PIX ruleset/NAT question



Patrick M. Hausen
07-25-2004, 01:42 AM
Hello!

Configuring my very first PIX (515, 6.3.3) setup but having
quite a bit of experience with other firewall solutions, I'm
a bit puzzled by all the "magic" and "implicit" stuff going on.

The setup in question consists of an inside network, the Internet
and 4 DMZs for servers with different trust models.
Once I enabled NAT for traffic flowing from the inside to the
outside network (dynamic, interface PAT), the PDM forced me to
add NAT rules for all the DMZs, too. Of course I don't want that.
Since inside and DMZs use RFC 1918 addressing, there is no point
in hiding information - any connection should be visible as is so
one can deploy additional logging and authentication,
if the connection is allowed by the firewall in the first place.

I found out about "exempt" rules - OK, a bit complicated: first enable
NAT, then exempt all internal-DMZ and DMZ-DMZ traffic. But workable.

Next: permit (e.g.) HTTP from inside to outside:0.0.0.0/0.
Result when clicking on "Show Details": not only does the firewall
permit HTTP connections to be initiated from the inside network
to the Internet but it adds rules to permit initiation of HTTP
connections to all the DMZs since they have a lower security level
than the internal network ...

Is this really the philosophy behind this thing? I'd rather have
a ruleset that achieves precisely what I tell it to and nothing
else. Is there a way around this behaviour besides adding a truckload
of "deny" rules for everything you want to allow from one interface
to one and only one other interface?
Set the security level of all the DMZs to 0? Or to 100? What will
happen in these cases?

The documentation is not precisely confusing, I'm confused about
why anyone would choose such an implementation concept for a
firewall.

What if I reverse the security levels? I'd get rid of all the
implicit NAT and permit rules ...

What's the canonical way of setting up a PIX the way I want to?

Thanks in advance,
Patrick
--
punkt.de GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de

Rich Myerly
07-25-2004, 01:42 AM
Patrick,

You are seeing a "feature" of the PIX with the default of traffic being
permitted to flow from a higher-security interface to a lower. If you
define access-lists and apply them with the access-group command to
those higher-security interfaces, you will have full control over the
traffic. FYI, it is not recommended to set any security levels to the
same number - always have each interface use a unique number on a PIX.

Rich

Patrick M. Hausen wrote:
> Hello!
>
> Configuring my very first PIX (515, 6.3.3) setup but having
> quite a bit of experience with other firewall solutions, I'm
> a bit puzzled by all the "magic" and "implicit" stuff going on.
>
> The setup in question consists of an inside network, the Internet
> and 4 DMZs for servers with different trust models.
> Once I enabled NAT for traffic flowing from the inside to the
> outside network (dynamic, interface PAT), the PDM forced me to
> add NAT rules for all the DMZs, too. Of course I don't want that.
> Since inside and DMZs use RFC 1918 addressing, there is no point
> in hiding information - any connection should be visible as is so
> one can deploy additional logging and authentication,
> if the connection is allowed by the firewall in the first place.
>
> I found out about "exempt" rules - OK, a bit complicated: first enable
> NAT, then exempt all internal-DMZ and DMZ-DMZ traffic. But workable.
>
> Next: permit (e.g.) HTTP from inside to outside:0.0.0.0/0.
> Result when clicking on "Show Details": not only does the firewall
> permit HTTP connections to be initiated from the inside network
> to the Internet but it adds rules to permit initiation of HTTP
> connections to all the DMZs since they have a lower security level
> than the internal network ...
>
> Is this really the philosophy behind this thing? I'd rather have
> a ruleset that achieves precisely what I tell it to and nothing
> else. Is there a way around this behaviour besides adding a truckload
> of "deny" rules for everything you want to allow from one interface
> to one and only one other interface?
> Set the security level of all the DMZs to 0? Or to 100? What will
> happen in these cases?
>
> The documentation is not precisely confusing, I'm confused about
> why anyone would choose such an implementation concept for a
> firewall.
>
> What if I reverse the security levels? I'd get rid of all the
> implicit NAT and permit rules ...
>
> What's the canonical way of setting up a PIX the way I want to?
>
> Thanks in advance,
> Patrick
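
A concrete version of Rich's advice for the topology Patrick describes, written as an added example for this page and not a configuration posted by either participant. It targets PIX 6.3 CLI syntax; the interface names, the addresses (inside 10.1.0.0/24, dmz1 10.2.0.0/24, dmz2 10.3.0.0/24, a web server at 10.2.0.10) and the ACL names are assumptions, and two DMZs stand in for Patrick's four. The point it demonstrates is that an access-list bound to a higher-security interface with access-group replaces the implicit "permit to every lower-security interface" with exactly the listed lines plus an implicit deny, so the unwanted inside-to-DMZ HTTP permits never exist, and that "nat 0 access-list" keeps RFC 1918 addresses untranslated between inside and the DMZs while interface PAT still applies towards the Internet.

```cisco
! Added example, not from the thread. PIX 6.3 syntax; addresses, interface
! names and ACL names are assumptions chosen for illustration only.

! Unique security levels per interface (6.x cannot pass traffic between two
! interfaces that share a level).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security40

ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
ip address dmz1 10.2.0.1 255.255.255.0
ip address dmz2 10.3.0.1 255.255.255.0

! Interface PAT for anything that leaves towards the Internet (pool 1).
! In 6.x every interface whose hosts cross the firewall needs a translation,
! which is why PDM insisted on NAT rules for the DMZs as well.
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.255.0
nat (dmz1) 1 10.2.0.0 255.255.255.0
nat (dmz2) 1 10.3.0.0 255.255.255.0

! NAT exemption: inside <-> DMZ and DMZ <-> DMZ keep their real addresses.
! "nat 0 access-list" takes precedence over pool 1 and, unlike plain "nat 0",
! allows connections to be initiated from either side of the match.
access-list NONAT_INSIDE permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT_INSIDE permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
access-list NONAT_DMZ1 permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (dmz1) 0 access-list NONAT_DMZ1

! Explicit ruleset for the inside interface. Once this ACL is bound with
! access-group, the implicit high-to-low permit is gone: inside hosts may
! reach only the single DMZ web server plus HTTP on the Internet, and the
! logged deny lines stop "any" from silently matching the DMZ subnets.
access-list INSIDE_IN permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.10 eq www
access-list INSIDE_IN deny ip any 10.2.0.0 255.255.255.0 log
access-list INSIDE_IN deny ip any 10.3.0.0 255.255.255.0 log
access-list INSIDE_IN permit tcp 10.1.0.0 255.255.255.0 any eq www
access-group INSIDE_IN in interface inside

! Same treatment for each DMZ. An ACL is also the only way a lower-level
! interface (dmz2, 40) can ever initiate towards a higher one (dmz1, 50).
access-list DMZ1_IN permit tcp 10.2.0.0 255.255.255.0 any eq www
access-group DMZ1_IN in interface dmz1
access-list DMZ2_IN permit tcp 10.3.0.0 255.255.255.0 host 10.2.0.10 eq www
access-group DMZ2_IN in interface dmz2
```

After applying it, "show access-list INSIDE_IN" shows per-line hit counters, which is the quickest way to confirm that an inside-to-DMZ HTTP attempt lands on the deny line rather than on the final permit, and "show nat" lists the exemption and pool statements in the order the PIX evaluates them. Note that the two deny lines must precede the "permit ... any eq www" line: the ACL is matched top down, and without them "any" covers the DMZ networks exactly as the PDM warning described.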

Patrick M. Hausen
07-25-2004, 01:42 AM
Hello!

Rich Myerly <news@myerly.net> wrote:

> You are seeing a "feature" of the PIX with the default of traffic being
> permitted to flow from a higher-security interface to a lower. If you
> define access-lists and apply them with the access-group command to
> those higher-security interfaces, you will have full control over the
> traffic. FYI, it is not recommended to set any security levels to the
> same number - always have each interface use a unique number on a PIX.

That would imply using the CLI instead of PDM, right?

Have to check with the customer if this is acceptable. It would
effectively lock them out of changing the rules after me leaving
the premises. Which may be a good thing, though. ;-)

If I went this way would I leave PDM aside completely and define
all rules as access-lists in the CLI?

Thanks,
Patrick

Rich Myerly
07-25-2004, 01:43 AM
Patrick,

I must admit I have little experience with PDM. From what I have seen
and done, I can use both without interaction problems. I use PDM to try
it one way, CLI to try another, and look at the opposite to see how they
are interpreted. I think you could define it in the CLI and
maintenance could be done in the PDM. Or, just define the ACLs in the
PDM and see how it likes it.

Rich

Patrick M. Hausen wrote:

> Hello!
>
> Rich Myerly <news@myerly.net> wrote:
>
>
>>You are seeing a "feature" of the PIX with the default of traffic being
>>permitted to flow from a higher-security interface to a lower. If you
>>define access-lists and apply them with the access-group command to
>>those higher-security interfaces, you will have full control over the
>>traffic. FYI, it is not recommended to set any security levels to the
>>same number - always have each interface use a unique number on a PIX.
>
>
> That would imply using the CLI instead of PDM, right?
>
> Have to check with the customer if this is acceptable. It would
> effectively lock them out of changing the rules after me leaving
> the premises. Which may be a good thing, though. ;-)
>
> If I went this way would I leave PDM aside completely and define
> all rules as access-lists in the CLI?
>
> Thanks,
> Patrick