Traffic Filtering between Security Zones

I have an organization's network, containing 4 zones: inside, outside, DMZ1 and DMZ2. DMZ1 contains external-facing servers - DNS, WEB and Mail servers. DMZ2 hosts internal servers - Radius, DHCP, Database, File, and Application servers. All the zones are connected to the enterprise edge router. The problem is I don't understand what kind of traffic should be permitted between zones. How I see it:

Inside - DMZ1: The traffic should be inspected and inside should be allowed to get the web, DNS, and mail traffic on ports 25,43,80,53. All the other traffic will be blocked.

Inside - DMZ2: Inside should get packets from radius, DHCP, database, file, and application servers.

Outside - inside: traffic blocked, only VPN allowed. (Company has two separate locations and VPN will be used for communication)

DMZ1 - Outside: All the servers should be seen on the internet. (Not sure)

DMZ2 - Outside: All the traffic is blocked.

I'm very new to networking and security and I might have a lot of mistakes. I would really appreciate the help to figure out what traffic should be passed between these zones to make the organization runnable.

Accepted Solution

Francesco Molino
VIP Alumni

Hi

Your use-cases look ok.

If you're using a L7 firewall, I would filter based on application as much as possible and avoid using ports whenever it's possible. This will help tweaking what traffic is really allowed, because 1 port can transport multiple applications.

DMZ1 accesses the internet, this is good, but you might want to implement some additional security features like IPS, Threat, URL filtering and limit what applications/ports are allowed. You don't want to have wide open rules from dmz to internet.

DMZ2 won't have internet access but you might want to have specific accesses for updates (OSA, Packages...)

You should also allow inside users to the internet. If you don't have any proxy, you'll leverage your L7 firewall features, or use a proxy if you have any so the proxy server will be the only one accessing the internet.

You might want to have some rules between dmz1 and dmz2 (app/port specific rules) because your webserver might have its database located in the dmz2 zone.

From outside to inside, sure you definitely want to drop the traffic except vpn. However, you don't want your vpn users to access anything on the inside on any port; you want to limit those accesses.

If you don't know the flow, you will open a larger rule, analyse the traffic and then restrict these accesses, so you'll be able to enforce your security without impacting the business too much. I say too much because for sure when you're enforcing the security, you'll impact something, even if it'll be something not important. The goal is to analyse so you can build your rules in a secure way.

Hope that clarifies your question a bit.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
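The zone matrix from the question and the tightening Francesco describes, written out as a Cisco IOS zone-based policy firewall configuration. This is an added example, not configuration from the poster or from Francesco's reply. Everything concrete in it is assumed: the interface names, the addressing (INSIDE 10.0.0.0/16, DMZ2 10.2.0.0/24, DMZ1 publicly addressed in 203.0.113.0/24 so no NAT is involved in the ACL matches), the per-server addresses and the database and application ports. Each zone pair gets only the flows the question lists, with `drop log` on everything else so the "open, observe, restrict" step has something to read.

```cisco
! Zones, one per segment in the question
zone security INSIDE
zone security OUTSIDE
zone security DMZ1
zone security DMZ2
!
! Interface-to-zone mapping (interface names assumed)
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 zone-member security DMZ1
interface GigabitEthernet0/3
 zone-member security DMZ2
!
! Inside -> DMZ1: only the services the question lists (DNS, web, mail),
! matched by application rather than by port, as the reply recommends
class-map type inspect match-any CM-INSIDE-DMZ1
 match protocol dns
 match protocol http
 match protocol https
 match protocol smtp
policy-map type inspect PM-INSIDE-DMZ1
 class type inspect CM-INSIDE-DMZ1
  inspect
 class class-default
  drop log
zone-pair security INSIDE-DMZ1 source INSIDE destination DMZ1
 service-policy type inspect PM-INSIDE-DMZ1
!
! Inside -> DMZ2: pinned per server and port (addresses and ports assumed).
! DHCP is not listed: the router relays it (ip helper-address), so it
! originates from the router's self zone, which is permitted by default.
ip access-list extended ACL-INSIDE-DMZ2
 permit udp 10.0.0.0 0.0.255.255 host 10.2.0.10 range 1812 1813
 permit tcp 10.0.0.0 0.0.255.255 host 10.2.0.20 eq 445
 permit tcp 10.0.0.0 0.0.255.255 host 10.2.0.30 eq 1433
 permit tcp 10.0.0.0 0.0.255.255 host 10.2.0.40 eq 8443
class-map type inspect match-all CM-INSIDE-DMZ2
 match access-group name ACL-INSIDE-DMZ2
policy-map type inspect PM-INSIDE-DMZ2
 class type inspect CM-INSIDE-DMZ2
  inspect
 class class-default
  drop log
zone-pair security INSIDE-DMZ2 source INSIDE destination DMZ2
 service-policy type inspect PM-INSIDE-DMZ2
!
! DMZ1 -> DMZ2: only the web server to its database, nothing else
ip access-list extended ACL-DMZ1-DMZ2
 permit tcp host 203.0.113.20 host 10.2.0.30 eq 1433
class-map type inspect match-all CM-DMZ1-DMZ2
 match access-group name ACL-DMZ1-DMZ2
policy-map type inspect PM-DMZ1-DMZ2
 class type inspect CM-DMZ1-DMZ2
  inspect
 class class-default
  drop log
zone-pair security DMZ1-DMZ2 source DMZ1 destination DMZ2
 service-policy type inspect PM-DMZ1-DMZ2
!
! Outside -> DMZ1: publish exactly the three services, each to its own server
ip access-list extended ACL-OUTSIDE-DMZ1
 permit udp any host 203.0.113.10 eq domain
 permit tcp any host 203.0.113.20 eq www
 permit tcp any host 203.0.113.30 eq smtp
class-map type inspect match-all CM-OUTSIDE-DMZ1
 match access-group name ACL-OUTSIDE-DMZ1
policy-map type inspect PM-OUTSIDE-DMZ1
 class type inspect CM-OUTSIDE-DMZ1
  inspect
 class class-default
  drop log
zone-pair security OUTSIDE-DMZ1 source OUTSIDE destination DMZ1
 service-policy type inspect PM-OUTSIDE-DMZ1
!
! DMZ1 -> Outside: what the public servers need to initiate (recursive DNS,
! outbound mail, package updates over HTTPS), not a wide-open rule
class-map type inspect match-any CM-DMZ1-OUTSIDE
 match protocol dns
 match protocol smtp
 match protocol https
policy-map type inspect PM-DMZ1-OUTSIDE
 class type inspect CM-DMZ1-OUTSIDE
  inspect
 class class-default
  drop log
zone-pair security DMZ1-OUTSIDE source DMZ1 destination OUTSIDE
 service-policy type inspect PM-DMZ1-OUTSIDE
!
! Outside -> Inside, Outside -> DMZ2 and DMZ2 -> Outside have no zone-pair,
! so the firewall drops them by default. If DMZ2 hosts need an update mirror,
! add a zone-pair in the same shape as DMZ1-DMZ2, pinned to that mirror.
```

Two points on using this. First, the site-to-site VPN: if the tunnel terminates on the edge router itself, the IKE/ESP packets are addressed to the router and land in its self zone, which is allowed by default, so the Outside-to-Inside pair can stay absent; put the tunnel interface into its own zone (for example `zone-member security VPN`) so the decrypted traffic gets a VPN-to-INSIDE zone-pair that is restricted the way Francesco describes rather than inheriting the inside's trust. Second, the tightening loop: start a pair with a broader class, leave `drop log` on `class-default`, and read the hits with `show policy-map type inspect zone-pair` and the drop logs before narrowing the ACL or protocol list to what the business actually used.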
