Security Basics mailing list archives

RE: Protecting PIX Firewall at the Perimeter Router
From: "Paris E. Stone" <paris () archerva com>
Date: Wed, 6 Nov 2002 15:40:54 -0500

How about using SSH instead of telnet for starters?  Then maybe a
two-factor authentication method using AAA, say an RSA server?

-----Original Message-----
From: John Canty [mailto:John.Canty () Vibro-Meter com]
Sent: Tuesday, November 05, 2002 2:23 PM
To: Naman Latif; security-basics () security-focus com
Subject: RE: Protecting PIX Firewall at the Perimeter Router


I have the same config here, 1720 perimeter and pix 515e. The pix can be set to receive telnet and pdm from one and only one IP, and you can also set the interface on which it will see that IP. The router I am less familiar with; I believe you may be able to do the same. The only downside is this gives you limited options on management, i.e. you can only use one computer on the inside network to manage these devices, or on the router use the aux port, and on both devices use the console port. If you are in the field and a device chooses to tank out on you, then you could be in trouble. Multitech and other vendors do sell RAS servers; you could allow its IP as a telnet-friendly IP, but this also opens up the possibility of someone dialing into this thing and messing things up. Try tossing one of these things on a pbx analog line with an extension and you may have a good solution there. Just like anything else, eliminate needless variables, but keep your options open. Set up gates that one must overcome in order to gain access.
//John

-----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com]
Sent: Monday, November 04, 2002 8:47 PM
To: security-basics () security-focus com
Subject: Protecting PIX Firewall at the Perimeter Router

Hi All,

I wanted some suggestions/practical experiences for protecting a Firewall at the Perimeter Router level.

We have a PIX Firewall connected to our Cisco Router, which is connected to the Internet. Should there be any IOS Firewall Rules in the Router, other than blocking Telnet, FTP, etc. to the Firewall itself?

PIX will be doing NAT, protecting DMZ machines, and IPSec connections.

Regards \\ Naman

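As an added example (not part of this thread, and not Cisco's own documentation): one way to put the three suggestions together on a PIX 515E behind a perimeter router, shown as the weak setting beside the hardened one. It assumes PIX 6.x and IOS 12.x command syntax; the addresses, hostnames and the RADIUS shared secret are placeholders.

```cisco
! === Perimeter router (IOS): screen management protocols aimed at the PIX
!     outside address so only the PIX's own rules see the rest of the traffic.
!     Placeholders: PIX outside = 203.0.113.2, Internet-facing interface = Serial0.
ip access-list extended PIX-MGMT-GUARD
 deny   tcp any host 203.0.113.2 eq telnet
 deny   tcp any host 203.0.113.2 eq 22
 deny   tcp any host 203.0.113.2 eq ftp
 deny   tcp any host 203.0.113.2 eq www
 deny   tcp any host 203.0.113.2 eq 443
 deny   udp any host 203.0.113.2 eq snmp
 permit ip any any
interface Serial0
 ip access-group PIX-MGMT-GUARD in

! === PIX 515E (6.x): management plane
! Weak: Telnet management open to the entire inside network (placeholder 10.1.0.0/16)
telnet 10.1.0.0 255.255.0.0 inside

! Hardened, step 1 (John's point): remove Telnet entirely rather than narrowing it
no telnet 10.1.0.0 255.255.0.0 inside

! Hardened, step 2 (Paris's first point): SSH only, and only from one management
! host (placeholder 10.1.0.5) on the inside interface. The RSA key is needed
! before the PIX will accept SSH sessions.
hostname pixfw
domain-name example.net
ca generate rsa key 1024
ca save all
ssh 10.1.0.5 255.255.255.255 inside
ssh timeout 10

! PDM (HTTPS) restricted to the same single host
http server enable
http 10.1.0.5 255.255.255.255 inside

! Hardened, step 3 (Paris's second point): AAA for console/SSH/PDM logins against a
! RADIUS server (placeholder 10.1.0.10). An RSA ACE/Server fronting SecurID tokens
! speaks RADIUS, which is how the two-factor step is added without new PIX features.
aaa-server MGMT-RADIUS protocol radius
aaa-server MGMT-RADIUS (inside) host 10.1.0.10 <shared-secret-placeholder> timeout 5
aaa authentication ssh console MGMT-RADIUS
aaa authentication http console MGMT-RADIUS
```

Verify from the management host with `show ssh sessions` after logging in, and from any other inside host confirm that both SSH and HTTPS to the PIX are refused before considering the change complete.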
