RE: Protecting PIX Firewall at the Perimeter Router

["Calhoun, Heath" <CalhounH () gsci state ms us>]

PDM and telnet from only one IP?  That's the first I've heard of this.
Unless your concerned about a unattended workstation, you can have more
than one ip on the telnet and pdm.  On our PIX 515's, I have at least 
two.  The BDC on site so as a adminitrastor at any site you can remote
to the server and telnet to the PIX and one other IP that would be 
assigned to whatever laptop we bring with us to a site.  So if you had
two people you wanted to be able to manage the PIX, you would just put
their static IP's in the pix telnet and pdm statements.

Heath Calhoun

-----Original Message-----
From: John Canty [mailto:John.Canty () Vibro-Meter com]
Sent: Tuesday, November 05, 2002 1:23 PM
To: Naman Latif; security-basics () security-focus com
Subject: RE: Protecting PIX Firewall at the Perimeter Router


I have the same config here 1720 perimeter and pix 515e. The pix can be
set to receive telnet and pdm from one and only one IP and you can also
set the interface on which it will see that IP. The router, I am less
familiar with. I believe you may be able to do the same. The only
downside is this gives you limited options on management. I.E. you can
only use one computer on the inside  network to manage these devices, or
on the router use the aux port, and on both devices use the console
port. If you are in the field and a device chooses to tank out on you
then you could be in trouble. Multitech and other vendors do sell RAS
servers you could allow it's IP as a telnet friendly IP, but this also
opens up the possibility of someone dialing into this thing and messing
things up. Try tossing one of these things on a pbx analog line with an
extension and you may have a good solution there. Just like anything
else, eliminate needless variables, but keep your options open. Set up
gates that one must overcome in order to gain access.
//John

-----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com] 
Sent: Monday, November 04, 2002 8:47 PM
To: security-basics () security-focus com
Subject: Protecting PIX Firewall at the Perimeter Router

Hi All,

I wanted some suggestions\practical experiences for protecting a
Firewall wall at the Perimeter Router Level.

We have a PIX Firewall connected to our Cisco Router, which is connected
to the Internet. Should there be any IOS Firewall Rules in the Router,
other than blocking Telnet,FTP etc to the Firewall itself ?

PIX will be doing NAT, protecting DMZ machines, and IPSec connections.

Regards \\ Naman