Security Basics mailing list archives
RE: Protecting PIX Firewall at the Perimeter Router
From: "Calhoun, Heath" <CalhounH () gsci state ms us>
Date: Wed, 6 Nov 2002 13:42:48 -0600
PDM and telnet from only one IP? That's the first I've heard of this. Unless you're concerned about an unattended workstation, you can have more than one IP on the telnet and pdm. On our PIX 515s, I have at least two. The BDC on site so as an administrator at any site you can remote to the server and telnet to the PIX and one other IP that would be assigned to whatever laptop we bring with us to a site. So if you had two people you wanted to be able to manage the PIX, you would just put their static IPs in the pix telnet and pdm statements.

Heath Calhoun

-----Original Message-----
From: John Canty [mailto:John.Canty () Vibro-Meter com]
Sent: Tuesday, November 05, 2002 1:23 PM
To: Naman Latif; security-basics () security-focus com
Subject: RE: Protecting PIX Firewall at the Perimeter Router

I have the same config here: 1720 perimeter and PIX 515e. The PIX can be set to receive telnet and pdm from one and only one IP, and you can also set the interface on which it will see that IP. The router, I am less familiar with. I believe you may be able to do the same.

The only downside is this gives you limited options on management. I.E. you can only use one computer on the inside network to manage these devices, or on the router use the aux port, and on both devices use the console port. If you are in the field and a device chooses to tank out on you then you could be in trouble.

Multitech and other vendors do sell RAS servers; you could allow its IP as a telnet-friendly IP, but this also opens up the possibility of someone dialing into this thing and messing things up. Try tossing one of these things on a PBX analog line with an extension and you may have a good solution there.

Just like anything else, eliminate needless variables, but keep your options open. Set up gates that one must overcome in order to gain access.

//John

-----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com]
Sent: Monday, November 04, 2002 8:47 PM
To: security-basics () security-focus com
Subject: Protecting PIX Firewall at the Perimeter Router

Hi All,

I wanted some suggestions\practical experiences for protecting a Firewall at the Perimeter Router Level. We have a PIX Firewall connected to our Cisco Router, which is connected to the Internet. Should there be any IOS Firewall Rules in the Router, other than blocking Telnet, FTP etc. to the Firewall itself? PIX will be doing NAT, protecting DMZ machines, and IPSec connections.

Regards
\\ Naman
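
Added example, not part of the original thread or written by any of its participants: a small Python audit of the PIX management-access statements discussed above, flagging entries that are ranges rather than single hosts, entries on an untrusted interface, and more host entries than a chosen limit. It assumes PIX 6.x-style lines of the form `telnet <ip> <netmask> <interface>` and `http <ip> <netmask> <interface>` (the `http` statement being what admits PDM clients); the sample config, addresses, function name and thresholds are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config (not from the thread); addresses are private-range placeholders.
SAMPLE_CONFIG = """\
telnet 10.1.1.10 255.255.255.255 inside
telnet 10.1.1.50 255.255.255.255 inside
telnet 10.1.0.0 255.255.0.0 inside
http server enable
http 10.1.1.10 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
"""

# Assumed line shape: "<telnet|http> <ip> <netmask> <interface>"
RULE = re.compile(
    r"^(telnet|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)

def audit_management_access(config, max_hosts=2, trusted_ifaces=("inside",)):
    """Return (rules, findings) for telnet/http management statements."""
    rules, findings = [], []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # e.g. "http server enable" carries no source address
        service, ip, mask, iface = m.groups()
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        rules.append((service, net, iface))
        if net.prefixlen != 32:
            findings.append(f"{service}: {net} on {iface} is a range, not a single host")
        if iface not in trusted_ifaces:
            findings.append(f"{service}: {net} allowed on untrusted interface {iface}")
    # Per-service count of single-host entries against the chosen limit.
    for service in ("telnet", "http"):
        hosts = [n for s, n, _ in rules if s == service and n.prefixlen == 32]
        if len(hosts) > max_hosts:
            findings.append(f"{service}: {len(hosts)} host entries exceed limit of {max_hosts}")
    return rules, findings

if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG)[1]:
        print(finding)
```
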