Is this pix secure?

[pmandra]

Hi,
I've been told by a third-party vendor that my pix is not secure...since I am not too familiar with th e pix, can you please check my config? (I 'x'ed out the specifics).
Thanks!!

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd JLxfd8kTmoikuP.G encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside My.Network.Environment.Work 255.255.255.224
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.254
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x-x.x.x.x
global (outside) 1 x.x.x.x
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit tcp any any eq pcanywhere-data
conduit permit udp any any eq pcanywhere-status
conduit permit tcp any any eq telnet
conduit permit udp any any eq 23
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto-map mymap 10 ipsec-isakmp dynamic dynmap
crytpo map mymap interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 192.168.1.2
vpngroup vpn3000 wins-server 192.168.1.2
vpngroup vpn3000 default-domain x.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password password
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:1b3ce9a6d3182abe4093d987b07c6271

 

[ChrisAC]

If you had statics set up then yes, it would be insecure. However, you don't have any so I'm not sure why you have conduits set up.

You also allow telnet access to the firewall from anywhere on your inside network. This really should be tied down to hosts that need management access and really ssh would be better and more secure.

Also your SNMP community is 'public'. Bad idea!

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[colinT23]

Hi Chris,

If this guy hasn't any SNMP stations setup, why is 'Public' a bad idea ?

Regards Colin.

 

[ChrisAC]

He has the command "snmp-server community public" in his config so the Pix is open to SNMP queries using the 'public' string. It's nothing to do with SNMP on servers behind the pix, it's SNMP TO the pix.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[colinT23]

Hi Chris,

Thanks for that but now I am confused ! Nearly all the configs I see on this site has 'snmp-server community public' in. What is your advice on this?

Regards Colin.

 

[ChrisAC]

Firstly, if you are not using SNMP don't have an snmp community string configured (no snmp-server community public). If you are going to use SNMP make the community string something a bit more cryptic than "public". Also use ACL's to prevent unauthorised SNMP queries to the firewall. Only allowed designated management IP addresses.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[sbaldwin22]

I wouldn't use "des" as an encryption scheme for your vpn connections. I would setup "3des" is a minimum and also configure "aes".

I would change your config to look like this:

crypto ipsec transform-set myset esp-3des esp-md5-hmac (<-- changed)
crypto ipsec transform-set myset2 esp-aes esp-sha-hmac (<-- new)
crypto dynamic-map dynmap 10 set transform-set myset2 myset (<-- changed)
crypto-map mymap 10 ipsec-isakmp dynamic dynmap
crytpo map mymap interface outside
isakmp policy 5 authentication pre-share (<--new)
isakmp policy 5 encryption aes (<-- new)
isakmp policy 5 hash sha (<-- new)
isakmp policy 5 group 2 (<-- new)
isakmp policy 5 lifetime 28800 (<-- new)
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des (<--changed)
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800 (<--changed)

Get rid of the "conduit" commands, you should use the vpn client connections to gain access to PC Anywhere or telnet. You're going to want to setup some access lists for your vpn client connections and only allow traffic to devices as needed.

 

[karmic]

hrmm... i'm no pix expert but I see an access-list and it's not bound to an access group?

What is the role of the pix? Is it supposed to protect a different subnet with internet access? If so, there's no outbound restrictions either.

~ K.I.S.S - Don't make it any more complex than it has to be ~

 

[ChrisAC]

Karmic,

The purpose of that access list is to match traffic for the 'no nat' config. ie. Do not perform NAT between VPN encryption domain (or to be more accurate, NAT to the same IP address).

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list 101

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[karmic]

whoops, my bad... missed that point entirely.

~ K.I.S.S - Don't make it any more complex than it has to be ~