Monday, June 28, 2010

Internet Network Filtering Part 4

With the inbound filtering configure it is time for filtering the DMZ’s. The focus of the 4th part of the series will be configuring the ACL’s for the customer DMZ.

The perimeter architecture consists of two DMZ’s. The first DMZ is called “Service” DMZ, the second is called “customer”. The customer DMZ consists of systems used by Widgets to interact with Widgets customers, these systems include the web site, online shopping and online support database.

When configuring network access its’ important to ensure exposing only required ports. Because there are requirements for two DMZ’s we must create two ACL’s. To create the customer DMZ ACL we must identify we systems, their IP addresses and the required ports for the customer DMZ.

Listed below are the requirements for the customer DMZ:

Widgets Website – 5.2.3.80 (192.168.1.80) [tcp/80]
Widgets Extranet Website – 5.2.3.143 (192.168.1.143) [tcp/80 & tcp/443]
Widgets Online Database – 5.2.3.44 (192.168.1.44) [tcp/80 & tcp/443]
Widgets 3rd Party Online Database Support Applications – 5.2.3.250 (192.168.1.250) [tcp/12345, tcp/23456, & tcp/34567]

With requirements defined its time to create the access-list. Since this is the ACL for the customer DMZ the ACL name will be customer_access_in. Because traffic will be responding to the request we must ensure that we permit traffic from our DMZ host back to the original request. Here is how the ACL will be configured:

access-list customer_access_in permit tcp any 192.168.1.80 eq 80
access-list customer_access_in permit tcp 192.168.1.80 eq 80 any
access-list customer_access_in permit tcp any 192.168.1.143 eq 80
access-list customer_access_in permit tcp 192.168.1.143 eq 80 any
access-list customer_access_in permit tcp any 192.168.1.143 eq 443
access-list customer_access_in permit tcp 192.168.1.143 eq 443 any
access-list customer_access_in permit tcp any 192.168.1.44 eq 80
access-list customer_access_in permit tcp 192.168.1.44 eq 80 any
access-list customer_access_in permit tcp any 192.168.1.44 eq 443
access-list customer_access_in permit tcp 192.168.1.44 eq 443 any
access-list customer_access_in permit tcp any 192.168.1.44 eq 12345
access-list customer_access_in permit tcp 192.168.1.44 eq 12345 any
access-list customer_access_in permit tcp any 192.168.1.44 eq 23456
access-list customer_access_in permit tcp 192.168.1.44 eq 23456 any
access-list customer_access_in permit tcp any 192.168.1.44 eq 34567
access-list customer_access_in permit tcp 192.168.1.44 eq 34567 any
access-list customer_access_in deny ip any any


With the customer DMZ ACL built it must be applied. Cisco ASA firewall ACL’s are not applied to an interface so to bind the customer ACL we type the following commands:

asa(config)#access-group customer_access_in in interface dmz1

The customer DMZ is should not be accessible from the Internet! The next article will focus on the service DMZ.

Until next time.........

No comments:

Post a Comment

 
Site Meter