
security level for new DMZ

Jan 15, 2002
What security level should I set for a new DMZ that will contain an SMTP server?

Is the security level just a number that is used when comparing to the inside and outside interface, or does the number specify certain permissions?

Thanks
 
The way that the PIX works is that it allows connections from a higher security level to a lower security level by default (it places entries in the state table) and blocks connections from low security to high security. The only way to get connections from low security to high security is to create conduits or access-lists to open holes for a particular purpose (e.g. web or smtp).

By default the inside interface is security 100 and the outside interface is security 0. So, connections can be made from sec100 to sec0, but not from sec0 to sec100.

Are you with me so far? Good!

So, your DMZ can have a security level anywhere between 1 and 99. Let's say that you set it as 80. So, connections can be made from the inside (sec100) to the outside (sec0) and the DMZ (sec80). The DMZ (sec80) can make connections to the outside (sec0) but not the inside (sec100). If DMZ2 was set up as sec40, then DMZ would be able to connect to DMZ2, but DMZ2 wouldn't be able to initiate connections to DMZ.

So, remember .. higher sec can connect to lower sec.

Lower sec can only connect to higher sec with access-lists or conduits.

Easy!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
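The rule Chris describes, written out as a small policy check so it can be tried against the thread's example topology (inside 100, DMZ 80, DMZ2 40, outside 0). This is an added illustration, not code from the thread or from Cisco; the interface names, the `HOLES` table and the single SMTP hole from outside to the DMZ are constructed assumptions.

```python
from typing import Dict, Set, Tuple

# Constructed topology, taken from the worked example in the reply above.
INTERFACE_LEVELS: Dict[str, int] = {
    "inside": 100,
    "dmz": 80,
    "dmz2": 40,
    "outside": 0,
}

# Hypothetical "holes": conduit / access-list entries that explicitly let a
# lower-security interface initiate one service towards a higher-security one.
# Each entry is (source interface, destination interface, service).
HOLES: Set[Tuple[str, str, str]] = {
    # constructed: let the Internet deliver mail to the SMTP relay in the DMZ
    ("outside", "dmz", "smtp"),
}


def can_initiate(src: str, dst: str, service: str,
                 levels: Dict[str, int] = INTERFACE_LEVELS,
                 holes: Set[Tuple[str, str, str]] = HOLES) -> bool:
    """True if a NEW connection for `service` from src to dst is permitted.

    Higher security -> lower security: allowed by default (the firewall adds
    the flow to its state table, so the replies come back without a hole).
    Lower security -> higher security: only if an explicit hole exists for
    exactly that source, destination and service.
    """
    if src not in levels or dst not in levels:
        raise ValueError(f"unknown interface: {src!r} / {dst!r}")
    src_level, dst_level = levels[src], levels[dst]
    if src_level > dst_level:
        return True
    # Equal levels (or the same interface) are not covered by the rule in the
    # thread; treated as denied here, which is the conservative assumption.
    return (src, dst, service) in holes


def default_matrix(levels: Dict[str, int] = INTERFACE_LEVELS) -> Dict[Tuple[str, str], bool]:
    """Which interface pairs can initiate traffic with NO holes configured."""
    return {(s, d): can_initiate(s, d, "any", levels, set())
            for s in levels for d in levels if s != d}
```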
 