[c-nsp] Pix hardening
Brian Turnbow
b.turnbow at twt.it
Tue Dec 14 12:21:41 EST 2004
It's a good idea to set connection limits on the static command to limit outside NAT connections; you can set max and "embryonic" (in handshaking phase) limits.
It's a bit of a pain, but I prefer to permit outgoing sessions based on what is needed, block the rest, and always block SMTP for all but the mail server.
With the icmp command you can permit/deny based on type and IP address, and you can use IDS to permit/deny signatures, for example ICMP large packet, but you can't configure the limits in the signatures, at least I haven't found a way to with the PIX.
All the supported IDS signatures are listed in the PIX system log messages.
Hope this helps
Brian
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Chuck
Sent: Tuesday 14 December 2004 13.58
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Pix hardening
Anyone,
I'm interested in what people are doing to harden PIX installs.
I've got a 506 running 6.3.4. I'm not finding many recommendations on the 'net for the Pix, unlike IOS. What I've got so far is:
SSH and HTTPS (both 3DES) only allowed from a couple outside networks/hosts
Telnet not allowed from anywhere
No VPN support configured anywhere
1 NTP server configured on the outside - not using authentication (yet)
Bogon sources filtered via outside ACL, only the 5 services to the various inside hosts and ICMP (echo-reply,time-exceeded,unreachable) are allowed in. No logging of the ACLs configured. I find it odd that some ICMP types (like packet-too-big) aren't configurable in PIX...
Bogon destinations filtered via inside ACL, also blocking all outbound NetBIOS in case of internal worm infestation...
Unicast RPF checking on both inside and outside ints
Info and attack alarming and dropping enabled for outside interface
All the default xlate and fixup settings are used
No ICMP services are enabled for the outside interface (meaning that I didn't turn any on, not sure if any are on by default that shouldn't be)
Anything else that should be added or changed?
Thanks,
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
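For readers wanting to see what the points raised in both messages above look like in PIX 6.3 configuration syntax, here is an added example fragment. It is not from either poster nor from Cisco; all addresses (203.0.113.x, 198.51.100.x, 10.0.0.x, 192.0.2.x), ACL and audit names, key values and the IDS signature number are assumptions chosen for illustration, and each should be checked against the PIX 6.3 command reference and the signature list in the PIX system log message guide before use. Lines beginning with "!" are explanatory comments for the reader.

```text
! Added example, not from the thread above. PIX 6.3 hardening fragment.
! All addresses, names and the signature number below are assumed values.

! --- Management plane: SSH/HTTPS only from a few outside hosts, no telnet ---
! (telnet is closed by default as long as no "telnet" entries are added)
ssh 198.51.100.0 255.255.255.0 outside
ssh timeout 5
http server enable
http 198.51.100.0 255.255.255.0 outside

! --- NTP with authentication (closes the "not using authentication yet" gap) ---
ntp authenticate
ntp authentication-key 1 md5 REPLACE_WITH_SHARED_SECRET
ntp trusted-key 1
ntp server 192.0.2.1 key 1 source outside

! --- Inbound statics: cap total and embryonic (half-open) connections ---
! static ... [max_conns [emb_limit]]; 0 means unlimited.
! Weak form (commented out): an outside host can fill the conn table.
! static (inside,outside) 203.0.113.25 10.0.0.25 netmask 255.255.255.255 0 0
! Hardened form: at most 500 connections, 100 of them still in handshake.
static (inside,outside) 203.0.113.25 10.0.0.25 netmask 255.255.255.255 500 100
access-list OUTSIDE_IN permit tcp any host 203.0.113.25 eq smtp
! ICMP types that should be allowed back in to inside hosts.
access-list OUTSIDE_IN permit icmp any any echo-reply
access-list OUTSIDE_IN permit icmp any any time-exceeded
access-list OUTSIDE_IN permit icmp any any unreachable
! Bogon / private source addresses never arrive legitimately from the outside.
access-list OUTSIDE_IN deny ip 10.0.0.0 255.0.0.0 any
access-list OUTSIDE_IN deny ip 172.16.0.0 255.240.0.0 any
access-list OUTSIDE_IN deny ip 192.168.0.0 255.255.0.0 any
access-list OUTSIDE_IN deny ip any any
access-group OUTSIDE_IN in interface outside

! --- Outbound policy on the inside interface ---
! Only the mail server may originate SMTP; everyone else is denied.
access-list INSIDE_OUT permit tcp host 10.0.0.25 any eq smtp
access-list INSIDE_OUT deny tcp any any eq smtp
! Keep NetBIOS/SMB inside the network (worm containment).
access-list INSIDE_OUT deny udp any any range 137 138
access-list INSIDE_OUT deny tcp any any eq 139
access-list INSIDE_OUT deny tcp any any eq 445
! Bogon destinations (assumes these ranges are not used internally).
access-list INSIDE_OUT deny ip any 172.16.0.0 255.240.0.0
access-list INSIDE_OUT deny ip any 192.168.0.0 255.255.0.0
! Permit only what the site needs; the explicit final deny makes drops loggable.
access-list INSIDE_OUT permit udp 10.0.0.0 255.255.255.0 any eq domain
access-list INSIDE_OUT permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list INSIDE_OUT permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list INSIDE_OUT deny ip any any
access-group INSIDE_OUT in interface inside

! --- ICMP addressed to the firewall's own outside interface (icmp command) ---
! With no icmp entries the PIX answers all ICMP; once a list exists, first match wins.
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp deny any outside

! --- Anti-spoofing and IDS signatures ---
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name OUTSIDE_INFO info action alarm
ip audit name OUTSIDE_ATTACK attack action alarm drop
ip audit interface outside OUTSIDE_INFO
ip audit interface outside OUTSIDE_ATTACK
! Signatures have no tunable thresholds on the PIX; they can only be switched off.
! Example (assumed ID; verify in the log message guide before using):
! ip audit signature 2151 disable
```

The two `access-group` lines are what make the ACLs take effect; until they are applied, the `access-list` entries are inert. The order of entries matters because the PIX stops at the first match, which is why the mail server's SMTP permit precedes the SMTP deny and the bogon denies precede the general permits.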
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/