Firewall Wizards mailing list archives

Re: Another Newbie with questions


From: "Bill Pennington" <bpennington () lucidnetworks com>
Date: Wed, 11 Aug 1999 07:57:51 -0700

First off, good choice on the Pix, I love these boxes. They can be difficult
to configure if you are not familiar with IOS but if you are not going to
let any traffic through the firewall, they are pretty easy. A couple of
points:

1. Avoid the use of the established command like the plague. It is evil.

2. The Pix works best with NAT (Network Address Translation). This is where
you have private network addresses inside (10.*, 192.168.*) and the Pix
translates them into "Real" addresses. If you are going to be using a Pix
you should get up to speed on this technology. (At least Cisco's version)

3. I recommend most of my clients get Webtrends for Firewalls and VPNs. This
product will collect the Pix log files (via syslog) then you can run all
kinds of reports on the data. Very good product. If they only made a Linux
version :-(. You can check it out and download a demo at www.webtrends.com.

Good Luck!

Bill Pennington
Consultant
Lucid Networks


-----Original Message-----
From: Michael Kelley <michaelkelley () home com>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Tuesday, August 10, 1999 11:20 PM
Subject: Another Newbie with questions



Greetings,

My company is going to have to open an Internet connection soon in order
to do business with a client.
The decision has been made to use a PIX <sp?> firewall. I'm told these
are some fairly stout devices and darned near impenetrable.

It's looking more and more like I will be the guy doing the
maintenance of the Firewall/Security setup for our company. I don't
have much experience, but I'm told that I am the most paranoid person in
my department. <heh>

What I'm looking for is personal opinions regarding this device. I
understand it has logging capabilities and is configurable (I'm told
it's a bitch to configure). I've been doing my best to get up to speed
on the subject of network security. I've been reading "Firewalls and
Internet Security" by Cheswick and Bellovin, and "Hacker Proof" by
Klander and Renehan. I think I'm beginning to get a glimmer of
understanding about the issues I will have to deal with. I'm trying to
learn as much as possible so that when I examine log files, I can
understand what I'm looking at.
I'd also like to know if there are things I should do to help shore up
any weaknesses in this type of firewall, if any.


I've already started putting the bug in the ears of the deciding
authorities at the office about restricting internet access to only the
places we have to go. Since word got out that we will be getting access,
the "Gods Must Be Crazy" syndrome (#1) has hit the office and suddenly,
everyone thinks they have a reason to have access to the Internet.
I'm making a big deal out of describing how an unwitting user can bring
down a virus by grabbing the latest whack-a-mole game. (We use Inoculan,
so I'm not really that worried about viri on the network.) I am of the
opinion that if we begin with a drastic, "don't you dare go to Persian
Kitty", style of internet policy, it will be somewhat easier to maintain
productivity and reduce risks to the network.

#1- The Gods Must Be Crazy Syndrome: Based on a movie of the same name.
When a remote tribe of people receive an empty Coca Cola bottle dropped
from a plane flying overhead, they don't know what to do with it.
They've never seen one before. But soon, the tribe begins fighting
amongst themselves because all of a sudden, _everyone_ needs to use it.
The same can be said for Internet access in a company that never had it
before.



