ACL placement DMZ

Delmiro Campelo
Level 1

I have a group of servers in the DMZ that need to communicate with servers in the inside network as well as the outside network. Where would be the best place to put an ACL to accomplish this?

1. DMZ interface inbound?

2. DMZ interface outbound?

3. neither

I would add more to the question

WebServer1 (dmz) needs to communicate with DBServer1 and DomainController1 in the (inside) in order to serve requests to the (outside).

Thanks,

Delmiro


6 Replies

Jouni Forss
VIP Alumni

Hi,

I would suggest using an ACL on each interface and using the inbound direction.

This is at least my personal preference and has always been.

It seems to me the clearest when you control the traffic entering from a certain network segment (inbound) rather than controlling traffic that's already come from some network segment and is now trying to head to another network segment (outbound).

If you need some specific configuration help then we might need to see the current ASA configuration to see, for example, if some NAT configurations are required between the DMZ and INSIDE to enable connections between them.

- Jouni

Thanks Jouni for your answer, it makes sense to do the ACL inbound after reading your explanation. Do you normally have an inbound ACL for your inside interface as well? I already have one inbound for my outside interface.

Thanks,
Delmiro

Hi,

I tend to personally configure an ACL for every LAN/DMZ interface protected by the firewall, even if they were used to allow all traffic. All ACLs are also configured in the "inbound" direction.

Naturally the "outside" interface only requires an ACL if you are going to host some services to the Internet from your LAN. It might also be useful in situations where you are not hosting any service but want to allow some ICMP traffic through "outside" so that, for example, Traceroute and other ICMP-related things work correctly.

You don't necessarily need an ACL on the "inside" interface since your other interfaces most likely have a lower "security-level" than the "inside" interface, so traffic would by default be allowed from "inside" to any other interface on the ASA.

Personally I just find it clearer to have an ACL on every interface so I know exactly what's allowed and don't have to care about the "security-level" values.

Remember to mark the question as answered, that is, if some reply did answer your question.

Naturally, ask more if needed.

- Jouni

Thanks Jouni, I do have one last question; again, thanks for helping. Do you have any samples that I can use as a reference for access lists on the DMZ and inside interfaces? I also want to use ACLs the same way you are suggesting and not rely on the security-level values.

Hi,

Well, every environment is a bit different, so you might have different ideas on what traffic you want to allow.

Generally though, the DMZ would be a network segment that should only be accessible from the OUTSIDE on certain ports. Likewise the DMZ should be a network segment that has very limited access to your INSIDE network, so in the event that a DMZ server gets "infected" there would be minimal risk to your INSIDE network segment and the problem would be somewhat limited to your DMZ segment.

Naturally if we are talking about a segment which doesn't have anything to do with the OUTSIDE network then the ACL rules could again be a bit different.

There are also customers that simply insist on leaving everything open even if it's suggested that the traffic should be controlled.

At its simplest you could consider the following situation:

  • LAN network 1: 10.10.10.0/24
  • LAN network 2: 10.10.20.0/24
  • LAN network 3: 10.10.30.0/24
  • DMZ network: 192.168.10.0/24

object-group network LAN-NETWORKS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
object-group network DMZ-DNS
 network-object host 8.8.8.8
 network-object host 8.8.4.4
object-group network DMZ-SMTP
 network-object host x.x.x.x
 network-object host y.y.y.y

access-list DMZ-IN remark Deny DMZ -> INSIDE
access-list DMZ-IN extended deny ip any object-group LAN-NETWORKS
access-list DMZ-IN remark Allow DNS
access-list DMZ-IN extended permit udp 192.168.10.0 255.255.255.0 object-group DMZ-DNS eq domain
access-list DMZ-IN remark Allow SMTP
access-list DMZ-IN extended permit tcp 192.168.10.0 255.255.255.0 object-group DMZ-SMTP eq smtp
access-list DMZ-IN remark Allow HTTP / HTTPS / FTP
access-list DMZ-IN extended permit tcp 192.168.10.0 255.255.255.0 any eq http
access-list DMZ-IN extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list DMZ-IN extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list DMZ-IN remark Deny DMZ -> ANY
access-list DMZ-IN extended deny ip any any

access-group DMZ-IN in interface dmz

The above is a really simple example:

  • It would first block any traffic destined to the LAN networks (since the following lines would otherwise allow services with destination "any", which is needed for Internet-bound traffic).
  • It would next allow DNS and SMTP to only selected servers.
  • Next it would allow HTTP / HTTPS / FTP to anywhere (although this could be limited if the server only needs connections to certain destinations).
  • The last line with "deny ip any any" I would configure only so that I could see the hit count in the DMZ-IN ACL at any point and easily determine how many disallowed connection attempts have been coming from the DMZ towards ANY network.

Naturally when you need to open traffic to some LAN server or host, you would then add "permit" statements at the very top of the created ACL so they would override, for their part, the "deny" statement currently at the top of the ACL.

The rules could also be DMZ-server specific. You might only allow certain servers to access the mentioned services on the OUTSIDE and block all others.

As I said it depends on the situation.

- Jouni
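As an added example (not part of Jouni's reply or of the original thread), the following Python models the DMZ-IN list above as a first-match access list: it parses the ASA-style access-list lines, resolves the object-groups, evaluates candidate flows in order, and then inserts the WebServer1 -> DBServer1 exception the original question asks about at the top of the list, the way the reply recommends (the ASA's "line 1" form). The DMZ host addresses 192.168.10.10 and 192.168.10.20, the DBServer1 address 10.10.10.50, the SQL port 1433, and the two SMTP relay addresses standing in for x.x.x.x / y.y.y.y are all assumptions, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53, "smtp": 25, "http": 80, "https": 443, "ftp": 21}
# Object-groups from the thread; the SMTP hosts are assumed stand-ins for x.x.x.x / y.y.y.y.
OBJECT_GROUPS = {
    "LAN-NETWORKS": ["10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24"],
    "DMZ-DNS": ["8.8.8.8/32", "8.8.4.4/32"],
    "DMZ-SMTP": ["198.51.100.25/32", "198.51.100.26/32"],
}

@dataclass
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp" or "udp"
    src: list            # ipaddress networks
    dst: list
    port: Optional[int]  # destination port; None matches any port
    hits: int = 0        # matches seen, like the ASA's hitcnt

def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (networks, next index)."""
    if tokens[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tokens[i] == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tokens[i] == "object-group":
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[tokens[i + 1]]], i + 2
    return [ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}")], i + 2   # "A.B.C.D MASK"

def parse_rule(line):
    """'access-list NAME [line N] [extended] permit|deny ...' -> (position or None, Rule)."""
    tokens = [t for t in line.split() if t != "extended"]   # "extended" is implicit on the ASA
    position, i = None, 2                                    # i=2 skips "access-list NAME"
    if tokens[i] == "line":
        position, i = int(tokens[i + 1]) - 1, i + 2
    if tokens[i] == "remark":
        return None, None                                    # remarks do not match traffic
    action, proto = tokens[i], tokens[i + 1]
    src, i = _parse_addr(tokens, i + 2)
    dst, i = _parse_addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return position, Rule(action, proto, src, dst, port)

class AccessList:
    def __init__(self, lines):
        self.rules = []
        for line in lines:
            self.add(line)
    def add(self, line):
        position, rule = parse_rule(line)
        if rule is None:
            return
        if position is None:
            self.rules.append(rule)          # no "line N": appended at the end, as on the ASA
        else:
            self.rules.insert(position, rule)
    def evaluate(self, src_ip, dst_ip, proto, dport):
        """First match wins; the ASA's implicit deny applies if nothing matches."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if (r.proto in ("ip", proto) and any(s in n for n in r.src)
                    and any(d in n for n in r.dst) and r.port in (None, dport)):
                r.hits += 1
                return r.action
        return "deny"

DMZ_IN = [
    "access-list DMZ-IN extended deny ip any object-group LAN-NETWORKS",
    "access-list DMZ-IN extended permit udp 192.168.10.0 255.255.255.0 object-group DMZ-DNS eq domain",
    "access-list DMZ-IN extended permit tcp 192.168.10.0 255.255.255.0 object-group DMZ-SMTP eq smtp",
    "access-list DMZ-IN extended permit tcp 192.168.10.0 255.255.255.0 any eq http",
    "access-list DMZ-IN extended permit tcp 192.168.10.0 255.255.255.0 any eq https",
    "access-list DMZ-IN extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp",
    "access-list DMZ-IN extended deny ip any any",
]

def check_policy():
    """Verdicts before/after opening the one LAN flow the poster needs (hosts and port 1433 assumed)."""
    acl = AccessList(DMZ_IN)
    web, other_dmz, db = "192.168.10.10", "192.168.10.20", "10.10.10.50"
    before = {
        "dns_out": acl.evaluate(web, "8.8.8.8", "udp", 53),
        "https_to_lan": acl.evaluate(web, "10.10.10.5", "tcp", 443),   # stopped by the LAN deny
        "ssh_internet": acl.evaluate(web, "203.0.113.7", "tcp", 22),   # hits the explicit final deny
        "web_to_db": acl.evaluate(web, db, "tcp", 1433),
    }
    # Open the exception above the LAN deny, as the reply recommends ("line 1" = top of the list).
    acl.add(f"access-list DMZ-IN line 1 extended permit tcp host {web} host {db} eq 1433")
    after = {
        "web_to_db": acl.evaluate(web, db, "tcp", 1433),
        "other_dmz_to_db": acl.evaluate(other_dmz, db, "tcp", 1433),
        "deny_any_hits": acl.rules[-1].hits,   # the counter the reply suggests watching
    }
    return before, after
```

Call check_policy() and compare the two dicts: an HTTPS flow to 10.10.10.5 is denied only because the LAN deny sits above the "permit ... any eq https" line, and the 1433 exception works for the one DMZ host it was written for while another DMZ host is still denied. The same harness can be pointed at any exported access-list to catch a permit that lands below the deny meant to constrain it.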

You're amazing Jouni! thanks.
