  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 396

PIX Initial Setup

Hi,

We are going to set up a PIX 515E as our firewall. We have three interfaces, one internal, one DMZ, and one external. Where can I find information for initial setup and configuration?

Also, on our current firewall, Raptor 6.0 on an NT box, we set rules for internal users to use different services, such as Telnet, FTP, etc. Currently, we put those users in an NT group, and the firewall rule allows only this group to use FTP, for example. Can I do a similar thing on the PIX?

Another question: we are running a content filtering software, Web Inspector from ELRON Software, which basically filters out some sites so that you can't go there. Is there any similar software that can be integrated with the firewall? Can the PIX be configured to do a similar thing?

Thanks in advance.

Robert100
Asked by robert100
1 Solution
lrmoore commented:
Initial setup:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/bafwcfg.htm

Yes, you can group users, but you would have to use a TACACS+ server to setup the rules/access
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/mngacl.htm

Yes, PIX integrates with WebSense:
The url-server command designates a server that runs Websense, a URL filtering application. Once you designate the server, enable the URL filtering service with the filter command.

http://www.websense.com

Free eval download...
robert100 (Author) commented:
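To make the three pointers in the answer above concrete, here is an added configuration sketch for a PIX running 6.x software; it is not taken from the page or from the Cisco documents linked above. It covers the three-interface layout from the question, the TACACS+-based per-user control of outbound services, and the Websense url-server/filter pair. All addresses, the server tag `AUTHOUT`, the shared key and the Websense host are constructed placeholders; the service permissions themselves (which group may use FTP, Telnet, HTTP) live on the TACACS+ server, not in this file.

```text
! Added example, not from the original page or the linked Cisco docs.
! PIX 6.x syntax; all addresses, keys and tags are constructed placeholders.

! --- interfaces: name, security level, address ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
! Inside hosts leave through a NAT pool on the outside interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! --- per-user / per-group control of outbound services ---
! Authorization of services on the PIX requires a TACACS+ server; the
! group-to-service mapping is configured on that server (placeholder host).
aaa-server AUTHOUT protocol tacacs+
aaa-server AUTHOUT (inside) host 10.1.1.50 S3cr3tKey timeout 10
! Cut-through proxy: an inside user authenticates on the first FTP, Telnet
! or HTTP session; until then no outbound traffic matching "any" passes.
aaa authentication include any inside 0 0 0 0 AUTHOUT
! After login the PIX asks the server whether this user may open the
! requested service, so FTP/Telnet/etc. can be granted per group.
aaa authorization include any inside 0 0 0 0 AUTHOUT

! --- URL filtering via a Websense server on the inside network ---
url-server (inside) host 10.1.1.60 timeout 5
! Send all outbound HTTP to the url-server for a verdict. "allow" fails
! open if the server is unreachable; omit it to fail closed.
filter url http 0 0 0 0 allow
```

The `allow` keyword on the `filter` line is the setting to think about before deploying: with it, users browse freely whenever the Websense host is down; without it, HTTP stops until the server is back. Which one is right depends on whether availability or policy enforcement wins in the agency's rules.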
Thanks for help.

Is there anything we can do to configure similar, if not the same, settings without a TACACS+ server?

Thanks

svindler commented:
You can use a Radius server to achieve the same thing. I guess the Microsoft Radius server will suffice, but I haven't tested it.
You can avoid using a TACACS+ or RADIUS server and still do the same, if you can place the users in different ip ranges, and then create an access-list that allows different things for each range.
lrmoore commented:
Sorry, but there is no way around it with the PIX:
You can use access lists to control traffic based on IP address and protocol, but to control access and use for specific users or groups, you need to use authentication and authorization. Authentication, which is the process of identifying users, is supported by the PIX Firewall for RADIUS and TACACS+ servers. Authorization identifies the specific permissions for a given user.

svindler commented:
I want to explain the last part of my comment a bit.

In the PIX you can base authorisation on either ip addresses or an authentication server like radius or tacacs+.

If a radius or tacacs+ server is not an option, you are stuck on using ip addresses for authorisation.

If you still need authentication, you will have to install a mechanism to use ip addresses for authentication as well.

This can be done by splitting up your network and only allowing users physical access to those parts of the network that have specific access through the PIX, or, for individual authentication, you will have to configure fixed IP addresses for users and trust them not to change the addresses themselves.
robert100 (Author) commented:
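The "authorize by IP range" alternative that svindler describes in the two comments above (no RADIUS or TACACS+ server; each group of users in its own address range, with fixed addresses or a segmented network) looks like the following on a PIX 6.x. This is an added example, not from the page or from Cisco; the subnets, the list name `inside_out` and the group-to-range assignments are constructed placeholders.

```text
! Added example, not from the original page. PIX 6.x access-list syntax
! (subnet masks, not wildcard masks). Entries are evaluated top-down,
! first match wins, and anything not permitted is dropped by the implicit
! deny at the end of the list. All ranges are constructed placeholders.

! Group A (constructed: 10.1.10.0/24) may use FTP, Telnet and NNTP.
access-list inside_out permit tcp 10.1.10.0 255.255.255.0 any eq ftp
access-list inside_out permit tcp 10.1.10.0 255.255.255.0 any eq telnet
access-list inside_out permit tcp 10.1.10.0 255.255.255.0 any eq nntp

! Group B (constructed: 10.1.20.0/24) may additionally use FTP only.
access-list inside_out permit tcp 10.1.20.0 255.255.255.0 any eq ftp

! Everyone on the inside (constructed: 10.1.0.0/16) gets web and DNS.
access-list inside_out permit tcp 10.1.0.0 255.255.0.0 any eq www
access-list inside_out permit udp 10.1.0.0 255.255.0.0 any eq domain

! Explicit final deny so the drop is visible in the hit counters
! (show access-list) and in the deny syslog messages.
access-list inside_out deny ip any any

! Apply the list to traffic entering the inside interface.
access-group inside_out in interface inside
```

The weakness is the one svindler names: the list trusts the source address. A host that is moved to another segment, or a user who sets a static address from a more privileged range, inherits that range's rights. The controls that make this usable are outside the PIX: fixed addresses or DHCP reservations for the privileged ranges, and switch port or VLAN assignments that keep each group on its own segment. Where that cannot be guaranteed, per-user authentication against a TACACS+ or RADIUS server is the only way to tie permissions to the person rather than the address.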
Thanks very much for the help.

For RADIUS, Windows 2000 has support: Internet Authentication Services. Have any of you used it? Any comments?

For URL content filtering, Websense is very expensive. What about other software, like ELRON's Web Inspector, which is what we have? Do you have any experience using it with any firewall, not limited to the PIX?

Thank you.

Robert100
svindler commented:
For the RADIUS part, there is a document describing how to use IAS in a VPN setup, so my guess is that you will be able to use it.

With regards to ELRON's Web Inspector, I can't see anything in the online documentation that indicates that you will be able to use the URL filter function in the PIX. As I understand it, Web Inspector is placed as a unit between the internet and your users as a sort of bridge that inspects traffic and blocks the traffic when a rule is hit.
I can't see any reason why it wouldn't work as such with a PIX firewall in front of it, though.
lrmoore commented:
You can use Microsoft's Radius in Windows 2000 instead of TACACS+. These detailed instructions are for setting them up to authenticate inbound users, but you can use the same basics for outbound when combined with the AAA instructions provided in my first post above.

http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html
robert100 (Author) commented:
Thanks.

What is the difference between RADIUS and TACACS+? The Cisco document mentions TACACS+ more than RADIUS. Cisco ACS seems to work in this situation; have an idea how expensive it is?

Our major concern here is to monitor and control which internal group can use what type of services, such as FTP, NNTP, etc. Since we are a government agency, this is the policy. Restricting by IP does not seem to work well since clients may move to other subnets (we have 6 subnets), all using DHCP. If Windows 2000 IAS can do the job, we will do that. Currently we have an NT 4.0 domain; can IAS run on a Windows 2000 member server in an NT domain, or is ADS required? We are planning to migrate to Windows 2000 ADS, but it won't happen overnight.

Thanks again

Robert 100
svindler commented:
RADIUS is UDP based, TACACS+ is TCP based. In theory, this can make firewalling a TACACS+ server more secure at the expense of performance.
In Radius, only the password is encrypted on the network. In Tacacs+, all data is encrypted.
Both Radius and Tacacs+ are good at authentication and accounting, but Tacacs+ is better at authorisation, where individual commands can be authorized when logged into Cisco equipment. This does not sound necessary in your setup.
Radius is used much more, and more implementations are available.

A comparison from Cisco: http://www.cisco.com/warp/public/480/10.html

IAS should be able to do the job. ADS is not necessary.