04-12-2007 08:11 AM - edited 03-11-2019 02:59 AM
I have recently started work for a new company and have taken over the ASA 5510 Firewall rules. I have worked with them a bit in the past, but not enough to say I am very strong or a master.
Anyway, after taking a look at the firewall rules, I was horrified with what I found. Basically, the DMZ has full access to the LAN and vice versa.
Talking with the management, I asked if we could change this because this is a huge security concern.
They finally gave me permission, but now I am in a position of:
where do I start?
how do I maximize security?
I am in the process of mapping the servers in the DMZ, what services they run, their IP's and what they need.
Does anyone have some suggestions on how to go about this?
Right now, there is one Windows server and 3 Mac OS X servers in there, hosting FTP and HTTP/HTTPS.
They should only need to come into the LAN to query our DNS server, as well as port 80 to our winupdate server for patches.
Anyone want to help me get started? I feel overwhelmed.
Thx.
04-18-2007 12:33 PM
As per your explanation, I understood that the DMZ has an equal security level to the inside (LAN) network. Then, your configuration must contain the command "same-security-traffic permit inter-interface". You should remove this command by entering "no same-security-traffic permit inter-interface" in the global configuration mode of the ASA. Then modify the security level of the DMZ to be slightly lower than the inside network. Now, the networks in the DMZ cannot access the inside network. As per your requirement, you can put ACLs in place to allow the needed traffic to come inside into the LAN.
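As an added illustration of the steps in the reply above (this is not configuration from the original thread or from Cisco; interface names, addresses, the object-group name and the ACL name are all assumed placeholders), here is what the "before" and "after" look like on an ASA: the DMZ interface is dropped below the inside security level, inter-interface traffic between equal levels is no longer permitted, and an inbound ACL on the DMZ interface allows only DNS to the internal DNS server and TCP/80 to the Windows Update server, with everything else toward the LAN denied and logged.

```cisco
! --- BEFORE (assumed weak state the original poster describes) ---
! DMZ sits at the same level as inside, and equal-level traffic is permitted,
! so DMZ hosts can reach the LAN freely and vice versa.
interface Ethernet0/2
 nameif dmz
 security-level 100
 ip address 192.168.100.1 255.255.255.0
same-security-traffic permit inter-interface

! --- AFTER (hardened; all names and addresses are placeholders) ---
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
! Stop equal-level interfaces from talking to each other (no longer needed once
! the levels differ, but removing it makes the intent explicit).
no same-security-traffic permit inter-interface
!
! The four DMZ servers named in the thread (placeholder addresses).
object-group network DMZ_SERVERS
 network-object host 192.168.100.10
 network-object host 192.168.100.11
 network-object host 192.168.100.12
 network-object host 192.168.100.13
!
! Only the two flows the poster listed are allowed from the DMZ into the LAN:
! DNS (UDP and TCP 53) to the internal DNS server, and HTTP to the update server.
access-list DMZ_IN extended permit udp object-group DMZ_SERVERS host 10.1.1.53 eq domain
access-list DMZ_IN extended permit tcp object-group DMZ_SERVERS host 10.1.1.53 eq domain
access-list DMZ_IN extended permit tcp object-group DMZ_SERVERS host 10.1.1.80 eq www
! Explicitly deny (and log) anything else aimed at the LAN so hits are visible.
access-list DMZ_IN extended deny ip any 10.1.1.0 255.255.255.0 log
! Applying an ACL replaces the implicit "permit to lower levels"; keep the
! DMZ servers' own outbound Internet access working with a final permit.
access-list DMZ_IN extended permit ip object-group DMZ_SERVERS any
!
access-group DMZ_IN in interface dmz
```

Two checks worth running after applying this, from enable mode: `show access-list DMZ_IN` shows per-line hit counts, so the deny line climbing tells you which DMZ host is still trying to reach the LAN, and `packet-tracer input dmz udp 192.168.100.10 1024 10.1.1.53 53` walks a simulated DNS packet through the rule base and reports which line allowed or dropped it. Note that lowering the DMZ level only restricts connections initiated from the DMZ; the poster's "and vice versa" concern (LAN hosts freely reaching the DMZ) still needs an ACL on the inside interface that limits LAN-to-DMZ traffic to the management and FTP/HTTP/HTTPS flows actually required.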
04-18-2007 09:19 PM
Hi Jason,
You may find the following document useful,
The above document shows access to mail server in the DMZ; but I am sure you could modify this with your requirements for your services!
Good luck and hope the above helps a little, if it does please rate posts!!
Jay