[c-nsp] Pix hardening
Church, Chuck
cchurch at netcogov.com
Tue Dec 14 07:58:05 EST 2004
Anyone,
I'm interested in what people are doing to harden PIX installs.
I've got a 506 running 6.3.4. I'm not finding many recommendations on
the 'net for the Pix, unlike IOS. What I've got so far is:
SSH and HTTPS (both 3DES) only allowed from a couple outside
networks/hosts
Telnet not allowed from anywhere
No VPN support configured anywhere
1 NTP server configured on the outside - not using authentication (yet)
Bogon sources filtered via outside ACL, only the 5 services to the
various inside hosts and ICMP (echo-reply,time-exceeded,unreachable) are
allowed in. No logging of the ACLs configured. I find it odd that some
ICMP types (like packet-too-big) aren't configurable in PIX...
Bogon destinations filtered via inside ACL, also blocking all outbound
NetBIOS in case of internal worm infestation...
Unicast RPF checking on both inside and outside ints
Info and attack alarming and dropping enabled for outside interface
All the default xlate and fixup settings are used
No ICMP services are enabled for the outside interface (meaning that I
didn't turn any on, not sure if any are on by default that shouldn't)
Anything else that should be added or changed?
Thanks,
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
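For reference, here is a PIX 6.3 configuration fragment, added as an example and not taken from Chuck's post, that implements the list above. The addresses (RFC 5737 documentation space), the ACL names, the two management hosts and the NTP key are assumptions; the bogon list is deliberately partial and the NTP secret is a placeholder.

```cisco
! Added example (not from the original post): PIX 6.3 config fragment
! approximating the hardening list. Addresses are RFC 5737 documentation
! space; ACL names, management hosts and the NTP key are assumed.
hostname pix506
! Management: SSH/HTTPS only from two outside hosts; no telnet lines at all
ca generate rsa key 1024
ca save all
ssh 192.0.2.10 255.255.255.255 outside
ssh 192.0.2.11 255.255.255.255 outside
ssh timeout 5
http server enable
http 192.0.2.10 255.255.255.255 outside
http 192.0.2.11 255.255.255.255 outside
! Single outside NTP server, with MD5 authentication (the "yet" in the post)
ntp authentication-key 1 md5 REPLACE_WITH_SHARED_SECRET
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.123 key 1 source outside
! Nothing may send ICMP to the outside interface address itself
icmp deny any outside
! Inbound: drop bogon sources (partial list), permit only the published
! services and the three ICMP types; everything else hits the implicit deny
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in permit tcp any host 203.0.113.5 eq www
access-list outside_in permit tcp any host 203.0.113.5 eq https
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
! Outbound: block NetBIOS/SMB and bogon destinations, allow the rest
access-list inside_out deny udp any any range 137 139
access-list inside_out deny tcp any any eq 139
access-list inside_out deny tcp any any eq 445
access-list inside_out deny ip any 10.0.0.0 255.0.0.0
access-list inside_out permit ip any any
access-group inside_out in interface inside
! Unicast RPF on both interfaces
ip verify reverse-path interface outside
ip verify reverse-path interface inside
! Info and attack signatures alarm and drop on the outside interface
ip audit name outside_ids info action alarm drop
ip audit name outside_ids attack action alarm drop
ip audit interface outside outside_ids
```

Verify the result with `show access-list` (hit counters per line) and `show ip audit count` so that dropped traffic is visible even though the ACLs themselves are not logged.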