RE: PIX Question

[jamesworld () intelligencia com]

Stephen, et al,

I agree whole heartedly with 2827 filtering and the PIX can do that as well 
(router can too).  I however, disagree with 1918 at the edge router.  The 
ASA algorithm in the PIX makes it a better location to handle the NATing of 
public to 1918 addresses.  Also, the edge router is not being 
burdened.  It's doing a routers job: routing.  Let the security device take 
care of security.

I was not giving a definitive plan for deployment.  Just making answers to 
specific comments/questions.

Still, lock up the router, use access-classes on the VTY lines.  Disable 
unused transports, verify the IOS against field notices. Use the local 
database or better yet, a TACACS+ server to authenticate and log attempts 
to break in to the router.  (since you have it use it on the PIX and the 
rest of your network infrastructure).  Check your logs daily.  Disable SNMP 
and every service that is not needed on  the external edge 
routers.  (internal too :)

Just like your own body, treat your network the same way. look after it 
daily, protect it against the elements that come against it and keep the 
juice clean  :-)

-James

At 08:33 11/18/02, Stephen Wilcox wrote:
> James,
>
> I would still practice RFC1918 and RFC2827 at your edge router
>
>
> Stephen Wilcox
> R & D Specialists
> Universal Computer Systems
> Voice: (713) 718-1800 ext. 2172
> Email: Stephenwilcox () universalcomputersys com
>
>
> -----Original Message-----
> From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
> Sent: Thursday, November 14, 2002 7:24 AM
> To: naman.latif () inamed com
> Cc: security-basics () securityfocus com
> Subject: PIX Question
>
>
>
> You need no protection.  The PIX will withstand what is put against it.
> All the advice you are receiving about BDS fw, IOS FW and the like doesn't
> address your specific need.
>
> Key being.  You are terminating IPSEC.  You put another FW in front and you
> risk losing the IPSEC.
>
> I work with PIX daily.  It needs no protection.
> Telnet:
> As far at telnet (you cannot telnet to the outside of a PIX- impossible)
> PDM:
> Set up access via the command: http <host_IP_address> 255.255.255.255
> outside
> for each host you want to have access from.
> Better yet, open none of that and VPN to the PIX and then use
> telnet/ssh/pdm from inside the VPN tunnel.
>
> Don't run CBAC unless you have a 3600 series router or above.
>
> If you really want protection that the PIX does not provide, get your ISP
> to limit the ICMP traffic to a max of 20 % of incoming traffic. help
> protect against DDOS
>
> Got questions, email me offline
>
>
> >Sent: Monday, November 04, 2002 8:47 PM
> >To: security-basics () security-focus com
> >Subject: Protecting PIX Firewall at the Perimeter Router
> >
> >
> >Hi All,
> >
> >
> >I wanted some suggestions\practical experiences for protecting a
> >Firewall wall at the Perimeter Router Level.
> >
> >
> >We have a PIX Firewall connected to our Cisco Router, which is
> >connected to the Internet. Should there be any IOS Firewall Rules in
> >the Router, other than blocking Telnet,FTP etc to the Firewall itself
> >?
> >
> >
> >PIX will be doing NAT, protecting DMZ machines, and IPSec
> >connections.
> >
> >
> >Regards \\ Naman
> >