the webserver via the PIX?

Would the solution be to use ip routing and have both network cards on the same network behind the same interface?

I hope this isn't too confusing.
Basically web servers behind one interface and database servers behind another. But utilising both network cards of the web servers!
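The poster's own proposal (web servers behind one PIX interface, database servers behind another, with the PIX mediating between them) written out as a PIX 6.x configuration. This is an added example, not configuration from the thread or from Cisco. The interface names, security levels, the public address 203.0.113.10, the hosts .10 and .20 and the database port 1433 are assumptions; substitute your own. One caveat from the original description: a 255.255.0.0 mask on the second card puts 192.168.245.0 and 192.168.246.0 in the same /16, so the example uses /24 on both networks so the PIX can treat them as distinct subnets.

```cisco
! Added example: PIX 6.x, four interfaces. Names, addresses and ports are assumptions.
! Web servers keep a single NIC on the dmz; database servers sit on dbnet.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 dbnet security75

ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.245.1 255.255.255.0
ip address dbnet 192.168.246.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Internal users out to the Internet (PAT on the outside address)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Public address for the web server; only port 80 is reachable from outside
static (dmz,outside) 203.0.113.10 192.168.245.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! dmz (security50) is lower than dbnet (security75), so the web server must be
! explicitly allowed through: identity static for the dbnet subnet, then an ACL
! that permits only the web server to the database port (1433 assumed) and
! nothing else from the dmz, including the inside network.
static (dbnet,dmz) 192.168.246.0 192.168.246.0 netmask 255.255.255.0 0 0
access-list dmz_in permit tcp host 192.168.245.10 host 192.168.246.20 eq 1433
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

With this layout a compromise of the web server leaves the attacker able to open TCP connections to one host on one port; the database servers cannot be reached on any other port and nothing on the dmz can initiate traffic to the inside network. The database side needs no rule of its own: dbnet is the higher-security interface, so replies flow back through the existing connection and the database servers are never allowed to start connections toward the dmz.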
 
It sounds to me like you have a webserver sitting off, say, a DMZ interface on your PIX, and that webserver is also connected to your internal network via its second NIC. Eeek!

You are correct in your assertion about a security risk of someone compromising the webserver and having access to your other network. You aren't running IIS webservers are you? :)

Basically you need to make a decision if this is an acceptable level of risk for you (your company). If it isn't (and that is solely for you to determine) you should consider putting the back end server(s) in the DMZ along with your web server(s) so a compromise of one machine would not give the attacker escalated privileges and access to your internal network.

I suppose adding another interface to the PIX would work but how about putting all the machines the public needs access to on the DMZ (along with the backend servers) and using a managed switch such as a Cisco catalyst and performing layer 2/3 packet filtering on that device for your backend servers? Sure you wouldn't get stateful filtering but you could restrict access to those backend servers so that only port xxx from host yyyy can access it.

Another thought along those same lines would be to keep the backend server on the local network and the web server on your DMZ interface. VLAN your Catalyst so there is logical separation between your local network and the network being used for the backend servers. While this isn't physical (read air gapped) separation, VLANs work well and again it would prevent an attacker from gaining escalated privileges into your internal network.

If you want to discuss this more, let me know.

Tom
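Tom's switch-based alternative, written out for a layer 3 Catalyst running IOS: web and database servers on separate VLANs, with an extended ACL on the database VLAN's routed interface so that only the web server's address can reach the database port. This is an added example, not configuration from the thread or from Cisco. The VLAN numbers, switch ports, hosts and the database port 1433 are assumptions. As Tom says, this filtering is not stateful: the ACL matches addresses and ports on each packet and keeps no connection table.

```cisco
! Added example: layer 3 Catalyst (IOS). VLANs, ports, hosts and 1433 are assumptions.
ip routing

vlan 245
 name web-dmz
vlan 246
 name db-backend

! Access ports: one VLAN per server role, no trunking to hosts
interface FastEthernet0/1
 description web server 192.168.245.10
 switchport mode access
 switchport access vlan 245
 spanning-tree portfast
interface FastEthernet0/2
 description database server 192.168.246.20
 switchport mode access
 switchport access vlan 246
 spanning-tree portfast

! Only the web server may reach the database, and only on the database port.
! Everything else bound for the backend VLAN is dropped and logged.
ip access-list extended WEB-TO-DB
 permit tcp host 192.168.245.10 host 192.168.246.20 eq 1433
 deny ip any any log

interface Vlan245
 ip address 192.168.245.1 255.255.255.0
interface Vlan246
 ip address 192.168.246.1 255.255.255.0
 ! "out" filters packets leaving the switch into VLAN 246, i.e. traffic to the DB hosts
 ip access-group WEB-TO-DB out
```

Applying the list outbound on Vlan246 rather than inbound on Vlan245 means the web server keeps whatever other access it needs (DNS, patching) while anything from any VLAN heading toward the backend network is restricted to the single permitted flow. Return traffic from the database leaves via Vlan245, which carries no ACL, so the stateless filter does not need an "established" rule; the trade-off is that a host on VLAN 246 itself is not prevented from initiating connections outward, which a stateful firewall interface would give you.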
 