Home page logo

basics logo Security Basics mailing list archives

RE: Protecting PIX Firewall at the Perimeter Router
From: "Paris E. Stone" <paris () archerva com>
Date: Wed, 6 Nov 2002 15:40:54 -0500

Hash: SHA1

How about using SSH instead of telnet for starters?  Then maybe a
two-factor authentication method using AAA, say an RSA server?

- -----Original Message-----
From: John Canty [mailto:John.Canty () Vibro-Meter com]
Sent: Tuesday, November 05, 2002 2:23 PM
To: Naman Latif; security-basics () security-focus com
Subject: RE: Protecting PIX Firewall at the Perimeter Router

I have the same config here 1720 perimeter and pix 515e. The pix can
set to receive telnet and pdm from one and only one IP and you can
set the interface on which it will see that IP. The router, I am less
familiar with. I believe you may be able to do the same. The only
downside is this gives you limited options on management. I.E. you
only use one computer on the inside  network to manage these devices,
on the router use the aux port, and on both devices use the console
port. If you are in the field and a device chooses to tank out on you
then you could be in trouble. Multitech and other vendors do sell RAS
servers you could allow it's IP as a telnet friendly IP, but this
opens up the possibility of someone dialing into this thing and
things up. Try tossing one of these things on a pbx analog line with
extension and you may have a good solution there. Just like anything
else, eliminate needless variables, but keep your options open. Set
gates that one must overcome in order to gain access.

- -----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com] 
Sent: Monday, November 04, 2002 8:47 PM
To: security-basics () security-focus com
Subject: Protecting PIX Firewall at the Perimeter Router

Hi All,

I wanted some suggestions\practical experiences for protecting a
Firewall wall at the Perimeter Router Level.

We have a PIX Firewall connected to our Cisco Router, which is
to the Internet. Should there be any IOS Firewall Rules in the
other than blocking Telnet,FTP etc to the Firewall itself ?

PIX will be doing NAT, protecting DMZ machines, and IPSec

Regards \\ Naman

Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: http://www.parisstone.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]