Wednesday, December 26, 2007

firewall-wizards Digest, Vol 20, Issue 11

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: PIX access-list help (Fetch, Brandon)
2. Re: PIX access-list help (Fetch, Brandon)
3. Re: PIX access-list help (Farrukh Haroon)
4. PIX and access-lists (Mikael Velschow-Rasmussen)


----------------------------------------------------------------------

Message: 1
Date: Tue, 25 Dec 2007 17:13:50 -0500
From: "Fetch, Brandon" <bfetch@tpg.com>
Subject: Re: [fw-wiz] PIX access-list help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AA8E89377DCB1C498CF19E343CA49D8E2DB468@NYEXCHSVR01.texpac.com>
Content-Type: text/plain; charset="us-ascii"

Easiest thing to remember is any communication is allowed from a higher
security interface to a lower security one (inside to outside, inside to
DMZ, DMZ to outside) unless explicitly prevented.

Next thing is to remember the application of ACLs is from the physical
interface's perspective.

You create an ACL and apply it either in or out of the interface.

To prevent packets from leaving that network, i.e. coming "in" to the
interface, apply "access-group in interface blah".

To prevent packets from entering that network, i.e. going "out" to that
interface, apply "access-group out interface blah".

Allowing packets from the Internet to a DMZ host requires two items:
A "static" configuration line mapping the outside IP & port to the
internal IP & port.
An inbound ACL applied "in" on the outside interface.

In your particular case it sounds like a minor change of your ACL and
the application in the opposite direction on the DMZ interface would fix
the problem.

Some examples:
static (DMZ,outside) tcp 22.22.22.22 http 10.10.10.10 http netmask 255.255.255.255 0 0
static (DMZ,outside) tcp 22.22.22.23 smtp 10.10.10.11 smtp netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 22.22.22.22 eq http
access-list inbound permit tcp any host 22.22.22.23 eq smtp
access-group inbound in interface outside
(allow web access to 22.22.22.22 & SMTP to .23 from the Internet)

access-list DMZ-to-inside permit tcp host 10.10.10.11 host 192.168.1.11 eq smtp
access-group DMZ-to-inside in interface DMZ
(allow SMTP from DMZ-10.10.10.11 to inside-192.168.1.11)

To prevent outbound from the inside network to either Internet or DMZ
you can apply an ACL "out" on the inside interface.

access-list inside-out permit tcp any any eq http
access-list inside-out permit tcp any any eq 443
access-list inside-out permit tcp any host 192.168.1.11 eq smtp
access-group inside-out in interface inside
(This will only allow outbound HTTP/S & SMTP to either the Internet or
DMZ)

You can also help lock down any packet leakage by applying an outbound
ACL to your outside interface to allow only what you want leaving your
network.

Remembering to do both sides of the firewall is a good security practice
overall.

HTH,
Brandon

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
Brian Blater
Sent: Friday, December 21, 2007 11:02 AM
To: FW Wiz
Subject: [fw-wiz] PIX access-list help

I'm a little befuddled with PIX access lists and need some help and
understanding. I have a PIX 515 version 6.3(3) with 3 interfaces -
outside, inside, dmz. Up till now I have only been using the outside
and inside interface. I have started configuring the dmz interface and
have set it at security50 (outside = 0, inside = 100). I currently
have only an access-list on the outside interface allowing some
specific traffic in to the inside network. Right now the inside and
dmz can talk to the internet just fine and the inside can talk to the
dmz network fine. However, I want to implement an access-list on the
dmz interface and this is where the problems start. If I assign an
access list to the dmz port to allow smtp from a dmz host to the
inside mail server I no longer have communication to the internet from
the dmz and the inside cannot talk to the dmz because of the implicit
deny of the access list.

So, my main question, is there an access list command I can have that
basically says "allow all communication from the dmz to the internet"
and one that says "allow communication from the inside to the dmz"? I
know I can add "access-list dmz permit ip host 192.168.1.1 any" and
that solves the problem of getting to the internet, but then it opens
all communication to the inside from this host and I don't want to do
that. Since this is version 6.3(3) I can't use an out access-list
which I think might solve the problem. I have enough memory to run
version 7.x on this PIX, but I'm trying to tackle one problem at a
time and I'm a little hesitant about doing the 7.x upgrade just yet.

I have more questions, but I think I'll start here for now and ask the
other questions when they are more relevant.

Thanks for your help,
Brian
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information.
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.

------------------------------

Message: 2
Date: Tue, 25 Dec 2007 17:16:02 -0500
From: "Fetch, Brandon" <bfetch@tpg.com>
Subject: Re: [fw-wiz] PIX access-list help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AA8E89377DCB1C498CF19E343CA49D8E2DB469@NYEXCHSVR01.texpac.com>
Content-Type: text/plain; charset="us-ascii"

Oh - my earlier response presumed NOT performing any NAT'ing between the
inside & DMZ interfaces.

access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat 0 (inside) access-list nonat
nat 0 (DMZ) access-list nonat

Sorry for the double response to your question!
Brandon

------------------------------

Message: 3
Date: Tue, 25 Dec 2007 02:20:22 +0300
From: "Farrukh Haroon" <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] PIX access-list help
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<eff3217d0712241520t2a35fbg73064b4cd9d69a56@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Brian, as you stated in version 6.x you cannot have outbound ACLs.

"allow all communication from the dmz to the internet"

This can be done by the ACL you suggested:

access-list dmz permit ip <dmz-subnet> <dmz-subnet-mask> any

If you don't want certain or all DMZ hosts to initiate traffic to the
inside, you can add some deny ACLs on top of the above access-list; the
access-list is processed in the order you define 'em. The 'show access-list'
command would show you these line numbers. E.g. the below ACL denies DMZ
host 192.168.1.1 from going to the inside host 10.10.10.10, but it can go
everywhere else...

access-list dmz line 1 extended deny ip host 192.168.1.1 host 10.10.10.10
access-list dmz line 2 extended permit ip host 192.168.1.1 any

Regarding your statement:

"inside cannot talk to the dmz because of the implicit
deny of the access list."

I really don't think this is true :). Which implicit deny are you talking
about here? You never applied an access-list on the inside interface. Let's
say inside user 10.10.10.5 wants to speak to DMZ host 192.168.1.5; what
really is required?

- At least a dynamic NAT (since it's version 6.x and there is nat-control).
Static NAT, identity NAT etc. would also work....

- Since it's Higher to Lower, there is a Default Implicit Permit.

All traffic that the firewall can 'inspect' will be allowed back by virtue
of the state table (the DMZ ACL would not be checked here since this would be
'returning traffic')..... However, if you are running a protocol that uses
'embedding' to hide IP/Ports etc. (like most MultiMedia apps) or you are
using a protocol like FTP/TFTP/XDMCP that does not behave in a symmetric
manner (in terms of flows), you need the firewall to do 'fixup' for that
particular protocol. If you were using normal pings to check, just make sure
you are inspecting icmp: 'fixup protocol icmp'.

Regards

Farrukh


------------------------------

Message: 4
Date: Wed, 26 Dec 2007 10:59:33 +0100
From: "Mikael Velschow-Rasmussen" <mvr@nworks.dk>
Subject: [fw-wiz] PIX and access-lists
To: <firewall-wizards@listserv.icsalabs.com>, <brb.lists@gmail.com>
Message-ID:
<BF2754820AFAC34EAA01B7BA21FF89CD0B17A6@aragorn.nworks.local>
Content-Type: text/plain; charset="us-ascii"

Brian wrote:
> ...
> So, my main question, is there an access list command I can have that
> basically says "allow all communication from the dmz to the internet"
> and one that says "allow communication from the inside to the dmz"? I
> know I can add "access-list dmz permit ip host 192.168.1.1 any" and
> that solves the problem of getting to the internet, but then it opens
> all communication to the inside from this host and I don't want to do
> that. Since this is version 6.3(3) I can't use an out access-list which
> I think might solve the problem. I have enough memory to run version 7.x
> on this PIX, but I'm trying to tackle one problem at a time and I'm a
> little hesitant about doing the 7.x upgrade just yet.
> ...

Before the Cisco PIX used access-lists, it implemented the following model:
- The security level defines from which interface to which interface
traffic is allowed to initiate (i.e. all traffic from inside to outside
is permitted, and all traffic from outside to inside is denied).
- If you wanted traffic from a low to a high security level to be initiated
(i.e. permitted) you had to use conduit statements (the conduit
command plus a static command typically, to e.g. allow incoming mail
traffic).
- Example:
static (inside,outside) public-outside-ip inside-private-ip
conduit permit tcp host public-outside-ip eq smtp any
- If you wanted to deny traffic from low to high (the default was, as seen
above, to permit anything) you needed to use the outbound and apply
commands.

I guess Cisco wanted to bring the IOS command syntax and the PIX syntax
closer together, so they implemented access-list commands in the PIX.
(There is also more flexibility/features in the ACL command structure.)

With the use of access-lists the need for security levels actually
disappears. If you need to implement ACLs that comply with the security
level model described above, just use the following:
access-group outside-acl in interface outside
access-group inside-acl in interface inside
access-list outside-acl deny ip any any
access-list inside-acl permit ip any any
These 4 lines accomplish the same as the security level commands in the
'old' PIX language.
(But I guess Cisco just kept the security level in to ensure that
customers did not inadvertently open up the whole Internet to the
inside network.)

So back to your case!
The following list on your dmz should suffice:
access-group dmz-acl in interface dmz
access-list dmz-acl permit tcp host dmz-host-ip private-lan-ip/24 eq smtp
access-list dmz-acl deny ip any private-lan-ip/24
access-list dmz-acl permit ip any any
(Note: it's assumed that the private LAN is a /24 subnet, and that there
is no NAT between inside and DMZ (i.e. a NAT 0 rule).)
You shouldn't need to change anything under the inside or outside
interface since you're already using the above mentioned 4 lines
implicitly through the use of security levels.

Regards
Mikael Velschow-Rasmussen
M.Sc.e.e., CCIE #9973, CCSI #22493,
INFOSEC, SANS GCFW #0565, HP MASE
mvr@nworks.dk
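The points made across these replies (first-match processing with an implicit deny at the end of a bound ACL, as in Farrukh's two-line example, and the security-level default that applies to an interface with no ACL bound, as in Mikael's dmz-acl) can be checked with a small model. This is an added example, not code or configuration from any of the list posts; it assumes Brian's levels (outside 0, dmz 50, inside 100) and uses constructed addresses: DMZ host 192.168.1.1 and an inside LAN of 10.10.10.0/24, following Farrukh's numbering.

```python
"""Toy first-match model of PIX 6.x inbound access-lists (added example,
not from the list posts). Security levels follow Brian's setup:
outside=0, dmz=50, inside=100. All addresses are constructed samples."""
from ipaddress import ip_address, ip_network

SEC_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

def _net(spec):
    """'any', 'host A.B.C.D' or 'A.B.C.D/len' -> ip_network."""
    if spec == "any":
        return ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ip_network(spec.split()[1] + "/32")
    return ip_network(spec, strict=False)

def ace(action, proto, src, dst, dport=None):
    """One access-list entry, kept in the order it was written."""
    return {"action": action, "proto": proto, "src": _net(src),
            "dst": _net(dst), "dport": dport}

def _matches(entry, proto, src, dst, dport):
    return (entry["proto"] in ("ip", proto)
            and ip_address(src) in entry["src"]
            and ip_address(dst) in entry["dst"]
            and (entry["dport"] is None or entry["dport"] == dport))

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; a bound ACL ends in an implicit deny."""
    for entry in acl:
        if _matches(entry, proto, src, dst, dport):
            return entry["action"]
    return "deny"

def decide(groups, ingress, egress, proto, src, dst, dport=None):
    """New connection arriving on `ingress`, leaving via `egress`. The ACL
    applied 'in' on the ingress interface decides; with no ACL bound there,
    the security-level default applies (higher to lower is permitted)."""
    if ingress in groups:
        return evaluate(groups[ingress], proto, src, dst, dport)
    return "permit" if SEC_LEVEL[ingress] > SEC_LEVEL[egress] else "deny"

# Mikael's dmz-acl with constructed values: DMZ host 192.168.1.1 may relay
# SMTP to the 10.10.10.0/24 inside LAN, nothing else from the DMZ reaches
# the inside, and everything else (i.e. the Internet) stays open.
DMZ_ACL = [
    ace("permit", "tcp", "host 192.168.1.1", "10.10.10.0/24", 25),
    ace("deny", "ip", "any", "10.10.10.0/24"),
    ace("permit", "ip", "any", "any"),
]
GROUPS = {"dmz": DMZ_ACL}  # access-group dmz-acl in interface dmz; nothing else bound

if __name__ == "__main__":
    print(decide(GROUPS, "dmz", "inside", "tcp", "192.168.1.1", "10.10.10.10", 25))
```

Swapping DMZ_ACL for Brian's single "permit ip host 192.168.1.1 any" line shows why he was unhappy with it: every inside port becomes reachable from that host.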


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 20, Issue 11
************************************************