PIX Perimeter Defence?

technical1

Technical User
Sep 2, 2002
52
GB
Hi All,
I was reading the following article on how bad it is to rely on your Firewall (PIX) as a single point of defence.

Would you agree? I'm managing a small web farm and rely on my PIX to stop nasty hackers. But it seems that this may not be enough?

Article:

Comments welcomed.

Regards,
Vinay
 
"Defense In Depth," as it is known, is definitely a cornerstone of best security practices. The article is not bad, but the author seems to gloss over a key point:

You need to conduct a Cost-Of-Data study to determine what your needs are, and how much you should spend on security. For example, if your data is worth $100,000, does it make sense to throw $250,000 into a security solution to protect that data? Likewise, a single security point protecting $100,000 in data may also not be a good idea.

That said, you do want to provide as many barriers as you possibly can. The key here is to make yourself look less attractive to hackers than the next site.

What if you have a shoestring budget? Here's a simple and cheap way to provide multiple barriers:

1) Use access-lists on your Internet router to only permit what is absolutely necessary. You'll be surprised how easy it is to cut down on scans and spoofing attacks simply by filtering 127.0.0.1, 20.0.0.0, 172.16.0.0, and 192.168.0.0 from coming in. Add to that only traffic that is permitted and that's a good first barrier.

2) Download the Snort IDS and place it on your Internet segment. The software is free, so all you need is a cheap PC with a bit of disk space.

3) Make the PIX your last barrier.

Now you have two layers a person must break through, and an IDS to detect anything past the first layer. Just doing this will be a step farther than 90 percent of all websites on the Internet.

Just my two cents...
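To show what the first barrier in the three steps above actually does, here is an added example (not from the poster or from Cisco) that models the inbound router access-list as first-match rules and runs it over a few constructed log lines. The spoofed-source list uses loopback plus the three RFC 1918 private ranges, and the web farm address block 203.0.113.0/28 and the permitted ports 80/443 are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Spoofed-source prefixes to drop at the Internet router (assumption:
# loopback plus the three RFC 1918 private ranges). None of these should
# ever arrive on the outside interface, so any hit is a spoof or a scan.
SPOOFED_SOURCES = [
    ipaddress.ip_network(p)
    for p in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed web farm block and the only services published to the Internet.
WEB_FARM = ipaddress.ip_network("203.0.113.0/28")
ALLOWED_PORTS = {80, 443}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def ingress_decision(pkt: Packet) -> str:
    """First-match evaluation of the inbound ACL; returns the rule that fired."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Rule 1: drop anything claiming a loopback or private source from outside.
    for net in SPOOFED_SOURCES:
        if src in net:
            return f"deny spoofed-source {net}"
    # Rule 2: permit only the published web services to the farm.
    if pkt.proto == "tcp" and dst in WEB_FARM and pkt.dport in ALLOWED_PORTS:
        return "permit web"
    # Implicit deny: everything else is dropped before it reaches the PIX.
    return "deny implicit"


def evaluate_log(lines):
    """Parse constructed 'src dst proto dport' lines and map each to its verdict."""
    verdicts = {}
    for line in lines:
        src, dst, proto, dport = line.split()
        verdicts[line] = ingress_decision(Packet(src, dst, proto, int(dport)))
    return verdicts


# Constructed sample traffic seen on the outside interface.
SAMPLE_LOG = [
    "192.168.1.5 203.0.113.2 tcp 80",    # private source from the Internet
    "198.51.100.7 203.0.113.2 tcp 443",  # legitimate HTTPS to the farm
    "198.51.100.7 203.0.113.2 tcp 22",   # SSH probe, not published
    "127.0.0.1 203.0.113.3 udp 53",      # loopback source, always spoofed
]

if __name__ == "__main__":
    for line, verdict in evaluate_log(SAMPLE_LOG).items():
        print(f"{line:36} -> {verdict}")
```

Only the second line is passed on to the PIX; the other three are dropped at the router and would show up in Snort only if the ACL were missing.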
 
Hi,
Another point which the article did not touch on is "application hacking". No firewall or IDS can stop a skilled application hacker. It all occurs over port 80 and would seem as normal traffic. Websites need to be designed with secure code. An example of application hacking is SQL Injection.

Mike
 