Security Basics mailing list archives

RE: Protecting PIX Firewall at the Perimeter Router
From: "Vik Evans" <vik () packeteye com>
Date: Sat, 9 Nov 2002 12:21:43 -0700

The information John has in his messages is not entirely correct (no offense
intended) -

The PIX can only accept telnet on the inside interface. You can configure
outside telnet, however the PIX is designed to only allow ssh on the outside
interface and will drop telnet automatically, even if you have configured it
on the outside interface. Secondly, you can configure an internal network to
telnet to the PIX; you are not limited to just a single ip address. I
believe you are limited to a single IP for the PDM, but not for telnet.

With regards to securing your perimeter router, assuming you do not have the
firewall IOS on it, there are some common best practices:

        * Disable all unnecessary services, as follows:
                - no ip bootp server
                - no service finger
                - no ip http server
                - no cdp enable (can be done on the external interface only, so that you
                  still have functionality on the internal network)
                - no service config (disables remote configuration; preference)
                - no ip source-route
                - no ip classless
        * General securing of interfaces can include:
                - shutdown (disable unused interfaces)
                - no ip directed-broadcast (protection from smurf attacks)
                - no ip proxy-arp (protection from ad-hoc routing)
        * Encrypt your passwords and ensure all methods of access have passwords -
          including lines vty 5 15 (commonly ignored or missed)
        * Learn and become fluent with the use of ACLs - your best method of
          defense. Make sure you do not allow access from RFC 1918 addresses
          (private), which will protect against spoofing, etc.

These are just a few common practices, which will require one's own tweaking
for their own environment.
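
A config-audit script, added here as an illustration and not part of the thread, that checks a Cisco IOS running-config text for the items Vik lists above (the global `no ...` services, the outside-interface settings, a password on every vty range including 5 15, and an inbound ACL that denies RFC 1918 sources before any permit). It assumes each command appears verbatim in `show running-config`; on IOS releases where a setting is the default (for example `no ip directed-broadcast` since 12.0) it is not displayed, so a "missing" finding is something to verify on the box rather than a confirmed gap. The interface name `Serial0`, the ACL name `OUTSIDE-IN` and the sample config are constructed for the example.

```python
# Commands from the thread that must appear verbatim in the running-config.
GLOBAL_REQUIRED = ["no ip bootp server", "no service finger", "no ip http server",
                   "no ip source-route", "service password-encryption"]
OUTSIDE_REQUIRED = ["no ip directed-broadcast", "no ip proxy-arp", "no cdp enable"]
RFC1918 = ["10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255"]  # IOS wildcard masks
# Constructed sample (not from the thread); it lacks 'no ip http server', proxy-arp
# protection, a 192.168/16 deny, and a password on 'line vty 5 15'.
SAMPLE_CONFIG = """\
service password-encryption
no service finger
no ip bootp server
no ip source-route
ip access-list extended OUTSIDE-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 permit ip any any
interface Serial0
 ip access-group OUTSIDE-IN in
 no ip directed-broadcast
 no cdp enable
line vty 0 4
 password 7 0A0B0C0D0E0F
 login
line vty 5 15
 login
"""
def sections(config):  # {non-indented line: [its indented sub-commands]}
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" "):
            blocks.setdefault(current, []).append(line.strip())
        elif line.strip():
            current, blocks[line.strip()] = line.strip(), []
    return blocks
def audit(config, outside):
    """Return findings for the checks above; an empty list means all passed."""
    blocks = sections(config)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in blocks]
    iface = blocks.get(f"interface {outside}", [])
    findings += [f"{outside}: missing '{c}'" for c in OUTSIDE_REQUIRED if c not in iface]
    for hdr, body in blocks.items():  # every vty range, including 5 15, needs a password
        if hdr.startswith("line vty") and not any(cmd.startswith("password") for cmd in body):
            findings.append(f"{hdr}: no password configured")
    acl = next((cmd.split()[2] for cmd in iface if cmd.startswith("ip access-group ")), None)
    entries = blocks.get(f"ip access-list extended {acl}", [])
    denied = entries[:next((i for i, e in enumerate(entries) if e.startswith("permit")), len(entries))]
    for net in RFC1918:  # each deny must exist and sit before the first permit
        if f"deny ip {net} any" not in denied:
            findings.append(f"{outside}: inbound ACL does not deny {net} before a permit")
    return findings
print(*audit(SAMPLE_CONFIG, "Serial0"), sep="\n")
```

Note that `service password-encryption` only applies the reversible type 7 encoding to line passwords; the enable password should be set with `enable secret` instead.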


-----Original Message-----
From: Adam Maxwell [mailto:netrunner () sneakers-inc net]
Sent: Wednesday, November 06, 2002 12:41 PM
To: security-basics () security-focus com
Subject: RE: Protecting PIX Firewall at the Perimeter Router


The Cisco routers are based on the same IOS as the pix firewall. You
can set ACLs for management on the Cisco routers, for the interfaces
and the console ports.

-----Original Message-----
From: John Canty [mailto:John.Canty () Vibro-Meter com]
Sent: 05 November 2002 19:23
To: Naman Latif; security-basics () security-focus com
Subject: RE: Protecting PIX Firewall at the Perimeter Router

I have the same config here 1720 perimeter and pix 515e. The pix can
be set to receive telnet and pdm from one and only one IP and you can
also set the interface on which it will see that IP. The router, I am
less familiar with. I believe you may be able to do the same. The
only downside is this gives you limited options on management, i.e.
you can only use one computer on the inside network to manage these
devices, or on the router use the aux port, and on both devices use
the console port. If you are in the field and a device chooses to
tank out on you then you could be in trouble. Multitech and other
vendors do sell RAS servers you could allow its IP as a telnet
friendly IP, but this also opens up the possibility of someone
dialing into this thing and messing things up. Try tossing one of
these things on a pbx analog line with an extension and you may have
a good solution there. Just like anything else, eliminate needless
variables, but keep your options open. Set up gates that one must
overcome in order to gain access. //John

-----Original Message-----
From: Naman Latif [mailto:naman.latif () inamed com]
Sent: Monday, November 04, 2002 8:47 PM
To: security-basics () security-focus com
Subject: Protecting PIX Firewall at the Perimeter Router

Hi All,

I wanted some suggestions/practical experiences for protecting a
Firewall at the Perimeter Router Level.

We have a PIX Firewall connected to our Cisco Router, which is
connected to the Internet. Should there be any IOS Firewall Rules in
the Router, other than blocking Telnet, FTP, etc. to the Firewall itself?

PIX will be doing NAT, protecting DMZ machines, and IPSec

Regards \\ Naman
