I need some advice from some people that actually have live systems

[ForumKid]

Hi,
My question is. I have my pix firewall. Its configured tightly. Only allowing port 80 and port 25 to come in. I have implemented egress filtering on the inside interface as well as the dmz interface. Its running IDS. Should I bother going crazy with iptables scripts on my server? The pix is very smart and with access-lists I control everything. I have implemented many security procedures on my servers and I only run the processes that i need, but do i need the software firewall? If I start implementing the rules on my pix to iptables on my server, isnt that doubling up? So if i were to double up I think that would be a waste. And that would mean that i dont trust my pix.

Maybe some people can shed some light on this for me.
Thanks

 

[jason1321]

Don't worry, your pix won't get it's feelings hurt. Personally, I not only have firewalls in place, but two different vendors NIDS, some software firewalls and HIDS. The Pix is pretty good at not letting things through that other firewalls will let sail right through (see smtp fixup command), but it is not perfect. You should always think of your servers as wide open to whatever your letting through the firewall. I quite often see my server people having to rebuild web servers because someone didn't patch correctly or in a timely fashion. Doubling up is always smart. Triple up if you can.....

 

[dchp]

Don't forget your internal users. They can be the most dangerous, and your pix will not be of much help as they are inside your network....