ASA/PIX, IDS, IPS, VPN, Cisco Secure ACS, AAA, ISE.
WeStIe
New Member
Posts:
6
Joined:
Mon Jul 25, 2005 6:18 am

Setting up a DMZ using routers

Mon Jul 25, 2005 6:20 am

I am looking for resources on how to set up a DMZ without the use of a hardware firewall. I am mostly in need of the necessary access lists for the internal and external routers. Many thanks in advance.

wael
New Member
Posts:
28
Joined:
Mon Mar 21, 2005 2:49 pm

Mon Jul 25, 2005 6:48 am

Yes, you can achieve the same result using access lists by permitting some kind of traffic to the specified host, but an access list is not as secure as a dedicated firewall.

Give more info if you can.

WeStIe
New Member
Posts:
6
Joined:
Mon Jul 25, 2005 6:18 am

Mon Jul 25, 2005 7:04 am

Image

I would like all the access lists that would be needed to make the DMZ as secure as possible.

RobO
New Member
Posts:
17
Joined:
Wed Feb 16, 2005 6:48 am

Mon Jul 25, 2005 9:16 am

Hi,

What sort of access do you need from the internet/inside to the DMZ and vice versa?

If I see correctly in the diagram (PS! What application do you use for the drawing???) you have an 1800 router.

Does it have the firewall feature set?
That has some good firewall features if you have the correct IOS, which, coupled with access-lists, should be no problem.

Let us know!

Rob

wael
New Member
Posts:
28
Joined:
Mon Mar 21, 2005 2:49 pm

Tue Jul 26, 2005 5:10 am

OK,

1- Do you want to allow access from the private network to the outside or only to the DMZ?

2- Are there any special services you need to allow, like HTTP, telnet, etc., in the DMZ?

Steve
Site Admin
Posts:
10617
Joined:
Mon Dec 06, 2004 6:46 pm
Certs:
CCNA

Tue Jul 26, 2005 8:24 am

WeStIe wrote: I would like all the access lists that would be needed to make the DMZ as secure as possible.


access-list 1 deny any

:)

RobO
New Member
Posts:
17
Joined:
Wed Feb 16, 2005 6:48 am

Tue Jul 26, 2005 4:22 pm

:lol:
Can't get any more secured than that!

wael
New Member
Posts:
28
Joined:
Mon Mar 21, 2005 2:49 pm

Wed Jul 27, 2005 5:43 am

Steve finished it :D totally secured

WeStIe
New Member
Posts:
6
Joined:
Mon Jul 25, 2005 6:18 am

Thu Jul 28, 2005 6:40 am

I've found a very helpful article which pretty much gives me everything I need to know.

http://my.execpc.com/~keithp/dmz.htm

Looks good to me. What do you guys think?

wael
New Member
Posts:
28
Joined:
Mon Mar 21, 2005 2:49 pm

Thu Jul 28, 2005 8:18 am

Well done, that's exactly your case.

But again, access lists can be tricked by experienced hackers, so it's not for securing your network, it's only for traffic management.

What do you think, guys?

WeStIe
New Member
Posts:
6
Joined:
Mon Jul 25, 2005 6:18 am

Thu Jul 28, 2005 9:04 am

I agree, to secure the DMZ like this would be nigh on impossible, but as long as the internal LAN is secure via the Proxy Server, it's a risk you have to take. My only alternative is to have a tri-homed Proxy Server and let ISA Server forward DMZ, LAN and Internet traffic accordingly. Does anyone here have any experience with this?

jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

Mon Aug 01, 2005 3:49 pm

WeStIe wrote: I would like all the access lists that would be needed to make the DMZ as secure as possible.


Uhh, WTF?

Maybe I'm off base here, but by definition a DMZ is UNSECURE, hence the need for it. A DMZ is someplace you allow untrusted people to do untrusted things. You then properly firewall after (or before, or whatever angle you happen to be looking from) that as it enters the rest of your network.

I realize I'm most likely being too literal here, but my point is don't fool yourself into thinking you have a DMZ that is even remotely secure.
