[Dshield] Firewall newbie

Mark Tombaugh mtombaugh at alliedcc.com
Thu Dec 18 22:23:39 GMT 2003


Guy,

There are several things to remember when managing a Cisco PIX. 

Managing your ruleset can be a bit of a pain. Remember that the PIX will 
process the access-list commands in the order they are entered. Access-lists 
that are on top when you run "wr t" will be processed first, so if you have 
deny rules on top of permit rules, the deny rules will take precedence, and 
vice versa. If you use any "deny any any" rules, make sure they are at the 
bottom. Use a text editor to tune your ruleset, then paste it to the PIX.

Don't use the conduit command. Set up access-groups for inbound and outbound 
and apply your filters to each group.

Don't depend on, or even use if possible, the PDM.

When configuring VPNs be very careful when applying crypto rules, "crypto map 
<mapname> interface outside" in particular. If you config remotely, you might 
completely lose connection if the config isn't perfect.

PIX ssh only uses DES AFAIK so to get in, use "ssh -c DES -l pix <ip>".

"show access-list" will give a brief hitcount, hits since last reboot.

Log to a local syslog server to keep up with activity. 
<http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094030.shtml>
<http://freshmeat.net> has a couple nice utilities that parse PIX logs. MRTGs 
or MRTNKs via SNMP are also useful. Send to DShield from the syslog server.

I am surprised you aren't impressed with Cisco's documentation. Their docs are 
excellent IMHO. eg: <http://www.cisco.com/en/US/products/sw/secursw/ps2120/> 
You will find several install & config guides there, as well as sample configs 
for VPNs, DMZ setups etc. If you get into a major bind and still have access 
to e-mail, drop me a msg off list. 

HTH,

-- 
   Mark Tombaugh <mtombaugh at alliedcc.com>
   Allied Computer Corporation <http://www.alliedcc.com>
   USiHOST, iNC. <http://www.usihost.com>
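The access-list advice above (first match wins, so a "deny any any" on top silently kills every permit below it) is easy to check before pasting a ruleset to the box. The following is an added example, not code from Mark's post or from Cisco: a small first-match evaluator for PIX-style extended access-list lines plus a check that flags any rule fully covered by an earlier one. The syntax it accepts is deliberately reduced to `access-list <name> permit|deny <proto> <src> <dst> [eq <port>]`, and the two rulesets at the bottom are constructed samples, not a real configuration.

```python
"""
Added example (not from the original post): first-match evaluation of
PIX-style access-list lines, and a shadowing check for mis-ordered rules.
Address specs are 'any', 'host A.B.C.D', or 'A.B.C.D MASK' (PIX uses a normal
subnet mask here, not an IOS-style wildcard mask).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Rule:
    acl: str
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]        # destination port from "eq <port>", None if absent
    text: str                  # original line, kept for reporting


def _addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_rule(line):
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = None
    if i + 1 < len(t) and t[i] == "eq":
        name = t[i + 1]
        port = int(name) if name.isdigit() else PORT_NAMES[name]
    return Rule(t[1], t[2], t[3], src, dst, port, line.strip())


def parse_acl(config_text):
    """Keep the access-list lines of a pasted config, in the order given."""
    return [parse_rule(l) for l in config_text.splitlines() if l.strip().startswith("access-list")]


def evaluate(rules, proto, src, dst, port=None):
    """First matching rule decides; the PIX denies anything no rule matches."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if ((r.proto == "ip" or r.proto == proto)
                and src_ip in r.src and dst_ip in r.dst
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"


def shadowed_rules(rules):
    """Return (shadowed, shadowing) text pairs: a later rule that an earlier
    rule fully covers can never be reached, whatever its action."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if ((earlier.proto == "ip" or earlier.proto == later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.port is None or earlier.port == later.port)):
                found.append((later.text, earlier.text))
                break
    return found


# Constructed sample rulesets: the first has the catch-all deny on top.
WRONG_ORDER = """\
access-list acl_out deny ip any any
access-list acl_out permit tcp 10.0.0.0 255.255.255.0 host 192.0.2.10 eq www
"""
RIGHT_ORDER = """\
access-list acl_out permit tcp 10.0.0.0 255.255.255.0 host 192.0.2.10 eq www
access-list acl_out deny ip any any
"""

if __name__ == "__main__":
    for label, cfg in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        rules = parse_acl(cfg)
        print(label, "- web from 10.0.0.5:", evaluate(rules, "tcp", "10.0.0.5", "192.0.2.10", 80))
        for later, earlier in shadowed_rules(rules):
            print("  unreachable:", later, "\n  covered by: ", earlier)
```

Run it against a ruleset saved from the text editor before pasting: a non-empty result from `shadowed_rules` means a rule is dead, which is almost always an ordering mistake. The check is conservative on purpose; it only reports a rule that a single earlier rule covers entirely, so a permit split across two earlier denies would still need a human eye.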
