[c-nsp] Pix hardening
Brant I. Stevens
branto at branto.com
Tue Dec 14 09:22:38 EST 2004
I've added a "blocked-hosts" object group to the first ACE that blocks all
traffic. Very handy for blocking hosts on a temporary basis (crawlers that
don't respect robots.txt, etc.)
That smtp fixup may bite you in the ass... I'd turn it off, if you want
mail to work, that is... ;)
On 12/14/2004 07:58 AM, "Church, Chuck" <cchurch at netcogov.com> wrote:
> Anyone,
>
> I'm interested in what people are doing to harden PIX installs.
> I've got a 506 running 6.3.4. I'm not finding many recommendations on
> the 'net for the Pix, unlike IOS. What I've got so far is:
>
> SSH and HTTPS (both 3DES) only allowed from a couple outside
> networks/hosts
>
> Telnet not allowed from anywhere
>
> No VPN support configured anywhere
>
> 1 NTP server configured on the outside - not using authentication (yet)
>
> Bogon sources filtered via outside ACL, only the 5 services to the
> various inside hosts and ICMP (echo-reply,time-exceeded,unreachable) are
> allowed in. No logging of the ACLs configured. I find it odd that some
> ICMP types (like packet-too-big) aren't configurable in PIX...
>
> Bogon destinations filtered via inside ACL, also blocking all outbound
> NetBIOS in case of internal worm infestation...
>
> Unicast RPF checking on both inside and outside ints
>
> Info and attack alarming and dropping enabled for outside interface
>
> All the default xlate and fixup settings are used
>
> No ICMP services are enabled for the outside interface (meaning that I
> didn't turn any on, not sure if any are on by default that shouldn't)
>
> Anything else that should be added or changed?
>
> Thanks,
>
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation Team
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 703-819-3495
> cchurch at netcogov.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
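The checklist in Chuck's post and the "blocked-hosts" object group and SMTP fixup advice from the reply, put into concrete PIX 6.3 commands as an added example. This is not configuration from either poster: the addresses are constructed from the RFC 5737 documentation ranges, and the ACL, object-group, audit-policy and interface names are assumptions. Two points worth noting on the ICMP question: PIX 6.x access lists match ICMP on type only, and packet-too-big is type 3 (unreachable) code 4, so the `unreachable` line already admits it; and the `log` keyword on the final deny, new in 6.3, is what turns the "no logging of the ACLs" item into syslog evidence of what is being dropped.

```cisco
: Added example (not from the thread): PIX 6.3 outside hardening built from
: the checklist above. Addresses are RFC 5737 documentation ranges and are
: constructed; ACL, object-group, audit and interface names are assumptions.
:
: Temporary blocklist kept in an object group, so the first ACE never changes
: while hosts are added and removed.
object-group network blocked-hosts
  description hosts blocked temporarily (crawlers ignoring robots.txt etc.)
  network-object host 192.0.2.10
  network-object 192.0.2.128 255.255.255.128
:
: Outside ACL: blocklist first, then bogon and private sources, then only the
: published services, then the ICMP types PMTUD and traceroute need.
: Destinations are the global (outside) addresses, since NAT is applied
: before the ACL is evaluated on PIX 6.x.
access-list outside_in deny ip object-group blocked-hosts any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
: our own outside block as a source is spoofed by definition
access-list outside_in deny ip 203.0.113.0 255.255.255.0 any
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-list outside_in permit tcp any host 203.0.113.80 eq www
access-list outside_in permit tcp any host 203.0.113.80 eq https
access-list outside_in permit icmp any 203.0.113.0 255.255.255.0 echo-reply
access-list outside_in permit icmp any 203.0.113.0 255.255.255.0 time-exceeded
access-list outside_in permit icmp any 203.0.113.0 255.255.255.0 unreachable
: explicit final deny with logging (6.3+), so drops show up as 106100 syslogs
access-list outside_in deny ip any any log
access-group outside_in in interface outside
:
: Unicast RPF on both interfaces
ip verify reverse-path interface outside
ip verify reverse-path interface inside
:
: Management: SSH and HTTPS only from the admin network; no telnet lines at all
ssh 198.51.100.0 255.255.255.0 outside
ssh timeout 5
http server enable
http 198.51.100.0 255.255.255.0 outside
:
: ICMP addressed to the firewall itself on the outside interface
icmp deny any outside
:
: IDS signatures: alarm on info matches, alarm and drop on attack matches
ip audit name outside-info info action alarm
ip audit name outside-attack attack action alarm drop
ip audit interface outside outside-info
ip audit interface outside outside-attack
:
: Single NTP server reached via the outside interface
ntp server 203.0.113.123 source outside
:
: Mail Guard disabled as the reply suggests; left on, the fixup rewrites
: ESMTP commands it does not know, which breaks many modern mail servers.
no fixup protocol smtp 25
:
: Send the ACL and audit messages somewhere they will be read
logging on
logging trap warnings
logging host inside 10.1.1.5
```

Order matters in the outside ACL: the blocklist and bogon denies sit above the service permits, and the logged deny is last so that only traffic nothing else matched is recorded. Check the result with `show access-list outside_in`, which shows the hit count per ACE, and `show ip verify statistics` for packets dropped by uRPF.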