
Access-lists

CMASPE
Sep 25, 2001
I have been looking for a good "article" on access-lists and have not found one. I have taken over as an SA and have a PIX 515R. They set up NO access-lists and let all traffic through..so basically it is a sitting waste of money, right?! I put on the SANS recommended list of anti-spoofing access-lists but I am looking for more. I have real-world IPs on my "inside" network and went to and had them show me how secure my system is..ha. So basically I want to lock down the inside but still be able to surf the net and do other things we need. I set up an access-list restricting some flow and seemed to lock everyone out. Any suggestions?
 
CMASPE,

So by default the PIX runs the ASA (Adaptive Security Algorithm). That says that by default any connection originating inside is allowed out and no connections originating outside are allowed in.

If you are using public IPs on your network you probably have the PIX configured for "nat 0" or no NAT. ASA is still running.

The PIX also has an RFC 2267 filter. You should probably turn that on rather than write those ACLs.

Otherwise what you do on your PIX should depend on your corporate security policy. That would define what users are allowed and not allowed to do on the Internet connection. Sounds like you'll need to create that. No?

Liberty for All,

Brian
 
Brian,
I follow all of that logic and agree, but take a look at the current config. There is no nat (0) statement. Inbound connections ARE allowed to get in. My programmer tells me he has his wks hard drive mapped at home. He gets an NT challenge, but boo hoo, someone could get past that. I put the anti-spoofing on the router Serial int so I am cool there. I want to limit who can get in to my network and use the PIX to the fullest. Could you take a sec and look at my current config (which I have not touched except to limit the telnet access)? Any comments and sugg. would be great. I mean, should I leave the current config and put in the nat statement, or redo the config and NAT the inside addresses to make it more secure?


PIX Version 5.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
enable password KD5yTHD9ywYo32ZI encrypted
passwd b6ZsBGZIV.tPUUgC encrypted
hostname ensync
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
no names
access-list 1 permit ip any any
access-list 1 permit icmp any any
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
ip address outside XX.XX.XX.XX 255.255.255.252
ip address inside XX.XX.XX.X 255.255.255.224
ip address dmz1 XX.XX.XX.X 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
static (inside,outside) XX.XX.XX.2 XX.XX.XX.2 netmask 255.255.255.255 0 0
(All the rest of the inside Ip's )
static (dmz1,outside) XX.XX.XX.1 XX.XX.XX.1 netmask 255.255.255.255 0 0
(all the rest of the DMZ Ip's)
access-group 1 in interface outside
conduit permit tcp any any
conduit permit icmp any any
established tcp 0 0 permitto tcp 0 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet XX.XX.XX.XX 255.255.255.255 inside
telnet XX.XX.XX.XX 255.255.255.255 dmz1
telnet timeout 60
ssh timeout 5
terminal width 80
Cryptochecksum:7845c387b8d8e889b9302e6639666725
: end
 
CMASPE,

Big Red Flag!

conduit permit tcp any any
conduit permit icmp any any

This means that your PIX is wide open for TCP and ICMP traffic coming from anywhere on the Internet going into and out of your site. That's a wide open security policy. It allows all ports through.

Liberty for All,

Brian
 
Hi.

The access-list commands are also wide open.
Someone before you had problems configuring the PIX, so for troubleshooting he opened all ports, then left them so.

My suggestion - reconfig the PIX as soon as possible.
Even if it will stop internet access for your company for some time.

Use of nat 0 seems to me more logical than the static command.
You can also use normal NAT/PAT to hide private network addresses, even if your workstations have registered IP addresses, unless you have a reason not to.

For internal/DMZ servers (only) that need to be accessed from outside, create a static mapping and access-list for specific open ports like 25.

At first, leave the default ASA logic as is - let outbound connections go free, but block inbound connections except specific host/port access.

Later, if you wish, you can start playing with outbound connections, which are less risky than your current "transparent" firehole.

Bye
Yizhar Hurwitz
 
Thank you guys very much....like I said I am not a PIX expert but I knew that something wasn't right when I saw the TCP and ICMP wide open. I will reconfig the PIX and just try some things out. Again thank you guys!!!!!!
 
CMASPE,
Your starting config is SO open that I (pretty much a PIX novice) have to wonder whether it was intentional--if there was ill will, perhaps just to let any malicious person who found it create havoc. It's not hard to write a conduit or ACL that limits the most dangerous stuff. If I were you I'd be looking for possible back doors and other security issues in the system.

Peter
 
This is an old thread so I'm not sure if this will get to you CMASPE. Aside from the obvious TCP/ICMP - your SNMP community string is "public". You should change this to something other than the default, and make it much more cryptic.
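Putting the replies together (Brian's ASA and nat 0 points and RFC 2267 filter, Yizhar's inbound lockdown with a static plus access-list for specific ports, and the SNMP community change above), here is an added example of what the tightened PIX 5.2 policy could look like. It is not the poster's config or anything from the thread; it assumes the inside network is XX.XX.XX.0/27 (from the posted inside address mask), that the DMZ host XX.XX.XX.1 from the existing static is the SMTP server, and that the new community string is a placeholder to be replaced.

```cisco
! Added example (not from the thread): tightened PIX 5.2 policy.
! Addresses are the thread's XX.XX.XX placeholders; the SMTP host,
! the inside network mask and the SNMP community are assumptions.

! 1. Remove the wide-open policy found in the posted config
no access-group 1 in interface outside
no access-list 1 permit ip any any
no access-list 1 permit icmp any any
no conduit permit tcp any any
no conduit permit icmp any any
no established tcp 0 0 permitto tcp 0 permitfrom tcp 0

! 2. Keep the registered inside addresses untranslated (Brian's "nat 0").
!    ASA still applies: inside may originate connections out, outside
!    may not come in unless an access-list explicitly allows it.
nat (inside) 0 XX.XX.XX.0 255.255.255.224
! nat 0 now covers the inside hosts, so the per-host inside statics
! that exposed every workstation are no longer needed
no static (inside,outside) XX.XX.XX.2 XX.XX.XX.2 netmask 255.255.255.255 0 0

! 3. Identity static for the DMZ mail server (assumed to be XX.XX.XX.1);
!    only the listed port is reachable from the outside interface.
static (dmz1,outside) XX.XX.XX.1 XX.XX.XX.1 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host XX.XX.XX.1 eq smtp
! Replies to outbound pings and path-MTU/traceroute errors, nothing else
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
! Everything else inbound is dropped (the implicit deny, written out)
access-list outside_in deny ip any any
access-group outside_in in interface outside

! 4. The built-in RFC 2267 anti-spoofing check Brian referred to
ip verify reverse-path interface outside

! 5. Replace the default SNMP community string (placeholder value)
no snmp-server community public
snmp-server community CHANGE-ME-PLACEHOLDER
```

After applying it, `show access-list outside_in` hit counts and the `logging` settings (currently all off in the posted config) are what tell you whether the remaining inbound traffic is what you expect.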
 