Michael Torrie's Personal Wiki

You are here: start » computer_stuff » chem_firewall

Differences

This shows you the differences between two versions of the page.

--- computer_stuff:chem_firewall [2013/08/06 14:40]
Michael Torrie
+++ computer_stuff:chem_firewall [2013/08/06 16:09] (current)
Michael Torrie [Access Controls Rules]
@@ Line 30: / Line 30: @@
 passwd 2KFQnbNIdI.2KYOU encrypted
 </code>
+Since we need to pass multicast traffic for Campus IPTV, multicast routing must be enabled:
 <code>
 multicast-routing
 </code>
+Several host names are set to make the rules a bit easier to understand and write.  However it appears there area some host names that are old and maybe obsolete:
 <code>
 no names
@@ Line 76: / Line 78: @@
 name 192.168.200.57 www_rhel6 description RHEL 6 external webserver.
 !
+</code>
+==== Interfaces ====
+=== Untrusted ===
+The main, untrusted interface is Ethernet0/0.  It is assigned an address that covers all the public IP addresses that we use in the department.  The address is 128.187.3.3/25, which means it effectively has addresses 3 through 126.  Some of these are NATed to DMZ addresses, and some are used in a pool for outbound communications.
+<code>
 interface Ethernet0/0
  nameif outside
@@ Line 81: / Line 88: @@
  ip address 128.187.3.3 255.255.255.128 standby 128.187.3.2
 !
+</code>
+=== Trusted ===
+The following interface is used to carry all traffic from the inside, or trusted network, to the outside world, the DMZ, or VPN hosts.  It is **not** a VLAN trunk; it's just a access port on the core's 106 VLAN (??).  The core has the address 192.168.106.1, and the firewall has the address of 192.168.106.254 (with 192.168.106.253 as the backup, which becomes 106.254 when it comes into service).
+<code>
 interface Ethernet0/1
  nameif inside
@@ Line 86: / Line 97: @@
  ip address 192.168.106.254 255.255.255.0 standby 192.168.106.253
 !
+</code>
+=== DMZ ===
+Although the DMZ is not an actual VLAN, the firewall defines a subnet for it and acts as a router for DMZ traffic.
+<code>
 interface Ethernet0/2
  nameif dmz
@@ Line 91: / Line 106: @@
  ip address 192.168.200.1 255.255.255.0 standby 192.168.200.2
 !
+</code>
+<code>
 interface Ethernet0/3
  shutdown
@@ Line 97: / Line 114: @@
  no ip address
 !
+</code>
+<code>
 interface Management0/0
  description LAN/STATE Failover Interface
 !
+</code>
+Campus IPTV defines a multicast rendezvous point that the firewall needs to know of:
+<code>
 pim rp-address 10.3.3.199
+</code>
+<code>
 boot system disk0:/asa823-k8.bin
 ftp mode passive
@@ Line 108: / Line 132: @@
  domain-name chem.byu.edu
 same-security-traffic permit intra-interface
+</code>
+Campus IPTV comes from several multicast addresses, which we group together to make the rules easier to write:
+<code>
 object-group network MULTICAST_GROUPS
  network-object host 239.226.16.1
@@ Line 158: / Line 185: @@
  network-object host 239.226.255.1
  network-object host 239.226.255.2
+</code>
+For convenience, a protocol group is defined to let a rule be made for both a tcp and udp port in the same line.
+<code>
 object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
+</code>
+==== Access Controls Rules ====
+=== From the DMZ to the Trusted Network ===
+The following lines appear to be obsolete.  the ip addresses resolve to ns1 and ns2, but neither server hosts LDAP currently.  And port 88 is a kerberos port.  Kerberos is at ''kerberos.chem.byu.edu'' which is really on ''admin.chem.byu.edu''.  So it appears these lines can be removed:
+<code>
 access-list dmz_in extended permit tcp any host 192.168.105.36 eq 88
 access-list dmz_in extended permit tcp any host 192.168.105.36 eq ldap
@@ Line 166: / Line 201: @@
 access-list dmz_in extended permit tcp any host 192.168.105.37 eq ldap
 access-list dmz_in extended permit tcp any host 192.168.105.37 eq ldaps
+</code>
+DNS and time servers need to be accessible from the DMZ:
+<code>
 access-list dmz_in extended permit udp any host 192.168.105.10 eq domain
 access-list dmz_in extended permit udp any host 192.168.105.10 eq ntp
 access-list dmz_in extended permit tcp any host 192.168.105.10 eq domain
+</code>
+Purgatory may ssh or telnet into any trusted host:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.6 192.168.0.0 255.255.128.0 eq ssh
 access-list dmz_in extended permit tcp host 192.168.200.6 192.168.0.0 255.255.128.0 eq telnet
+</code>
+The following rule was to allow a sysadmin to ssh into purgatory and forward web connections so that the vpn concentrator could be controlled via its web interface.  The VPN concentrator is now part of this firewall, so this code is useless:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.108.6 eq www
 access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.108.6 eq https
+</code>
+The following rule is obsolete too. It allowed a sysadmin to tunnel vnc through purgatory to the old Mac OS X Server celeborn which was on port 5900:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.6 host 192.168.105.36 eq 5900
+</code>
+The following code allowed the old web server to proxy information from trusted web servers (ports 80, 443, 8080, 8180), and access the SQL servers (port 3306 for mysql, 5432 for postgresql).  This server was called www-old when the servers where changed to an split dmz/trusted arrangement, but is no longer in service.  Hence these rules should be removed as 192.168.200.50 does not appear to be alive anymore:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.12 eq https
 access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq www
@@ Line 185: / Line 235: @@
 access-list dmz_in remark New SQL
 access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.19 eq 5432
+</code>
+The following rules allow any DMZ host to access LDAP on a backup LDAP server, which is no longer in service, as near as I can tell.  So they can be removed as well:
+<code>
 access-list dmz_in extended permit tcp any host 192.168.105.18 eq ldap
 access-list dmz_in extended permit tcp any host 192.168.105.18 eq ldaps
+</code>
+Since DMZ hosts are not allowed to access the internet (though I'm unclear as to how this block was accompished!), any updates with yum and redhat's update network have to be done through the squid http proxy on admin, so dmz hosts need access to squid.  Note that this is a potential security problem, but at the time I deemed it an acceptable risk:
+<code>
 access-list dmz_in extended permit tcp any host 192.168.105.12 eq 3128
+</code>
+mail-ext1 needs access to sql server(s).  Currently only 192.168.105.19 is in use I think:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.18 eq 5432
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.19 eq 5432
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.18 eq 3306
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.19 eq 3306
+</code>
+Allow www.chem.byu.edu to access information on admin.chem.byu.edu via https (proxying), sql, the web server on the internal mail server (for the purpose of controlling the mailing list, spam stuff, etc).  Any references to 192.168.105.18 (sql-old) can be removed.  I notice that Garrett has already made some of them inactive, which is a good idea:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq https
 access-list dmz_in extended permit tcp host 192.168.200.57 host 192.168.105.12 eq https inactive
@@ Line 208: / Line 270: @@
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8080
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8081
+</code>
+Another obsolete line for www-old, which is dead:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8081
-access-list dmz_in extended permit icmp any any
+</code>
+Allow the DMZ hosts to ping anything in or out:
+<code>
+access-list dmz_in extended permit icmp any any
+</code>
+Allow mail-ext1 to reach any internal smtp server, DNS, the auth ident port (113) on any trusted computer:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.10 any eq smtp
 access-list dmz_in extended permit tcp host 192.168.200.10 any eq domain
@@ Line 215: / Line 286: @@
 access-list dmz_in extended permit udp host 192.168.200.10 any eq 113
 access-list dmz_in extended permit udp host 192.168.200.10 any eq domain
+</code>
+Allow purgatory to ssh, ftp into any BYU machine, on its private or public network.  Not sure what port 8500 is:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.6 128.187.0.0 255.255.0.0 eq ssh
 access-list dmz_in extended permit tcp host 192.168.200.6 128.187.0.0 255.255.0.0 eq ftp
@@ Line 220: / Line 294: @@
 access-list dmz_in extended permit tcp host 192.168.200.6 10.0.0.0 255.0.0.0 eq ssh
 access-list dmz_in extended permit tcp host 192.168.200.6 10.0.0.0 255.0.0.0 eq ftp
+</code>
+Allow www.chem.byu.edu to proxy web data from secure.chem.byu.edu:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq www
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq https
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8080
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8180
+</code>
+Allow any DMZ host to access LDAP:
+<code>
 access-list dmz_in extended permit tcp any host 192.168.105.12 eq ldap
 access-list dmz_in extended permit tcp any host 192.168.105.12 eq ldaps
+</code>
+Allow www.chem.byu.edu to ssh into admin.  Not sure about this rule.  It's possible that the code that generates door cards for faculty requires an ssh connection into admin to run inkscape to generate the pdf:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.12 eq ssh
+</code>
+Allow any dmz host access to ldap at a host that no longer exists. This line can be removed:
+<code>
 access-list dmz_in extended permit tcp any host 192.168.105.45 eq ldap
 access-list dmz_in extended permit tcp any host 192.168.105.45 eq ldaps
+</code>
+Allow any dmz host access to kerberos. However this ip address (an alias for ns1) does not run a kerberos server; it's on admin. So this rule can be removed:
+<code>
 access-list dmz_in extended permit udp any host 192.168.105.36 eq 88
+</code>
+Allow www to access web servers on secure.chem.byu.edu and pchem-server
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8081
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8009
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.75 eq www
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8010
+</code>
+Allow DMZ hosts to access backup ldap server, which is on printqueue
+<code>
 access-list dmz_in extended permit tcp any host 192.168.105.13 eq ldap
 access-list dmz_in extended permit tcp any host 192.168.105.13 eq ldaps
+</code>
+Allow DMZhosts to access LDAP on 101.150, which may have been the old n175-serv file server.  In any case, this address is not pinging and I believe that these entries can be removed:
+<code>
 access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldap
 access-list dmz_in extended permit tcp any host 192.168.101.150 eq ldaps
+</code>
+Allow mail and www to access sql on 192.168.105.90 which is molecule.chem.byu.edu. I don't know anything about this host:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 5432
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.90 eq 3306
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 3306
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.90 eq 5432
+</code>
+Allow mail-ext1 to access https on secure.chem.byu.edu:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.43 eq https
+</code>
+DMZ allowed to access kerberos and ldap on an obsolete host I think (address is now diskarray3).  Should be removed:
+<code>
 access-list dmz_in extended permit udp any host 192.168.105.50 eq 88
 access-list dmz_in extended permit tcp any host 192.168.105.50 eq 88
 access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldap
 access-list dmz_in extended permit tcp any host 192.168.105.50 eq ldaps
+</code>
+Allows mail-ext1 to access tcp port 2703 on any trusted host... not sure why:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.10 any eq 2703
+</code>
+Obsolete entry for www-old and tomcat again:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.50 host 192.168.105.43 eq 8181
+</code>
+Allow www.chem.byu.edu to access various web-related ports on secure (for proxying), mail-int (not sure?).
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 8181
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.43 eq 8181
+</code>
+Allowed www to proxy various things from chemmgmt-server, which is no longer here. Remove:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq www
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq https
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8080
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.58 eq 8081
+</code>
+Allow certain hosts to ssh into 192.168.0.0-192.168.127.0.0...  No clue why this is in here.  I'd say remove:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.60 192.168.0.0 255.255.128.0 eq ssh
 access-list dmz_in extended permit tcp host 192.168.200.62 192.168.0.0 255.255.128.0 eq ssh
 access-list dmz_in extended permit tcp host 192.168.200.61 192.168.0.0 255.255.128.0 eq ssh
+</code>
+Remove reference to obsolete host:
+<code>
 access-list dmz_in extended permit tcp any host 192.168.105.54 eq 2222
+</code>
+Allow mail-ext2 to access SQL (note that 105.18 is sql-old which is now obsolete and can be removed), and also the secure.chem.byu.edu https.
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 5432
 access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 5432
 access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.18 eq 3306
 access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.19 eq 3306
 access-list dmz_in extended permit tcp host 192.168.200.12 host 192.168.105.43 eq https
+</code>
+Allow mail-ext1 to access mail-related ports on mail-int:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq imap4
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq pop3
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 995
 access-list dmz_in extended permit tcp host 192.168.200.10 host 192.168.105.38 eq 993
+</code>
+Allow www.chem.byu.edu to access mail-related ports on mail-int.  This could be for web-based e-mail apps to work, or just for apps to be able to send e-mail.
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq imap4
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq pop3
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 995
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq 993
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.38 eq smtp
+</code>
+Allow www.chem.byu.edu to ssh into vm3? Might be an obsolete entry from before virtualization:
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 host 192.168.105.62 eq ssh
+</code>
+<code>
 access-list dmz_in extended permit tcp host 192.168.200.52 any eq domain
 access-list dmz_in extended permit tcp host 192.168.200.57 any eq domain

Trace:

Michael Torrie's Personal Wiki

Differences

Navigation

Search

Toolbox

QR Code