Sunday, March 1, 2009

Cisco PIX Firewall : Lock It Down In 10 Steps

by David Davis, CCIE, MCSE
Version 1.0
March 2, 2005


You may be thinking, “Shouldn’t a firewall be locked down by default?” Well, to some degree this is true, but not completely. Here are 10 steps to ensure your PIX Firewall is as secure as it can be.

1.   Password protect it – By default, the Cisco PIX has no password on the console. If you configure Telnet access to the PIX, the default password is "cisco." You should set a strong password for both the console and the Telnet interface. Make sure you choose a complex password (containing uppercase and lowercase letters, numbers, and special characters).

2.   Know your access-lists – Having a firewall is all about permitting the “good” traffic through the firewall and denying the “bad” traffic from reaching the internal network. Access-lists are preferred over the conduit methods that were used in the past. However, one syntax mistake in an access-list and all the bad traffic can come in. As a firewall administrator, you need to know and understand every element in the access-lists on each Cisco PIX Firewall you manage.
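As an added example (not code from the original article or from Cisco), the script below parses PIX 6.x-style access-list lines out of a running configuration and flags the entries that quietly open the door: a permit from any source to any destination, a permit of all IP protocols from any source, or a TCP/UDP permit from any source with no port restriction. It also reports access-lists that are defined but never applied with access-group, which is the usual sign of a half-finished change. The configuration text, interface and access-list names, and addresses are constructed sample values.

```python
"""Audit Cisco PIX access-list entries for overly broad permits.

Added example, not from the original article. SAMPLE_CONFIG is a constructed
snippet in PIX 6.x syntax; the names and addresses are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of what "show running-config" might contain.
SAMPLE_CONFIG = """\
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.20 eq 22
access-list outside_in permit ip any any
access-list outside_in deny ip any any
access-list dmz_in permit udp any host 192.0.2.53 eq 53
access-group outside_in in interface outside
"""

# Source/destination are "any", "host <addr>" or "<addr> <mask>".
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+(?P<port>eq\s+\S+|range\s+\S+\s+\S+))?\s*$"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)\s*$")


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]
    line_no: int


def parse_access_lists(config: str) -> List[AclEntry]:
    """Return every access-list entry found in the configuration text."""
    entries = []
    for line_no, raw in enumerate(config.splitlines(), 1):
        m = ACL_RE.match(raw.strip())
        if m:
            entries.append(AclEntry(m["name"], m["action"], m["proto"],
                                    m["src"], m["dst"], m["port"], line_no))
    return entries


def applied_access_lists(config: str) -> Dict[str, str]:
    """Map access-list name -> interface for each access-group statement."""
    applied = {}
    for raw in config.splitlines():
        m = GROUP_RE.match(raw.strip())
        if m:
            applied[m["name"]] = m["iface"]
    return applied


def find_risky_entries(entries: List[AclEntry]) -> List[Tuple[AclEntry, str]]:
    """Flag permits that are broader than a firewall rule normally should be."""
    findings = []
    for e in entries:
        if e.action != "permit":
            continue
        if e.src == "any" and e.dst == "any":
            findings.append((e, "permits any source to any destination"))
        elif e.proto == "ip" and e.src == "any":
            findings.append((e, "permits all IP protocols from any source"))
        elif e.proto in ("tcp", "udp") and e.src == "any" and e.port is None:
            findings.append((e, "permits every port from any source"))
    return findings


def unapplied_access_lists(config: str) -> Set[str]:
    """Access-lists that exist but are not bound to any interface."""
    defined = {e.name for e in parse_access_lists(config)}
    return defined - set(applied_access_lists(config))


if __name__ == "__main__":
    for entry, reason in find_risky_entries(parse_access_lists(SAMPLE_CONFIG)):
        print(f"line {entry.line_no}: {entry.name} {reason}")
    for name in sorted(unapplied_access_lists(SAMPLE_CONFIG)):
        print(f"access-list {name} is defined but never applied")
```

On the constructed sample the audit reports line 4 (the permit ip any any, which also makes the deny on line 5 unreachable) and notes that dmz_in is never applied to an interface. Run it against the output of show running-config saved to a file, and treat every finding as a question to answer rather than a rule to delete blindly.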

3.   Log denials and errors – So that you have a record of what traffic is being blocked by your firewall, you should log denials, attempted intrusions, and errors. This logging should go to a syslog server so that it can be archived and stored off of the PIX. For more information on sending PIX logging to syslog, see this link. Also, you should enable Network Time Protocol (NTP) on the PIX so that the clock is always current, which will ensure that the timestamp/datestamp on your log entries is also correct.

4.   Use SSH in place of Telnet – With Telnet, the username and password used to log in are sent in clear-text (unencrypted). Thus, with Telnet, the password used to log in to the PIX can be sniffed over the network. You should use SSH instead of Telnet so that the password (and all other commands) are encrypted. Here's a link on using SSH for remote system management. Another option is to set up the PIX as a VPN server, use VPN to connect to the PIX (forming an encrypted tunnel), and then use Telnet to connect through the tunnel.

5.   Understand the ASA – At the heart of the PIX Firewall is the Adaptive Security Algorithm (ASA). As a firewall administrator, you must understand the methodology of how the ASA works. Without this knowledge, you could mistakenly allow full access to your private network or disable access to critical business applications. For more information about the ASA, check out this Cisco link.

6.   Enable optional security features – A Cisco PIX Firewall has a long list of optional features to make your network more secure. These features include Unicast Reverse Path Forwarding, MailGuard, FloodGuard, FragGuard, and URL Filtering. You can read more about them here.

7.   Keep the PIX OS and PDM patched – As with any operating system or application, there will always be new vulnerabilities found in the PIX Firewall, even though it is essentially an appliance. On a PIX Firewall, there are usually two separate binaries to keep updated. The PIX OS is the first one. The file for the PIX OS is named something like pix634.bin. The optional piece is the PIX Device Manager (PDM), and it must be upgraded separately. Its file is named something like pdm-302.bin. Cisco PIX OS software is available to registered CCO users at this link.

8.   Back up your configuration – Once you make all your configurations to the PIX, you need to back it up in a secure place off of the PIX. This is a precaution in case the PIX has a hardware failure. To do this, use the tftp-server command to tell the PIX which TFTP server that the backup file will be stored on. Then use the write net command to store the configuration on the TFTP server. You can set up a simple TFTP server on a Windows or Linux/UNIX system, or you can use Cisco's TFTP software. This link can help.

9.   Use secure encryption – You can purchase different models of PIX Firewalls. Some come with no encryption, some have 56-bit DES encryption, and some have 3DES/AES encryption. However, no matter which model you bought, I recommend that you upgrade to the highest level of encryption possible. If you have no encryption, you can get a free license for DES 56-bit encryption from this link. You can upgrade to 3DES/AES encryption by contacting a Cisco reseller. If your PIX came with 3DES/AES encryption, you still have to register it to use it. You can also register it here. To see what encryption you currently have enabled, do a show version on your PIX.

10. Know your network – You should baseline your network so that you know what a “normal” traffic load looks like. By determining what's normal and monitoring your network, you will know what is abnormal. A good tool for baselining and monitoring is PRTG. PRTG works via SNMP and can monitor and graph the traffic flowing through a Cisco PIX. Here is a TechRepublic article on PRTG. Here is a Cisco help document on SNMP configuration with Cisco PIX.

David Davis manages a group of systems/network administrators for a privately owned retail company. He also does networking/systems consulting on a part-time basis. His certifications include: IBM Certified Professional-AIX Support, MCSE+Internet, Sun Certified Solaris Admin (SCSA), Certified Information Systems Security Professional (CISSP), Cisco CCNA, CCDA, and CCNP. He is also Cisco CCIE #9369.

Additional resources


         Cisco documentation on configuring a Cisco PIX Firewall (Cisco Systems)

         "Configure a Cisco PIX firewall and select a topology" (TechRepublic)

         "Monitor a PIX firewall with a syslog server" (TechProGuild)

         "Decipher the Cisco PIX log files" (TechProGuild)
