Re: VPNs on PIX

["Brian Loe" <knobdy () gmail com>]

On 2/20/06, Paul Melson <pmelson () gmail com> wrote:
> Not that you asked, but this is "A Bad Idea(tm)" and is all too common where
> PIX firewalls are concerned (because of the all-too-commonly-used 'sysopt
> connection permit-ipsec').  Remember, every time you do this, you accept
> risk that you cannot manage.  I've never seen a setup that actually needed
> to be that way.  I honestly don't know why that command even exists.

Which part, specifically, are you addressing here - allowing their
entire network to access ours?

A quick google of that command comes back with a lot of info on VPN
software client connections (which we use concentrators for).

> Yes it can be done on a PIX using the static command (or a global pool if a
> large range is used).  It's going to look a lot like the router config.


And if I had googled well enough the first time I would have found the
specific Cisco document on how to do it - which I did do today, about
5 minutes for another helpful lister sent me the link.

> So you've got "OOB" secondary interfaces of internal AIX servers connected
> to the same network as an internet-facing Windows server?  And you're having
> to make a case for why this is a bad idea?  That sucks for you.  Mostly
> because it means that you're firewall admins don't get it.

Well, let me make sure I'm explaining the best way possible. On DMZ1
are internet facing boxes with routable IPs configured on their NICs
(no NATing). On the DMZ2 interface are those machine's secondary NICs
wth private IPs. The Internet-facing windows machine is also found
there with a private IP - NATted to a public IP.

Yeah...still sucks, no matter how you describe it.

> This is a good idea.  Surely nothing can go wrong with your apathetic
> firewall admins at the helm and the syslog server that nobody wants to
> build.  (Is the sarcasm coming across correctly?  I can never tell in
> e-mail.)

It's pretty loud. :) I'm trying to be THE firewall admin - based on
having just a little more knowledge (perhaps) than the rest of the
team, and at least the inclination to make the network difficult to
get on as opposed to user/admin friendly.

> Anyway, the DoD probably won't be any worse off than it is now.

Apparently this is a pretty rough standard to get to - according to
our one customer that already adheres to it. It's apparently very
expensive since it requires us to duplicate parts of our environment
just for them. It also requires a lot of common sense measures to be
in place, and as it happens, most (if not all of them) have been in
some state of implementation since I got here (or in the case of a
centralized syslog server, had an aborted attempt made). Like I said,
I welcome it. I don't know how well off the DoD is (they should be in
pretty good shape if they adhere to their own guidlines) but its bound
to whip us into shape. Oh, it's called DITSCAP...anyone dealt with it
before?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards