01-15-2003 10:41 AM - edited 02-21-2020 12:17 PM
Hi All
I am a routing and switching guy, trying to break into security ... so please forgive the novice questions. I am tasked with preparing a vpn solution by early next week, to present to our manager. Preventing our network from malicious attacks is essential, so I have to get my facts right.
We currently have two checkpoint firewalls running in hot standby failover (not managed by our team). What I would like to do is possibly sit a pix 515e next to these, to handle purely vpn connectivity. I am slightly biased and cisco thru and thru, but my reasons for wanting to implement this are so that we can integrate our routing ideas into vpn solutions more easily rather than pay for costly frame circuits etc. I also feel that the pix will have a lot to offer and probably have a lot of benefits over Checkpoint, notably performance. The checkpoints would stay to handle internet connectivity to web server etc.
Q. If I implement this, and open only the ports up required to create a tunnel from the web using 3des (use this as a dedicated vpn server), and authenticate dynamic vpn connections for users using the cisco secure acs in conjunction with rsa ID's, on an internal server, is there any known way of breaching the pix and breaking into our internal lan?
If I implement pix-to-pix between two sites, opening only the relevant ports to establish the vpn, are there any potential security issues here? Can I integrate the pix into this?
Has anyone got a page that goes thru pros and cons pix vs checkpoint for vpn?
I am currently gathering a lot of information but any advice and guidance would be very much appreciated.
Sorry for the long post.
Best Regards
01-15-2003 01:13 PM
Hi there,
Please see my inline answers:
Q. If I implement this, and open only the ports up required to create a tunnel from the web using 3des (use this as a dedicated vpn server), and authenticate dynamic vpn connections for users using the cisco secure acs in conjunction with rsa ID's, on an internal server, is there any known way of breaching the pix and breaking into our internal lan?
Jazib>> no known issues
If I implement pix-to-pix between two sites, opening only the relevant ports to establish the vpn, are there any potential security issues here? Can I integrate the pix into this?
Jazib >> no known issues, and yes, you should be able to integrate pix into the pix-pix vpn setup
Has anyone got a page that goes thru pros and cons pix vs checkpoint for vpn?
Jazib >> I'll let someone else answer that :~)
01-15-2003 04:22 PM
Hi Jazib
Thanks for your answers. Am I right in thinking then that if we are doing dedicated vpn on the pix box, the only way in is with the correct authentication details (pix-to-vpn client), and similar again pix-to-pix?
Could I run this by you ...
How secure is the cisco vpn client software 3.6? If I run this at home on my pc connecting to my dsl connection, will it act as a firewall or would I need to sit something (FW) in front of the pc? If it is secure and I tick the option that will allow me to browse the web whilst connecting to work thru my tunnel, would I still be protected from the web? Is there any way a hacker could possibly break into the pc with the cisco vpn client software on and then shoot off back down the tunnel, exposing your work lan?
Thanks again for your assistance, it is much appreciated.
01-15-2003 07:39 PM
If you're interested in putting in a device purely for VPN connections, I would recommend putting in a VPN3000 concentrator rather than a PIX. Both devices will terminate VPN connections from clients, but the VPN concentrator has additional features that the PIX doesn't currently support, including IPSec over TCP or UDP for connecting through NAT devices, and the ability to push down firewall configurations to the client.
To answer your questions though, yes the only way in would be with the correct authentication details, and using RSA or some other one-time password mechanism is a very good idea.
The client is very secure and comes with its own built-in firewall nowadays. You can set it up to only allow outgoing connections, meaning no-one from the Internet will be able to connect to your PC and take it over or plant a trojan or anything like that. With the VPN concentrator you can push down firewall policies to the client when they connect, allowing very restrictive policies to be defined (you can't do this with the PIX currently). If you don't do split tunneling, then basically when your tunnel is established no-one has connectivity to your PC anyway unless they come in over the tunnel that you have established, which is impossible for them to do unless they're on your corporate network.
01-16-2003 09:36 AM
Hi Glenn
Thanks for your detailed reply
I have a Q on 3DES: is this encryption strong enough to protect your data? We have some very private data that we would not want eventually decoding if the packets were caught by a sniffer on the web. If you can decode it, how long and what would it take?
Regards