[Dshield] Firewall newbie
mtombaugh at alliedcc.com
Thu Dec 18 22:23:39 GMT 2003
There are several things to remember when managing a Cisco PIX.

Managing your ruleset can be a bit of a pain; remember that the PIX will
process the access-list commands in the order they are entered. Access-lists
that are on top when you run "wr t" will be processed first, so if you have
deny rules on top of permit rules, the deny rules will take precedence, and
vice versa. If you use any "deny any any" rules, make sure they are at the
bottom. Use a text editor to tune your ruleset, then paste to the pix.

Don't use the conduit command. Set up access-groups for inbound and outbound
and apply your filters to each group.

Don't depend on, or even use if possible, the PDM.

When configuring VPNs be very careful when applying crypto rules, "crypto map
<mapname> interface outside" in particular. If you config remotely, you might
completely lose connection if the config isn't perfect.

PIX ssh only uses DES AFAIK, so to get in, use "ssh -c DES -l pix <ip>".

"show access-list" will give a brief hitcount, hits since last reboot.

Log to a local syslog server to keep up with activity.
<http://freshmeat.net> has a couple of nice utilities that parse PIX logs. MRTGs
or MRTNKs via SNMP are also useful. Send to DShield from the syslog server.

I am surprised you aren't impressed with Cisco's documentation. Their docs are
excellent IMHO. e.g.: <http://www.cisco.com/en/US/products/sw/secursw/ps2120/>
You will find several install & config guides there, as well as sample configs
for VPNs, DMZ setups etc. If you get into a major bind and still have access
to e-mail, drop me a msg off list.
Mark Tombaugh <mtombaugh at alliedcc.com>
Allied Computer Corporation <http://www.alliedcc.com>
USiHOST, iNC. <http://www.usihost.com>
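As an added example, not from the post or from Cisco, a small Python first-match evaluator over a constructed PIX-style access-list that also reports rules that can never fire because an earlier rule covers them; this is the ordering problem the post describes (a "deny any any" pasted on top swallowing everything below it). The PIX syntax subset, the list name and the addresses are assumptions.

```python
import ipaddress

# Constructed PIX-style access-list (not from the post): the deny on top
# shadows the two permits below it, the exact mistake the post warns about.
BAD_ORDER = """\
access-list outside_in deny ip any any
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in permit tcp any host 192.0.2.10 eq 443
"""

def _endpoint(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return rules as dicts in the order given, which is the order the PIX evaluates them."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _endpoint(t, 4)
        dst, i = _endpoint(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append({"name": t[1], "action": t[2], "proto": t[3],
                      "src": src, "dst": dst, "dport": port})
    return rules

def _covers(a, b):
    """True if every packet matching rule b would already have matched rule a."""
    return ((a["proto"] == "ip" or a["proto"] == b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and (a["dport"] is None or a["dport"] == b["dport"]))

def first_match(rules, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation; returns (action, rule index), implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, r in enumerate(rules):
        if (r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"]
                and r["dport"] in (None, dport)):
            return r["action"], n
    return "deny", None

def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(_covers(rules[i], rules[j]) for i in range(j))]

if __name__ == "__main__":
    rules = parse_acl(BAD_ORDER)
    print(first_match(rules, "tcp", "198.51.100.7", "192.0.2.10", 80))  # ('deny', 0)
    print(shadowed_rules(rules))                                         # [1, 2]
```

Moving the deny line to the bottom of the list (re-pasting in the corrected order) makes the permits reachable and leaves no shadowed rules.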