Re: DMZ security Issue

Well, a simple test will confirm.

Carlos, I dont know which it is but you either did not read my post well or
did not understand it altogether. Whichever, read it once again and you
will see that I said if there is an ACL on the interface where the traffic
originates, yes, the traffic is subjected to the ACL rule.

Is there is no ACL on the interface the traffic originates from, and there
is an ACL on the return path interface, then the firewall will not subject
the traffic to the return path ACL.

This can be demostrated on the ASA below. I have configured a DENY ALL ACL
on the outside (network interface) and I was able to initiate a telnet
session from a device behind the ASA just fine. Why did the traffic allow
this? Simply because of the security level rule of firewalling, which if I
understand well is Sameer's first question.

Sadiq

DC-ASA1(config)#
DC-ASA1(config)# sh run int
!
interface GigabitEthernet0/0
 nameif network
 security-level 0
 ip address 10.241.1.68 255.255.255.248 standby 10.241.1.69
 pim dr-priority 120
!
interface GigabitEthernet0/1
 nameif datacenter
 security-level 100
 ip address 10.243.100.1 255.255.255.0 standby 10.243.100.2
!
DC-ASA1(config)# access-group DENY_ALL in in network
DC-ASA1(config)#
DC-ASA1(config)# sh run route
route network 0.0.0.0 0.0.0.0 10.241.1.67 1
DC-ASA1(config)# sh run access-group
access-group DENY_ALL in interface network
DC-ASA1(config)#
DC-ASA1(config)# sh run policy-map
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect netbios
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class sxp-class
  set connection advanced-options tcp-state-bypass
!
DC-ASA1(config)#
DC-ASA1(config-pmap-c)#
DC-ASA1(config-pmap-c)# show conn
19 in use, 68 most used
TCP network 10.241.1.67:23 datacenter 10.243.100.5:5325, idle 0:00:03,
bytes 158, flags UIO
DC-ASA1(config-pmap-c)#
DC-ASA1(config-pmap-c)# sh run access-group
access-group DENY_ALL in interface network
DC-ASA1(config-pmap-c)#
DC-ASA1(config-pmap-c)# sh run access-list
access-list DENY_ALL extended deny ip any any
DC-ASA1(config-pmap-c)#
DC-ASA1(config-pmap-c)# logging on
DC-ASA1(config)# %ASA-5-111008: User 'enable_15' executed the 'logging on'
command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed
'logging on'
%ASA-7-609001: Built local-host datacenter:10.243.100.5
%ASA-7-609001: Built local-host network:10.241.1.67
%ASA-6-302013: Built outbound TCP connection 1012 for network:10.241.1.67/23(
10.241.1.67/23) to datacenter:10.243.100.5/5823 (10.243.100.5/5823)
DC-ASA1(config)#
DC-ASA1(config)#
DC-ASA1(config)#
DC-ASA1(config)# no logging
DC-ASA1(config)# %ASA-5-111008: User 'enable_15' executed the 'no logging
on' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed
'no logging on'
DC-ASA1(config)#
DC-ASA1(config)#
DC-ASA1(config)# sh conn
20 in use, 68 most used
TCP network 10.241.1.67:23 datacenter 10.243.100.5:5823, idle 0:00:11,
bytes 158, flags UIO

On Wed, Jul 11, 2012 at 7:52 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar>wrote:

> No, you are not.
> Marc said "implicit", you said "explicit".
> Marc says "ACL will render sec level useless", you say it will be used.
>
> I would say Marc is right, but a simple test would confirm.
> Any ACL in the path of the initiating packet will define the fate of the
> connection. The ACL will rule. If you happen to have two ACLs in the path,
> then both should permit the packet for the connection to be permitted.
>
> -Carlos
>
> Sadiq Yakasai @ 11/07/2012 15:14 -0300 dixit:
>
>> Hi Marc,
>>
>> Yes, you are right on the implicit deny on the ACL. Perhaps my statement
>> was not very clear the first time.
>>
>> What I meant to say is that when ACL's are present on the interfaces (*
>> typically* on the lower security level, outside/dmz), then traffic is
>>
>> subjected to these ACL's when it comes in via those interfaces. When
>> traffic comes in via a higher security level that has no ACL, then it will
>> be allowed back in even if the ACL on the exit interface does not allow
>> this - this is implicitly done because of the firewall inspection rule
>> (higher->lower flow).
>>
>> But I agree with you, if there is an explicit deny on the ACL on any
>> interface, then yes, the firewall shall drop that traffic.
>>
>> I think we are both saying the same thing. Right?
>>
>> Thanks,
>> Sadiq
>>
>> On Wed, Jul 11, 2012 at 6:06 PM, marc edwards <renorider_at_gmail.com>
>> wrote:
>>
>> And the more I think about it. It is due to implicit deny that comes with
>>> the ACL.
>>>
>>> Marc
>>>
>>>
>>> On Wed, Jul 11, 2012 at 10:05 AM, marc edwards <renorider_at_gmail.com
>>> >wrote:
>>>
>>> Sadiq,
>>>>
>>>> With my experiences, if the interface has ACLS it won't pass traffic to
>>>> lower zones but I will defer to expert to confirm. Thanks for pointing
>>>> out
>>>> for clarification.
>>>>
>>>> Regards,
>>>>
>>>> Marc
>>>>
>>>>
>>>> On Wed, Jul 11, 2012 at 10:00 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com
>>>> >wrote:
>>>>
>>>> Thats all right Marc. One point to add; even with access-lists, the
>>>>> security levels are infact used, but the ACL's will take precedence.
>>>>> This
>>>>> means for traffic streams that dont have entries in the ACL, the
>>>>> security
>>>>> levels' rules can permit (or otherwise) the traffic.
>>>>>
>>>>> Right?
>>>>>
>>>>>
>>>>> On Wed, Jul 11, 2012 at 5:50 PM, marc edwards <renorider_at_gmail.com
>>>>> >wrote:
>>>>>
>>>>> Is this an ASA? If so by default the secruity zones only allow higher
>>>>>> to
>>>>>> lower access and inside is always higher than DMZ
>>>>>>
>>>>>> You can change this behavior either leveling the zones (not the best
>>>>>> idea
>>>>>> for DMZ) or creating access-lists. When entering access lists keep in
>>>>>> mind
>>>>>> that security levels will no longer be used.
>>>>>>
>>>>>> HTH
>>>>>>
>>>>>> Marc
>>>>>>
>>>>>> On Wed, Jul 11, 2012 at 7:59 AM, sameer inam <i_sameer_at_hotmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> Gents ,
>>>>>>> Need some help , I m trying to access from DMZ to inside it wont
>>>>>>>
>>>>>> work
>>>>>>
>>>>>>> form
>>>>>>> some reason but other way Inside to DMZ working fine , Can any one
>>>>>>>
>>>>>> give me
>>>>>>
>>>>>>> some kind of Document or idea ,
>>>>>>> It will be much appreciated
>>>>>>> Thanks in advance
>>>>>>> Sameer
>>>>>>>
>>>>>>>
>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>
>>>>>>>
>>>>>>> ______________________________**______________________________**
>>>>>> ___________
>>>>>>
>>>>>>> Subscription information may be found at:
>>>>>>> http://www.groupstudy.com/**list/CCIELab.html<http://www.groupstudy.com/list/CCIELab.html>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>
>>>>>> ______________________________**______________________________**
>>>>>> ___________
>>>>>> Subscription information may be found at:
>>>>>> http://www.groupstudy.com/**list/CCIELab.html<http://www.groupstudy.com/list/CCIELab.html>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> CCIEx2 (R&S|Sec) #19963
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>
>
>

-- 
CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net