
pix 515 vpn security question


fpower

MIS
Aug 12, 2003
54
US
Hi,

I am new to Cisco and need some guidance.
I have set up VPN access using my Cisco PIX 515, Cisco client 3.51 and authenticating to an IAS server (also a DC) in my private network. Everything works fine, but a consultant came in and said it should be more secure but gave no opinion on how to do it. My boss now wants it more secure.
Any ideas of what I can do?
Here is my config:
Thanks in advance

access-list 100 permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
nat (dmz) 0 access-list 100

aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.1.0.10 255.255.255.255 password timeout 5

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

ip local pool vpnpool 10.0.10.1-10.0.10.254
vpngroup my-vpn-group address-pool vpnpool
vpngroup my-vpn-group dns-server 10.0.10.11
vpngroup my-vpn-group wins-server 10.0.10.11
vpngroup my-vpn-group idle-time 1800
vpngroup my-vpn-group default-domain my-domain.com
vpngroup my-vpn-group password xxxxxxxx
 
A couple of things I can think of such as sha instead of md5, 3des instead of des and using digital certs instead of pre-share.
Using these will add a little overhead also.
 
Your definition of secure is too ambiguous at this point to know what you mean. You need a definite security policy to define what your ideology of *security* is.

What I would change:

3des would be the most obvious thing. That requires an additional license on the PIX. Digital certs are more of a hassle than anything else. I would never use them for authentication into a network...only into a specific machine. Pre-shared key is fine. You still have to have a login id and password to authenticate to the Radius/IAS server. Digital cert won't give you anything except more administrative overhead.

I find that most organizations have a ruleset on their PIX to let EVERYTHING go out, and almost nothing come in. If you want to restrict that a little more, I'd go right down to protocol by protocol of what you want allowed going out. For my company, it's about 4-5 protocols: http, https, ssh, citrix-ica, pptp, and ftp. In addition to the PIX, we also have a content filter (SurfControl) running in front of our firewall that will filter traffic based on several different kinds of rulesets.

Back to the VPN setup, I'd also create different VPN groups for different classifications of users. Example, in my company, we have basically 3 groups: sales, customer services, development. We have 3+ VPN groups for all those users. Sales get access to the web servers and some other stuff. Customer service gets access to web servers, some internal documents on a couple servers. Development gets access to our CVS and web servers. This can all be controlled by access lists on the PIX. Depending on which VPN group you give those users access to determines what machines they can connect to once VPN authentication is successful.

Again, I think you need to go back and define specifically what your particular security policy is.
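To put the two replies above into PIX 6.x syntax, here is a hardened version of the posted config. This is an added illustration, not config from either poster or from Cisco documentation. It assumes the 3DES license is present (the second reply notes it is required), that the IAS server at 10.1.0.10 also serves DNS, and it uses made-up group names (sales-vpn, dev-vpn), pool ranges and internal hosts (10.1.0.20 as a web server, 10.1.0.30 as a CVS server) standing in for whatever the real network has. Lines starting with a colon are comments.

```cisco
: Added example, not the original poster's config. Addresses and group names are placeholders.
:
: Phase 1 (IKE): 3DES instead of DES, SHA instead of MD5. Pre-shared key kept, as the
: second reply argues; the RADIUS/IAS login (xauth) still happens on top of it.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
:
: Phase 2 (IPsec): same upgrade on the transform set.
crypto ipsec transform-set strongset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strongset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
:
: One address pool and one vpngroup per class of user, each with its own group key.
: The pool a client is assigned from then tells the firewall which class it is.
ip local pool salespool 10.0.10.1-10.0.10.126
ip local pool devpool 10.0.10.129-10.0.10.254
vpngroup sales-vpn address-pool salespool
vpngroup sales-vpn dns-server 10.1.0.10
vpngroup sales-vpn idle-time 1800
vpngroup sales-vpn password <sales-group-key>
vpngroup dev-vpn address-pool devpool
vpngroup dev-vpn dns-server 10.1.0.10
vpngroup dev-vpn idle-time 1800
vpngroup dev-vpn password <dev-group-key>
:
: With "sysopt connection permit-ipsec" set, decrypted VPN traffic skips the outside
: access-list entirely. Removing it makes each pool subject to the ACL below, so only
: the hosts and ports listed are reachable after a successful VPN login.
no sysopt connection permit-ipsec
access-list outside_in permit tcp 10.0.10.0 255.255.255.128 host 10.1.0.20 eq www
access-list outside_in permit tcp 10.0.10.128 255.255.255.128 host 10.1.0.20 eq www
access-list outside_in permit tcp 10.0.10.128 255.255.255.128 host 10.1.0.30 eq 2401
access-list outside_in permit udp 10.0.10.0 255.255.255.0 host 10.1.0.10 eq domain
access-group outside_in in interface outside
```

Two things to check when adapting this: the nat 0 exemption list (access-list 100 in the original post) must cover the new pool subnets, otherwise return traffic to the clients gets translated, and once sysopt is removed every inside host a VPN user needs must appear in outside_in, so test each group with a client before rolling it out.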
 