I am just getting started with the PIX. We have a couple installed in our organization but I have my doubts that we are properly configuring/using them. It seems like we have too many holes poked from our DMZ to our internal network. We've got the regular mail server and DNS servers in our DMZ but we are also talking about putting more servers in the same DMZ as our web and DNS.
My thought is that with the PIX 520, you can have multiple DMZs. Our web server and DNS server will probably be the most likely servers to get hacked/attacked and I think it would be in our best interest to have other servers (which in the future will house credit card information, tax information, and other important data) in a separate DMZ altogether. If we give a security number of 30 to our mail and DNS DMZ, then we could give a higher security number to our other DMZs to control traffic flow.
I was wondering if anyone out there has had experience setting up the PIX with multiple DMZs like this, or if they have had experience setting up a server that houses credit card information. I have an inkling that we are getting ourselves in way over our heads here.
Any help would be appreciated!