Re: [fw-wiz] DMZ traffic out to internet with PIX 515

On Fri, 2007-01-05 at 14:47 -0800, Paul Madore wrote:
I have a PIX 515 running 6.3 with three interfaces including inside, outside
and DMZ. I have a webserver in the DMZ that receives traffic on 80 and 443.
Currently no traffic can go out of the DMZ to the inside or outside
interfaces. My problem is: I want to be able to get out to the internet
from the DMZ.

Ouch! Be very careful with outbound traffic from the DMZ. You really
want to think about this. When servers get compromised, say through a
SQL injection or remote script include of sorts, the server will create
a connection to the outside so that the hacker can upload hacking tools
to the server or get a remote command shell from the server.

I see this all too often during pentests. Environments with unrestricted
Internet access from the servers/DMZ fall very quickly. I thought
everyone got the last refresher of that lesson again when CodeRed was
making its rounds back in 2001.

Evaluate why you need outbound access. If it is for virus updates,
consider pulling updates from internal AV distribution servers instead.
Also, DNS and time server requests should go to your own servers. Things
like credit card processing of course will have to leave the DMZ to the
Internet, but in those cases only allow those servers that need outbound
access to only those sites they need to get to. Don't give all servers
unrestricted outbound access, or you're asking for trouble.

Remember, servers are there to serve, that is, to answer requests.
Rarely do they have to establish connections to the outside.


It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
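The egress policy described above, written as a PIX 6.3 access list, as an added example that is not the poster's or the list's own configuration. The interface name "dmz" and all addresses (web server 192.168.2.10, internal DNS 10.0.0.53, internal NTP 10.0.0.123, internal AV server 10.0.0.20, payment gateway 203.0.113.10) are assumed placeholders.

```cisco
! Added example (not from the original thread). Assumed names/addresses:
!   dmz interface is "dmz", web server 192.168.2.10,
!   internal DNS 10.0.0.53, internal NTP 10.0.0.123,
!   internal AV update server 10.0.0.20, payment gateway 203.0.113.10.
!
! This list governs only what the DMZ host may START; the web server
! still answers on 80/443 inbound under the outside interface's own rules.
!
! Name resolution and time only to our own servers on the inside.
access-list dmz_out permit udp host 192.168.2.10 host 10.0.0.53 eq domain
access-list dmz_out permit udp host 192.168.2.10 host 10.0.0.123 eq ntp
! AV signatures pulled from an internal distribution server, not the Internet.
access-list dmz_out permit tcp host 192.168.2.10 host 10.0.0.20 eq www
! The one business flow that genuinely has to leave to the Internet
! (card processing), pinned to the single host and port it needs.
access-list dmz_out permit tcp host 192.168.2.10 host 203.0.113.10 eq https
! Everything else the DMZ tries to start is dropped and logged. A hit on
! this line from a web server is a strong compromise indicator; alert on it.
access-list dmz_out deny ip any any log
! Apply as the inbound filter on the dmz interface (packets entering the
! PIX from the DMZ). Once applied, this list decides all outbound flows;
! the default permit toward lower-security interfaces no longer applies.
access-group dmz_out in interface dmz
```

Filtering is only half the picture on a PIX: the DMZ host also needs a translation (nat/global or static) toward each interface it is allowed to reach, which is why the poster sees nothing leaving the DMZ today.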


firewall-wizards mailing list
