topic Re: Question in Network Security

Question

oneirishpollack — Mon, 11 Mar 2019 15:33:55 GMT

As I have muddled through setting up and working on a firewall, I have a couple questions:

1. When you create a inbound (incoming) rule (for example permitting http traffic) from a lower security interface (DMZ) to a higher security interface (inside), do you need to have a rule on the 'inside' interface in the outbound direction to allow the http traffic through? Or does the incoming rule on the lower security interface (DMZ) take care of that? Maybe my question is really, is there an implied outgoing ACL on the inside interface that would stopped traffic coming from a DMZ interface?

2. When you apply rules to an interface, where is the best place to apply them - incoming or outgoing? I am assuming closest to the sending device correct?

Re: Question

Jon Marshall — Tue, 19 May 2009 15:11:04 GMT

1) A firewall such as the pix/ASA is stateful so if you allow traffic through from a lower to higher security interface then the return traffic is automatically allowed. Note that this applies to TCP/UDP and now ICMP.

But for example if you wanted to allow GRE through your firewall you would need to allow it both ways as it is not stateful.

However TCP/UDP account for the vast majority of traffic and things like GRE are the exception rather than the rule.

2) As close to source as possible is best so usually acl's are applied in an inbound direction.

Jon

Re: Question

oneirishpollack — Tue, 19 May 2009 16:33:55 GMT

And just to be clear, there is no implicit ACL in an outbound direction is you don't specifically have one applied?

Re: Question

Jon Marshall — Tue, 19 May 2009 17:14:07 GMT

There is no implict acl in any direction from a higher to a lower security interface ie. traffic will be allowed by default from a higher to lower security interface.

Jon

Re: Question

oneirishpollack — Tue, 19 May 2009 17:41:12 GMT

And from a lower (DMZ) to a higher interface (inside), as long as there is an incoming rule on the lower interface (DMZ) that allows the traffic through, it will be able to access devices on the higher security interface.

So this:

access-list DMZ_access_in extended permit tcp any any eq www

will allow http traffic out of the DMZ, and it should be able to hit a device on the higher security 'inside' interface (or a lower security interface for that matter). Correct?

Thanks Jon. Sorry for all the questions, I just want to be sure I have a clear understanding.

Re: Question

oneirishpollack — Tue, 19 May 2009 17:41:17 GMT

So this:

access-list DMZ_access_in extended permit tcp any any eq www

will allow http traffic out of the DMZ, and it should be able to hit a device on the higher security 'inside' interface (or a lower security interface for that matter). Correct?

Thanks Jon. Sorry for all the questions, I just want to be sure I have a clear understanding.

Re: Question

Jon Marshall — Tue, 19 May 2009 17:45:44 GMT

"access-list DMZ_access_in extended permit tcp any any eq www

will allow http traffic out of the DMZ, and it should be able to hit a device on the higher security 'inside' interface (or a lower security interface for that matter). Correct?"

If the acl DMZ_access_in is applied inbound to the DMZ interface then yes the above would allow http traffic from any device in the DMZ to any device on the inside.

"or a lower security interface for that matter)"

yes, but note that you wouldn't need an acl if you just wanted to allow traffic from the DMZ to a lower security interface.

"Sorry for all the questions, I just want to be sure I have a clear understanding."

No need to apologise, this is what NetPro is for. Feel free to ask as many questions as you want 🙂

Jon