
ASA 5508-X DMZ Scenario Help

Chris Mickle
Level 1

Hello,

 

We have a server on our internal network that we are currently using port forwarding to allow accessibility from the outside, and I am considering placing it in a DMZ to limit potential attack surface. The problem is that clients on the inside network require SMB access to the server as well. If I were to create a DMZ VLAN and place the server there, I could do the appropriate port forwarding in the DMZ instead of the inside network, but what would be the best way to allow the clients to access the SMB share located on the same server? We have an L3 switch in place. I was thinking the switch could do the inter-VLAN routing for SMB access so that all that traffic wouldn't have to traverse the ASA, but is it possible to set up the L3 switch to route traffic for only those 2 VLANs and not the others? Would an ACL on the switch be able to prevent connections initiated from the DMZ from reaching the inside network?

 

Is any of this even worth it or would I be better off just keeping the current configuration with port forwarding?

 

Thanks in advance
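For reference, this is what the switch-side approach asked about above looks like on an IOS-based L3 switch. It is an added example, not configuration from the thread, and it assumes VLAN 10 is inside (10.10.10.0/24), VLAN 20 is the DMZ (10.10.20.0/24) and the file server is 10.10.20.10; all of those values are made up for the illustration.

```cisco
! Constructed example, not from the original post.
! Assumed addressing: inside = VLAN 10 / 10.10.10.0/24, DMZ = VLAN 20 / 10.10.20.0/24,
! server = 10.10.20.10. The switch routes only between these two VLANs for SMB;
! the DMZ VLAN's other traffic still goes out through the ASA's DMZ interface.
!
! Applied inbound on the DMZ SVI: the DMZ may send inside only replies to
! SMB sessions that inside clients opened. "established" is stateless: it
! matches any segment with ACK or RST set, so it blocks new connections
! (a bare SYN never matches) but is weaker than the ASA's stateful inspection.
ip access-list extended DMZ-TO-INSIDE
 remark Return traffic of inside-initiated SMB sessions only
 permit tcp host 10.10.20.10 eq 445 10.10.10.0 0.0.0.255 established
 remark Nothing else from the DMZ may start toward inside
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 remark Other destinations (e.g. the ASA's DMZ-side address) are unaffected
 permit ip any any
!
! Applied inbound on the inside SVI: inside clients may open SMB to the
! server and nothing else into the DMZ VLAN.
ip access-list extended INSIDE-TO-DMZ
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.20.10 eq 445
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 description Inside
 ip address 10.10.10.1 255.255.255.0
 ip access-group INSIDE-TO-DMZ in
!
interface Vlan20
 description DMZ
 ip address 10.10.20.1 255.255.255.0
 ip access-group DMZ-TO-INSIDE in
```

Two caveats a practitioner would check before relying on this. First, the server's default gateway will normally be the ASA's DMZ interface, so its SMB replies to inside clients go to the ASA (which drops or mishandles them as DMZ-to-inside traffic) unless the server also has a route to 10.10.10.0/24 via the switch SVI (10.10.20.1 in this example); that static route, or a second interface on the server, is the "cobbling together" the accepted answer warns about. Second, because the switch path bypasses the ASA entirely, none of the SMB traffic is seen by the firewall or by Firepower IPS, so the DMZ's protection of the inside network is only as strong as a stateless ACL. Check the ACL counters with `show ip access-lists DMZ-TO-INSIDE` after a test session to confirm the deny line is what catches DMZ-initiated connections.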


4 Replies

Marvin Rhoads
Hall of Fame

If the server sits in the DMZ then by default you can access it from inside. If you have an ACL already on your inside interface then add an entry for the DMZ server to it explicitly.

Also by default, the DMZ server cannot initiate communications to the inside. So if the server is compromised, that segmentation reduces your attack surface as desired.
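The behaviour described in this reply, as an added ASA 9.x configuration example (not from the thread or from the replier): the DMZ interface gets a security level between inside and outside, the published application port is forwarded from the outside interface to the server, and the DMZ's default inability to initiate toward inside is made explicit with an ACL so it survives later changes to security levels. The addressing (10.10.10.0/24 inside, 10.10.20.0/24 DMZ, server 10.10.20.10), the interface name and the published port TCP 8443 are assumptions for the illustration.

```cisco
! Constructed example, not from the original post. Assumes ASA 9.x with
! inside (security-level 100) and outside (security-level 0) already defined.
! Assumed values: DMZ 10.10.20.0/24 on Gi1/3, server 10.10.20.10,
! published application port TCP 8443.
interface GigabitEthernet1/3
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Port forward: outside-interface-IP:8443 -> 10.10.20.10:8443
object network APP-SERVER
 host 10.10.20.10
 nat (dmz,outside) static interface service tcp 8443 8443
!
! Outside: only the published port reaches the server (ACLs reference the real IP)
access-list OUTSIDE-IN extended permit tcp any object APP-SERVER eq 8443
access-group OUTSIDE-IN in interface outside
!
! DMZ: the server may reach the internet but may not initiate toward inside.
! Without this ACL the same result follows from security levels (50 < 100);
! stating it explicitly keeps the protection if levels or ACLs change later.
! Replies to inside-initiated SMB sessions need no entry: the ASA is stateful.
access-list DMZ-OUT extended deny ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0 log
access-list DMZ-OUT extended permit ip 10.10.20.0 255.255.255.0 any
access-group DMZ-OUT in interface dmz
!
! Only if inside already has an inbound ACL: permit the SMB share explicitly
access-list INSIDE-IN extended permit tcp 10.10.10.0 255.255.255.0 object APP-SERVER eq 445
```

To verify the segmentation without generating real traffic, use the ASA's packet tracer from both directions: `packet-tracer input inside tcp 10.10.10.50 40000 10.10.20.10 445` should end in ALLOW, and `packet-tracer input dmz tcp 10.10.20.10 40000 10.10.10.50 445` should end in DROP at the DMZ-OUT access-list phase. With this design every SMB byte between inside clients and the server crosses the ASA and is eligible for Firepower inspection; whether that is acceptable is a question of the ASA's rated throughput against the measured SMB load, which is the trade-off the rest of this thread discusses.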

Thanks for the reply!

 

I am aware that by using a lower security level on the DMZ interface that users on the inside network would be able to access the SMB share by default, but I was trying to avoid all that traffic traversing the ASA.

The server hosts the main software they use to run their organization and is accessed by nearly all 75 or so users 24/7 so that is a lot of network traffic. Ideally, the outside component of the software could run on a separate server inside the DMZ while the SMB share could reside on a separate server on the inside network, but unfortunately, the software doesn't support that configuration.

If you want to segment the server in a DMZ then all of its ingress and egress traffic should be controlled by the firewall's security settings.

While you could put secondary interfaces on it or possibly cobble together a solution with switch-based ACLs, either would greatly reduce the effectiveness of (or even negate) the firewall's security controls, especially if you are availing yourself of IPS (Firepower) features.

Thanks a lot for the input. That is pretty much the conclusion I have come to as well. Given the design of the software, I just don't think there is a good way to do this without bogging down the ASA with tons of traffic to and from the SMB share.

 

I'll talk to the software vendor and see if there is a way to separate the outside-facing component from the inside components. That would seem to me to be the best solution because then only the communication between the software components and the relatively small amount of traffic generated by the few outside users would have to traverse the ASA.
