mailing list archives
RE: PIX Question
From: "John Canty" <John.Canty () Vibro-Meter com>
Date: Sun, 17 Nov 2002 14:53:09 -0500
Believe it or not, this does seem pretty rock solid advice. So the next
question would be what steps would one take to protect the perimeter
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
Sent: Thursday, November 14, 2002 8:24 AM
To: naman.latif () inamed com
Cc: security-basics () securityfocus com
Subject: PIX Question
You need no protection. The PIX will withstand what is put against it.
All the advice you are receiving about BDS fw, IOS FW and the like
address your specific need.
Key being. You are terminating IPSEC. You put another FW in front and
risk losing the IPSEC.
I work with PIX daily. It needs no protection.
As far at telnet (you cannot telnet to the outside of a PIX- impossible)
Set up access via the command: http <host_IP_address> 255.255.255.255
for each host you want to have access from.
Better yet, open none of that and VPN to the PIX and then use
telnet/ssh/pdm from inside the VPN tunnel.
Don't run CBAC unless you have a 3600 series router or above.
If you really want protection that the PIX does not provide, get your
to limit the ICMP traffic to a max of 20 % of incoming traffic. help
protect against DDOS
Got questions, email me offline
Sent: Monday, November 04, 2002 8:47 PM
To: security-basics () security-focus com
Subject: Protecting PIX Firewall at the Perimeter Router
I wanted some suggestions\practical experiences for protecting a
Firewall wall at the Perimeter Router Level.
We have a PIX Firewall connected to our Cisco Router, which is
connected to the Internet. Should there be any IOS Firewall Rules in
the Router, other than blocking Telnet,FTP etc to the Firewall itself
PIX will be doing NAT, protecting DMZ machines, and IPSec
Regards \\ Naman
- PIX Question jamesworld (Nov 15)
- <Possible follow-ups>
- RE: PIX Question John Canty (Nov 19)