Dan,
Comments embedded:
Daniel Crichton wrote:
>
> On 17 Feb 00, at 10:12, Kent Hundley wrote:
>
> > I don't know why you would want to do this, and in any event this cannot
> > be done with the PIX. If you are on the inside already, you can't send
> > packets to the PIX and have them routed back to the inside. Devices on
> > the inside would connect to the inside server directly.
>
> Could you confirm that this is really true? If so, I have a serious problem here
> - we bought our PIX on the understanding that we would not need to change
> any of our servers except the IP addresses on the NICs. I need to put my
> mail/dns and web/dns servers inside my firewall, and to keep DNS
> management easy I want the web server to be able to talk to the mail server
> using its outside IP address.
>
I have to agree with Peter (who also responded to this), you should be
using a "split brain" DNS. One for your inside devices and one for your
outside devices. If you use a DNS on the outside only, it can be
queried and reveal information about your internal IP addressing
structure that would better be kept secret. Most organizations use this
approach.
> I can't believe that the PIX won't allow this -
Although I have not personally tried it, I have spoken with engineers
who have and none of them were able to have this work. Unfortunately I
don't have access to a PIX at the moment, so perhaps someone else can
test this and give a definitive response.
> if I want my web server at
> 10.1.1.1 (outside address 11.11.11.11) to talk to my mail server at 10.1.1.2
> (outside address 11.11.11.12) I should be able to use either 10.1.1.2 or
> 11.11.11.12. In fact, it would be safer if the web server did talk to the mail via
> the PIX, so that the apps on the web server can only do to the mail server
> what the rest of the world can (send mail via SMTP).
If your servers are on the same segment, it does not really provide any
additional security to try and route traffic between them to another
device on the same segment. Placing your servers on the same segment
does not give you physical separation. Without physical separation you
are in a "fail open" stance. If your server is compromised, I can
easily reach the next device and avoid your filtering software. I would
say that doing what you're asking gives the illusion of security without
actually providing it, which is arguably more dangerous than not
providing it at all.
This is the same approach as if you had your internal and external
segments on the same physical wire and used policy routing or IP
addressing to separate them out. While it may work, it isn't "fail
closed" and it won't stop a skilled attacker. Physical separation is a
much better approach.
>
> If the PIX can't do this then I've got to run 2 set of DNS servers, one pair for
> the public to use and one pair for my servers to use, or use the hosts file for
> the servers.
Yes, and this is recommended (the dual DNS servers, not the hosts
file). Take a look at "Building Internet Firewalls" and "DNS and BIND",
both by O'Reilly. They address this issue specifically.
>
> This causes problems if the 2 aren't synchronised - what if someone adds an
> outside address to the DNS to map to another server inside the DMZ and
> then creates an app on my web server that needs to talk to it? The
> connection never gets established unless someone remembers to add the
> DMZ address to the hosts file on the web server, plus I have to find a way of
> synchronising all of the hosts file.
I would argue that if you're making changes that affect your security
infrastructure, it's a good thing when things fail if people don't follow
proper procedures. In general, security and usability are inversely
proportional. The easier your system is to change or "work around", the
less secure it is. This is a fundamental paradigm.
I like it when someone tries to change things and it doesn't work
because they didn't make all the necessary changes. It's the same thing
that would happen if an attacker made the change. If your system is
weakened so that it works when random changes are made, chances are you're
making enough assumptions to leave significant security holes.
> Could Cisco really have made a firewall
> that causes such problems?
I suppose it's a matter of perspective, but I don't see this as a
problem.
> Do all firewalls prevent hosts inside from
> connecting to other hosts inside via their outside addresses?
Don't know. There's probably some that allow this, but I don't see a
lot of value to providing such a solution. If you want to control
access between devices, they should reside on different interfaces on a
firewall. At a minimum, you should consider using VLANs, which is
better than nothing, but not as good as physical separation. (The PIX
doesn't support VLANs.)
Regards,
Kent
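A concrete way to build the "split brain" DNS recommended above, as an added example that is not part of this thread: a BIND 9 configuration that serves one view to the 10.1.1.0/24 inside network and another to everyone else, using the web (10.1.1.1 / 11.11.11.11) and mail (10.1.1.2 / 11.11.11.12) addresses from Daniel's message. The zone name example.com, the file names and the ns1/ns2 host names are assumptions.

```conf
// /etc/named.conf (added example, not from the thread). Assumes the inside
// network is 10.1.1.0/24 and the zone name example.com; adjust to your site.
acl "inside" { 10.1.1.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    allow-transfer { none; };   // never hand out either zone by AXFR
};

// Inside hosts (web 10.1.1.1, mail 10.1.1.2) get the private answers.
view "internal" {
    match-clients { "inside"; };
    recursion yes;              // inside hosts may use this as their resolver
    allow-recursion { "inside"; };
    zone "example.com" {
        type master;
        file "db.example.com.internal";
    };
};

// Everyone else gets only the outside (NAT) addresses and no recursion.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "db.example.com.external";
    };
};

; ===== /var/named/db.example.com.internal (constructed sample zone) =====
$TTL 3600
@     IN  SOA  ns1.example.com. hostmaster.example.com. ( 2000021701 3600 900 604800 300 )
      IN  NS   ns1.example.com.
      IN  NS   ns2.example.com.
      IN  MX   10 mail.example.com.
ns1   IN  A    10.1.1.1
ns2   IN  A    10.1.1.2
www   IN  A    10.1.1.1
mail  IN  A    10.1.1.2

; ===== /var/named/db.example.com.external (constructed sample zone) =====
$TTL 3600
@     IN  SOA  ns1.example.com. hostmaster.example.com. ( 2000021701 3600 900 604800 300 )
      IN  NS   ns1.example.com.
      IN  NS   ns2.example.com.
      IN  MX   10 mail.example.com.
ns1   IN  A    11.11.11.11
ns2   IN  A    11.11.11.12
www   IN  A    11.11.11.11
mail  IN  A    11.11.11.12
```

The two zone files still have to be kept in step by hand (same record set, bumped serials), so the synchronisation concern raised in the thread does not disappear with views; it is just confined to one server and one change procedure. Verify the split with `dig @server www.example.com` from an inside host and from outside and confirm that only the outside query ever returns a public address.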
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]