Case Study
We have covered many important topics in this chapter. The following case study puts the concepts and features we learned into action.
Figure 3.6 shows the network layout of the Los Angeles site at Secure Corp. The company has just bought the PIX and needs to configure it. Secure Corp. defined a security policy before purchasing the PIX, so the administrators already know how many interfaces they need. They have decided that four different security levels are required to ensure the integrity and security of the network.
Figure 3.6 A Complex Configuration Example
[Figure 3.6 (network diagram): the PIX holds the .1 address on each of its four segments. Outside: 10.1.1.0/24, toward the Internet. DMZ: 192.168.10.0/24, hosting DNS (.10), MAIL (.11) and WEB (.12). DB-DMZ: 192.168.20.0/24, hosting DB1 (.10) and DB2 (.20). Inside: 172.16.0.0/16.]
Passing Traffic • Chapter 3 123
The inside interface will be the highest security interface. All corporate users, as well as the private and internal servers, will be located behind this interface. Private addressing is used for the nodes behind it. The PIX needs to use PAT to translate their IP addresses when they send traffic to the Internet, but it should not NAT any traffic from these nodes when they access any other interface. There should be no direct access from the Internet to any server located behind this interface. No Internet POP3 or IMAP4 servers are to be accessible to nodes on the inside network, because they are a common route for viruses. All other traffic from the inside network is allowed.
The db-dmz interface will have the second highest security level. It hosts the database servers that enable the public Web server to build dynamic HTML pages. No private or confidential information is stored on these database servers. The database servers use private addressing and are the only nodes located behind this interface. They do not need access to the Internet, and no direct connections from the Internet should be allowed to them. The database servers use SQL*Net as the communication protocol with the Web server; therefore they need to be reachable from the Web server on the dmz interface. The database servers do not need direct access to any hosts on the inside network.
The dmz interface will have the third highest security level. The publicly accessible services (Web, mail, and DNS) will be located behind this interface. The servers use private addressing and therefore require static translations. Because these servers may be attacked, access to and from the Internet should be allowed only for the service that each server provides. The only direct access to the database servers that is permitted is from the Web server, on the SQL*Net service.
The outside interface will have the lowest security level. From the Internet, the company wants to allow access only to the services hosted on the dmz interface. The company also wants to make sure it will not be the victim of a spoofing attack, so it wants to filter out any inbound traffic sourced from a private address. Since hosts on the inside network are allowed to ping, the ICMP replies to those pings must be allowed back in.
We will now discuss the commands that implement this security policy. In the first example, we use only access lists. In the second example, we use conduits and outbound/apply statements.
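To make the policy concrete before walking through the book's own two versions, here is an added example of a PIX 6.x configuration that implements it with access lists; it is not the book's configuration. The interface and host addresses come from Figure 3.6. Everything else is assumed for illustration: the ethernet numbering, the security levels (100/70/50/0, which follow the ordering in the policy), the public addresses 10.1.1.10-12 for the three DMZ servers, the default gateway 10.1.1.254, and that inside users read mail from the DMZ mail server (so POP3/IMAP4 to that one host is permitted before the general deny).

```cisco
! Added example, not the book's configuration. Addresses from Figure 3.6;
! interface numbering, security levels, public server addresses and the
! gateway are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 db-dmz security70
nameif ethernet3 dmz security50
ip address outside 10.1.1.1 255.255.255.0
ip address inside 172.16.0.1 255.255.0.0
ip address db-dmz 192.168.20.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.1.1.254 1
!
! Inside -> Internet: PAT behind the outside interface address.
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
! Inside -> dmz / db-dmz: identity statics, so no address translation occurs
! between internal interfaces.
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,db-dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
! Public servers: one-to-one statics to the assumed public addresses.
static (dmz,outside) 10.1.1.10 192.168.10.10 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.11 192.168.10.11 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.12 192.168.10.12 netmask 255.255.255.255 0 0
! The Web server (lower security) must initiate to the database servers
! (higher security), so the db-dmz subnet is presented unchanged to the dmz.
static (db-dmz,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
!
! Outside: drop private-source spoofs first, then permit only the published
! services and the ICMP replies that inside users' pings generate.
! Note: the figure uses 10.1.1.0/24 as a stand-in for the public segment, so
! in that lab the 10/8 line would block it; narrow or drop it to match the
! real outside addressing.
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in permit udp any host 10.1.1.10 eq domain
access-list outside_in permit tcp any host 10.1.1.10 eq domain
access-list outside_in permit tcp any host 10.1.1.11 eq smtp
access-list outside_in permit tcp any host 10.1.1.12 eq www
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
!
! DMZ: only the Web server may reach the database servers, on SQL*Net only;
! nothing in the DMZ may initiate to the inside or otherwise to the db-dmz;
! each server may talk to the Internet only for the service it provides.
access-list dmz_in permit tcp host 192.168.10.12 host 192.168.20.10 eq sqlnet
access-list dmz_in permit tcp host 192.168.10.12 host 192.168.20.20 eq sqlnet
access-list dmz_in deny ip any 172.16.0.0 255.255.0.0
access-list dmz_in deny ip any 192.168.20.0 255.255.255.0
access-list dmz_in permit udp host 192.168.10.10 any eq domain
access-list dmz_in permit tcp host 192.168.10.10 any eq domain
access-list dmz_in permit tcp host 192.168.10.11 any eq smtp
access-group dmz_in in interface dmz
!
! DB-DMZ: the database servers never initiate connections. Replies to the
! Web server's SQL*Net sessions are matched by the PIX connection table.
access-list dbdmz_in deny ip any any
access-group dbdmz_in in interface db-dmz
!
! Inside: allow POP3/IMAP4 only to the DMZ mail server (assumption), block
! them toward any other destination, and permit everything else.
access-list inside_in permit tcp 172.16.0.0 255.255.0.0 host 192.168.10.11 eq pop3
access-list inside_in permit tcp 172.16.0.0 255.255.0.0 host 192.168.10.11 eq 143
access-list inside_in deny tcp any any eq pop3
access-list inside_in deny tcp any any eq 143
access-list inside_in permit ip any any
access-group inside_in in interface inside
```

Two points worth checking against the policy when reading this. First, PIX access lists end in an implicit deny, so the outside list admits nothing beyond the three published services and the listed ICMP replies, and the db-dmz list blocks every connection the database servers might try to open. Second, the identity statics are what allow the lower-security Web server to reach the higher-security database servers and what keep inside traffic untranslated toward the other internal interfaces; the access list on each interface then decides which of those reachable flows is actually permitted.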