Firewall Wizards mailing list archives
Re: VPNs on PIX
From: "Brian Loe" <knobdy () gmail com>
Date: Mon, 20 Feb 2006 16:52:20 -0600
On 2/20/06, Paul Melson <pmelson () gmail com> wrote:
> Not that you asked, but this is "A Bad Idea(tm)" and is all too common where PIX firewalls are concerned (because of the all-too-commonly-used 'sysopt connection permit-ipsec'). Remember, every time you do this, you accept risk that you cannot manage. I've never seen a setup that actually needed to be that way. I honestly don't know why that command even exists.

Which part, specifically, are you addressing here - allowing their entire network to access ours? A quick google of that command comes back with a lot of info on VPN software client connections (which we use concentrators for).

> Yes it can be done on a PIX using the static command (or a global pool if a large range is used). It's going to look a lot like the router config.

And if I had googled well enough the first time I would have found the specific Cisco document on how to do it - which I did do today, about 5 minutes before another helpful lister sent me the link.

> So you've got "OOB" secondary interfaces of internal AIX servers connected to the same network as an internet-facing Windows server? And you're having to make a case for why this is a bad idea? That sucks for you. Mostly because it means that your firewall admins don't get it.

Well, let me make sure I'm explaining the best way possible. On DMZ1 are internet-facing boxes with routable IPs configured on their NICs (no NATing). On the DMZ2 interface are those machines' secondary NICs with private IPs. The Internet-facing Windows machine is also found there with a private IP - NATted to a public IP. Yeah...still sucks, no matter how you describe it.

> This is a good idea. Surely nothing can go wrong with your apathetic firewall admins at the helm and the syslog server that nobody wants to build. (Is the sarcasm coming across correctly? I can never tell in e-mail.)

It's pretty loud. :) I'm trying to be THE firewall admin - based on having just a little more knowledge (perhaps) than the rest of the team, and at least the inclination to make the network difficult to get on as opposed to user/admin friendly.

> Anyway, the DoD probably won't be any worse off than it is now.
Apparently this is a pretty rough standard to get to - according to our one customer that already adheres to it. It's apparently very expensive since it requires us to duplicate parts of our environment just for them. It also requires a lot of common-sense measures to be in place, and as it happens, most (if not all) of them have been in some state of implementation since I got here (or, in the case of a centralized syslog server, had an aborted attempt made). Like I said, I welcome it. I don't know how well off the DoD is (they should be in pretty good shape if they adhere to their own guidelines) but it's bound to whip us into shape. Oh, it's called DITSCAP...anyone dealt with it before?