Security Basics mailing list archives

RE: Protecting PIX Firewall at the Perimeter Router


From: "Adam Maxwell" <netrunner () sneakers-inc net>
Date: Wed, 6 Nov 2002 19:41:21 -0000

The Cisco routers are based on the same IOS as the PIX firewall. You
can set ACLs for management on the Cisco routers, for the interfaces
and the console ports.

-----Original Message-----
From: John Canty [mailto:John.Canty () Vibro-Meter com] 
Sent: 05 November 2002 19:23
To: Naman Latif; security-basics () security-focus com
Subject: RE: Protecting PIX Firewall at the Perimeter Router


I have the same config here: 1720 perimeter and PIX 515E. The PIX can
be set to receive telnet and PDM from one and only one IP, and you can
also set the interface on which it will see that IP. The router I am
less familiar with. I believe you may be able to do the same. The
only downside is this gives you limited options on management, i.e.
you can only use one computer on the inside network to manage these
devices, or on the router use the aux port, and on both devices use
the console port. If you are in the field and a device chooses to
tank out on you then you could be in trouble. Multitech and other
vendors do sell RAS servers; you could allow its IP as a telnet
friendly IP, but this also opens up the possibility of someone
dialing into this thing and messing things up. Try tossing one of
these things on a PBX analog line with an extension and you may have
a good solution there. Just like anything else, eliminate needless
variables, but keep your options open. Set up gates that one must
overcome in order to gain access. //John

-----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com] 
Sent: Monday, November 04, 2002 8:47 PM
To: security-basics () security-focus com
Subject: Protecting PIX Firewall at the Perimeter Router

Hi All,

I wanted some suggestions/practical experiences for protecting a
firewall at the perimeter router level.

We have a PIX Firewall connected to our Cisco Router, which is
connected to the Internet. Should there be any IOS Firewall rules in
the router, other than blocking Telnet, FTP, etc. to the firewall
itself?

PIX will be doing NAT, protecting DMZ machines, and IPSec
connections.

Regards \\ Naman
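
The router-side management restrictions Adam and John describe, written out as an added example of IOS configuration (this is not configuration posted by anyone in the thread). Interface names, the 203.0.113.0/29 outside block with the PIX at 203.0.113.2, and the management host 10.0.0.10 are all assumed:

```cisco
! Added example (not from the thread). Assumptions: Serial0 is the Internet
! link, FastEthernet0 faces the PIX outside interface at 203.0.113.2/29,
! and 10.0.0.10 on the inside network is the single management host.
!
! 1. Only the management host may reach the router's own vty (telnet) lines.
access-list 10 remark management host only
access-list 10 permit host 10.0.0.10
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
!
! 2. Inbound filter on the Internet-facing interface. Only the traffic the
!    PIX is meant to terminate itself (IPsec) may be addressed to the PIX
!    outside address; management protocols aimed at the firewall from the
!    Internet are dropped and logged. Everything else still passes so the
!    PIX policy, not the router, makes the real decision.
ip access-list extended OUTSIDE-IN
 remark -- anti-spoofing: our own addresses must never arrive from outside
 deny   ip 203.0.113.0 0.0.0.7 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 remark -- IPsec tunnels terminating on the PIX
 permit udp any host 203.0.113.2 eq isakmp
 permit esp any host 203.0.113.2
 permit ahp any host 203.0.113.2
 remark -- no remote management of the firewall from the Internet
 deny   tcp any host 203.0.113.2 eq telnet log
 deny   tcp any host 203.0.113.2 eq 22 log
 deny   tcp any host 203.0.113.2 eq 443 log
 deny   tcp any host 203.0.113.2 eq ftp log
 deny   udp any host 203.0.113.2 eq snmp log
 remark -- everything else is left to the PIX policy
 permit ip any any
!
interface Serial0
 ip access-group OUTSIDE-IN in
```

The logged denies give an early warning of probes against the firewall's management ports before they ever reach the PIX, and the anti-spoofing lines protect the "one and only one IP" rule John describes on the PIX from being faked from the outside.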

