securing PIX

v-monte
Level 1

Hi everybody,

Just to know if there are some basic tasks necessary to secure a PIX (like we can find in the document "securing routers"), or is everything OK by default?

Is the option "access via telnet + tacacs" secure enough, or are there some potential "security holes"?

Thanks in advance

2 Replies

shannong
Level 4

One of my favorite things about a Pix is that it's as secure as it gets with a default config. Everything you do makes it less secure.

As with any system, you can use this equation:

telnet=big security hole

Telnet is in clear-text so it gives away your password and makes MITM attacks so easy.

Instead, you should use ssh or https to manage your firewall. Or even better, don't allow any access to the firewall and connect physically with the console cable. When allowing ssh/https access, allow the access from as few stations as possible.

TACACS+ is a double-edged sword. It can be used for good account policies like complexity, history, min. length, and lockouts. Those are all good things for securing access to the Pix. However, it's also a problem because few people bother to protect their TACACS server. It's not too hard to take advantage of a poorly configured MS machine so that I can add my own account for access to the firewall.

Also, make sure TACACS+ is upgraded to support HTTPS and make sure that only a few stations can access its admin console. Remove the auto-login feature of TACACS+ when accessing locally from the server.

Use layered security. Unless you're PATing traffic to the external interface address of the Pix, use an ACL to deny all inbound to the Pix's interface. The Internet doesn't have a reason to connect to your Pix. If it's terminating VPNs, only allow access to those few ports/protocols as necessary.

Hope this helps....

Shannon
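A PIX 6.x configuration fragment, added here as an illustration and not part of Shannon's reply, that puts the advice above side by side with the weak setting it replaces; the hostname, domain, addresses, ACL name and TACACS+ key are made-up placeholders.

```cisco
! --- weak: clear-text telnet from any inside host, local passwords only ---
telnet 0.0.0.0 0.0.0.0 inside

! --- hardened (hostname, domain, addresses and key are constructed placeholders) ---
hostname pix
domain-name example.net
! SSH needs an RSA key pair; generate it and save it to flash
ca generate rsa key 1024
ca save all
! remove clear-text telnet entirely
no telnet 0.0.0.0 0.0.0.0 inside
! allow SSH and HTTPS (PDM) only from a single management station
ssh 10.1.1.10 255.255.255.255 inside
ssh timeout 5
http server enable
http 10.1.1.10 255.255.255.255 inside
! authenticate management logins against the TACACS+ server
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.20 TACACS-KEY-PLACEHOLDER timeout 5
aaa authentication ssh console TACACS+
aaa authentication http console TACACS+
! deny inbound traffic aimed at the outside interface address itself;
! the implicit deny at the end of the ACL drops everything else not permitted
access-list outside_in deny ip any host 203.0.113.2
access-group outside_in in interface outside
```

Any permit lines for VPN termination or published services go into the same `outside_in` list after the deny, so only the ports Shannon mentions are reachable.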

Yes,

Thanks a lot shannon.
