PIX515E One way trust NT4 Server on DMZ & Win2k inside

armandoferreira
Level 1

Having a PDC running IIS FTP Server on the DMZ and a Win2K AD mixed-mode domain inside, with a PIX 515E version 6.1(4) with 1 outside, 1 inside and 1 DMZ network. How can I configure my access-lists for allowing FTP to outside users and inside users, and first, how can I establish a one-way trust so the PDC trusts inside users but the inside AD mixed-mode domain does not trust DMZ PDC users.

Thanks.


7 Replies

Patrick Iseli
Level 7

Example for ftp access:

fixup protocol ftp 21
access-list acl_outside permit tcp any host FTP-Public eq 21
access-group acl_outside in interface outside
static (dmz,outside) FTP-Public FTP-DMZ netmask 255.255.255.255

These first three commands open FTP access from the outside to the DMZ interface.

static (inside,dmz) Inside-Network Inside-Network netmask 255.255.255.0

This disables NAT from the inside interface to the DMZ interface. To ftp on the server use the local private IP.

Here is an example config from cisco:

Configuring the PIX Firewall with Mail Server Access on DMZ Network

See: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

Check this documentation for the NetBios configuration and limitations:

Configuring PIX to Allow Remote Access to Shared Folders on an NT Domain

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801ab781.shtml

sincerely

Patrick

Hi Patrick,

I have followed your post and also:

How to Configure a Firewall for Domains and Trusts

support.microsoft.com/support/kb/articles/q179/4/42.asp

and;

Domain Browsing with TCP/IP and LMHOSTS Files

support.microsoft.com/support/kb/articles/Q150/8/00.ASP

Now I have NT PDC with IIS FTP trusting on AD Inside Users with the following PIX515e config:

access-list from-outside-coming-in permit tcp any host FTP-Public eq ftp
access-list from-outside-coming-in deny ip any any
access-list from-dmz-coming-in permit icmp host FTP-DMZ Inside-Network 255.255.255.0
access-list from-dmz-coming-in permit tcp host FTP-DMZ host DC-1 eq 139
access-list from-dmz-coming-in permit udp host FTP-DMZ host DC-1 eq netbios-dgm
access-list from-dmz-coming-in permit udp host FTP-DMZ host DC-1 eq netbios-ns
access-list from-dmz-coming-in permit tcp host FTP-DMZ host DC-1 eq domain
access-list from-dmz-coming-in permit udp host FTP-DMZ host DC-1 eq domain
access-list from-dmz-coming-in permit tcp host FTP-DMZ host DC-2 eq 139
access-list from-dmz-coming-in permit udp host FTP-DMZ host DC-2 eq netbios-dgm
access-list from-dmz-coming-in permit udp host FTP-DMZ host DC-2 eq netbios-ns
access-list from-dmz-coming-in permit tcp host FTP-DMZ host DC-2 eq domain
access-list from-dmz-coming-in permit udp host FTP-DMZ host DC-2 eq domain
access-list from-insidezone-coming-in permit icmp Inside-Network 255.255.255.0 host FTP-DMZ
access-list from-insidezone-coming-in permit tcp host DC-1 host FTP-DMZ eq 139
access-list from-insidezone-coming-in permit udp host DC-1 host FTP-DMZ eq netbios-dgm
access-list from-insidezone-coming-in permit udp host DC-1 host FTP-DMZ eq netbios-ns
access-list from-insidezone-coming-in permit tcp host DC-1 host FTP-DMZ eq domain
access-list from-insidezone-coming-in permit udp host DC-1 host FTP-DMZ eq domain
access-list from-insidezone-coming-in permit tcp host DC-2 host FTP-DMZ eq 139
access-list from-insidezone-coming-in permit udp host DC-2 host FTP-DMZ eq netbios-dgm
access-list from-insidezone-coming-in permit udp host DC-2 host FTP-DMZ eq netbios-ns
access-list from-insidezone-coming-in permit tcp host DC-2 host FTP-DMZ eq domain
access-list from-insidezone-coming-in permit udp host DC-2 host FTP-DMZ eq domain
access-list from-insidezone-coming-in permit tcp Inside-Network 255.255.255.0 host FTP-DMZ eq ftp
access-list from-insidezone-coming-in permit tcp Inside-Network 255.255.255.0 host FTP-DMZ eq ftp-data
access-list from-insidezone-coming-in deny ip any any
nat (inside) 1 Inside-Network 255.255.255.0 0 0
static (inside,dmz) Inside-Network Inside-Network netmask 255.255.255.0 0 0
static (dmz,outside) FTP-Public FTP-DMZ netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 router 1

....

I don't know if this is the correct way, but it works.

Comments are appreciated.

1.) Your access-lists are good, but for Active Directory some ports are missing.

See this Microsoft article: http://www.microsoft.com/serviceproviders/columns/config_ipsec_p63623.asp

RPC endpoint mapper 135/tcp, 135/udp
NetBIOS name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
RPC dynamic assignment 1024-65535/tcp
SMB over IP (Microsoft-DS) 445/tcp, 445/udp
LDAP 389/tcp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
DNS 53/tcp[1], 53/udp

I mean AD is a nightmare for a firewall. I don't think that browsing will ever work because it uses broadcasts. But with the AD tree it will be OK.

2.) You do not have to add the "deny ip any any" at the end of an access-list.

After the last line the PIX FOS will automatically add that line, but it is never shown in the config.

3.) SECURITY RISK WITH A DOMAIN CONTROLLER IN THE DMZ !!!

Why do you want to use AD in the DMZ? I mean this is, if we forget for a moment the AD tree for password and user accounts in a domain, a security nightmare.

Imagine you have a publicly accessible service such as FTP that uses cleartext passwords. So everybody who could place a sniffer in the right place could figure out all passwords in a couple of days, hours.

If someone breaks into your IIS/FTP server, a hacker, he has a domain controller in his hand and can do a lot of things. He can even flood your network with smurf attacks, as ICMP is fully open. Do you remember viruses such as SoBig and Blaster?

Sorry to give a security speech, but I find it important that you are aware of your (HIGH) SECURITY RISK.

sincerely

Patrick
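As an added illustration of item 1 above (not code from this thread or from Cisco), a small Python checker that parses host-to-host permit lines in the PIX 6.x style used in the posted config and reports which of the Microsoft-listed AD ports the DMZ-to-DC access-list still lacks. The sample ACL text is constructed from the DC-1 lines posted above, and the RPC dynamic range 1024-65535/tcp is left out because it is a range rather than a single "eq" port.

```python
import re

# Required DMZ -> DC (proto, port) pairs from the Microsoft list quoted above;
# the RPC dynamic range 1024-65535/tcp is omitted (a range, not an "eq" port).
REQUIRED_AD_PORTS = {
    ("tcp", 135), ("udp", 135), ("tcp", 137), ("udp", 137), ("udp", 138),
    ("tcp", 139), ("tcp", 445), ("udp", 445), ("tcp", 389), ("tcp", 636),
    ("tcp", 3268), ("tcp", 3269), ("tcp", 53), ("udp", 53),
}

# PIX 6.x port keywords that appear in configs like the one posted above.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "domain": 53, "netbios-ns": 137,
              "netbios-dgm": 138, "netbios-ssn": 139, "ldap": 389}

# Only host-to-host permit lines ending in "eq <port>" are matched.
PERMIT_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+(tcp|udp)\s+host\s+(\S+)\s+host\s+(\S+)\s+eq\s+(\S+)$")

# Constructed sample: the DC-1 part of the posted from-dmz-coming-in list.
SAMPLE_CONFIG = """
access-list from-dmz-coming-in permit icmp host FTP-DMZ Inside-Network 255.255.255.0
access-list from-dmz-coming-in permit tcp host FTP-DMZ host DC-1 eq 139
access-list from-dmz-coming-in permit udp host FTP-DMZ host DC-1 eq netbios-dgm
access-list from-dmz-coming-in permit udp host FTP-DMZ host DC-1 eq netbios-ns
access-list from-dmz-coming-in permit tcp host FTP-DMZ host DC-1 eq domain
access-list from-dmz-coming-in permit udp host FTP-DMZ host DC-1 eq domain
"""

def parse_permits(config):
    """Return (acl, proto, src, dst, port) tuples for host-to-host permit lines."""
    permits = []
    for line in config.splitlines():
        m = PERMIT_RE.match(line.strip())
        if not m:
            continue  # icmp, network-wide and deny lines are ignored
        acl, proto, src, dst, port = m.groups()
        port = int(port) if port.isdigit() else PORT_NAMES.get(port)
        if port is not None:
            permits.append((acl, proto, src, dst, port))
    return permits

def missing_ad_ports(config, src, dst):
    """Required (proto, port) pairs with no permit line from src to dst, sorted."""
    allowed = {(proto, port) for _, proto, s, d, port in parse_permits(config)
               if s == src and d == dst}
    return sorted(REQUIRED_AD_PORTS - allowed)

if __name__ == "__main__":
    for proto, port in missing_ad_ports(SAMPLE_CONFIG, "FTP-DMZ", "DC-1"):
        print(f"missing: {proto}/{port}")
```

Run against the sample it lists nine gaps (RPC endpoint mapper, NetBIOS name service over TCP, SMB/445, LDAP and the global catalog ports), which is the point of the reply: an NT/AD trust needs far more than the NetBIOS and DNS rules posted.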

Security is the goal of my scenario.

I want to give FTP access from my inside users to the server on DMZ as well as to outside users.

I believe that with a one-way trust my inside AD will not trust the DMZ, but my users will be trusted for FTP on the DMZ server. I have a lot of users inside that need to access my DMZ's FTP, so I'm thinking of creating this scenario: a one-way trust between my NT4/IIS PDC on the DMZ and my AD inside.

Is there any other solution with NT/IIS on the DMZ, the PIX in the middle and Win2K AD on the inside that accomplishes my needs?

TIA

Armando

Radius !

How about using a Radius or Tacacs server for the authentication. Radius could be used from the IAS Windows service. This would reduce the amount of ports to be trusted between the two devices.

I have dropped my initial plan on the one-way trust!

I will follow the bastion host on a standalone server solution and put it on my DMZ.

I don't have so many clients on FTP (from outside and inside) and it is possible to use non-anonymous redirected user folders for all my clients.

Also there is good information on the internet for these procedures, like IIS/NT hardening guides:

Building a Windows NT bastion host in practice (HP), from

http://people.hp.se/stnor

and

Securing Windows NT Installation - Microsoft White Paper.

Sounds more secure!

Sincerely,

Armando

Sounds much more secure !!

sincerely

Patrick