Solved

PIX Initial Setup

Posted on 2002-04-10
Last Modified: 2008-02-07
Hi,

We are going to set up a PIX 515E as our firewall. We have three interfaces, one internal, one DMZ, and one external. Where can I find information for initial setup and configuration?

Also, on our current firewall, Raptor 6.0 on an NT box, we set rules for internal users to use different services, such as Telnet, FTP, etc. Currently, we put those users in an NT group, and the firewall rule allows only this group to use FTP, for example. Can I do a similar thing on PIX?

Another question: we are running content filtering software, Web Inspector from ELRON Software, which basically filters out some sites so that you can't go there. Is there any similar software that can be integrated with the firewall? Can PIX be configured to do a similar thing?

Thanks in advance.

Robert100
Question by:robert100
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 6932588
Initial setup:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/bafwcfg.htm

Yes, you can group users, but you would have to use a TACACS+ server to set up the rules/access:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/mngacl.htm

Yes, PIX integrates with WebSense:
The url-server command designates a server that runs Websense, a URL filtering application. Once you designate the server, enable the URL filtering service with the filter command.

http://www.websense.com

Free eval download...
0
 

Author Comment

by:robert100
ID: 6942590
Thanks for help.

Is there anything we can do to configure similar, if not the same, settings without a TACACS+ server?

Thanks

0
 
LVL 4

Expert Comment

by:svindler
ID: 6951841
You can use a RADIUS server to achieve the same thing. I guess the Microsoft RADIUS server will suffice, but I haven't tested it.
You can avoid using a TACACS+ or RADIUS server and still do the same, if you can place the users in different ip ranges, and then create an access-list that allows different things for each range.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 6957274
Sorry, but there is no way around it with the PIX:
You can use access lists to control traffic based on IP address and protocol, but to control access and use for specific users or groups, you need to use authentication and authorization. Authentication, which is the process of identifying users, is supported by the PIX Firewall for RADIUS and TACACS+ servers. Authorization identifies the specific permissions for a given user.

0
 
LVL 4

Expert Comment

by:svindler
ID: 6959298
I want to explain the last part of my comment a bit.

In the PIX you can base authorisation on either ip addresses or an authentication server like radius or tacacs+.

If a radius or tacacs+ server is not an option, you are stuck on using ip addresses for authorisation.

If you still need authentication, you will have to install a mechanism to use ip addresses for authentication as well.

This can be done by splitting up your network and only allowing users physical access to those parts of the network that have specific access through the PIX or, for individual authentication, you will have to configure fixed IP addresses for users and trust them not to change the addresses themselves.
0
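To make the IP-range approach in the two svindler comments above concrete, here is an added example (not code from the thread or from Cisco) that parses a small constructed access-list written in the PIX 6.x netmask syntax used by the Cisco documents linked earlier, evaluates flows against it with first-match and implicit-deny semantics, and reports which services a host gets. The ACL name, subnets, ports and the external address 198.51.100.10 are invented for the example. It also shows the weakness of the scheme: a host's rights follow its address, so a DHCP move between subnets silently changes what it may do.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample access-list (PIX 6.x-style netmask syntax, assumed here).
# 10.1.1.0/24 gets FTP, 10.1.2.0/24 gets Telnet, all of 10.1.0.0/16 gets HTTP.
ACL_TEXT = """
access-list acl_inside permit tcp 10.1.1.0 255.255.255.0 any eq 21
access-list acl_inside permit tcp 10.1.2.0 255.255.255.0 any eq 23
access-list acl_inside permit tcp 10.1.0.0 255.255.0.0 any eq 80
access-list acl_inside deny ip any any
"""

# Services the thread is concerned with, as (protocol, destination port).
SERVICES = {"ftp": ("tcp", 21), "telnet": ("tcp", 23), "http": ("tcp", 80)}


class Ace(NamedTuple):
    """One access-control entry."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # destination port from "eq N", or None


def _network(tokens: List[str], i: int):
    """Consume 'any' or 'address mask' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts the dotted-netmask form directly ("10.1.1.0/255.255.255.0").
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines into entries."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _network(t, 4)
        dst, i = _network(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, port))
    return aces


def evaluate(aces: List[Ace], src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """First matching entry decides; an unmatched flow hits the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return ace.action == "permit"
    return False


def allowed_services(aces: List[Ace], src_ip: str, dst_ip: str = "198.51.100.10") -> List[str]:
    """Which of SERVICES a host at src_ip may reach: its rights follow its address."""
    return sorted(name for name, (proto, port) in SERVICES.items()
                  if evaluate(aces, src_ip, dst_ip, proto, port))


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # The same user after a DHCP move from 10.1.1.7 to 10.1.2.7 gets a different set of rights.
    for host in ("10.1.1.7", "10.1.2.7", "10.1.3.7"):
        print(host, allowed_services(acl, host))
```

The evaluator is deliberately strict about the two PIX behaviours that cause most surprises: entries are tested in order and the first match wins, and anything that reaches the end of the list is dropped even without the explicit `deny ip any any` line.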
 

Author Comment

by:robert100
ID: 6961344
Thanks very much for the help.

For RADIUS, Windows 2000 has support: Internet Authentication Services. Have any of you used it? Any comments?

For URL content filtering, Websense is very expensive. What about other software, like ELRON's Web Inspector, which is what we have? Do you have any experience using it with any firewall, not limited to PIX?

Thank you.

Robert100
0
 
LVL 4

Expert Comment

by:svindler
ID: 6964111
For the RADIUS part, there is a document describing how to use IAS in a VPN setup, so my guess is that you will be able to use it.

With regards to ELRON's Web Inspector, I can't see anything in the online documentation that indicates that you will be able to use the URL filter function in the PIX. As I understand it, Web Inspector is placed as a unit between the internet and your users as a sort of bridge, which inspects traffic and blocks the traffic when a rule is hit.
I can't see any reason why it wouldn't work as such with a PIX firewall in front of it, though.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 6982432
You can use Microsoft's Radius in Windows 2000 instead of TACACS+. These detailed instructions are for setting them up to authenticate inbound users, but you can use the same basics for outbound when combined with the AAA instructions provided in my first post above.

http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html
0
 

Author Comment

by:robert100
ID: 6987050
Thanks.

What is the difference between RADIUS and TACACS+? The Cisco documentation mentions TACACS+ more than RADIUS. Cisco ACS seems to work in this situation; have you any idea how expensive it is?

Our major concern here is to monitor and control which internal group can use what type of services, such as FTP, NNTP, etc. Since we are a government agency, this is the policy. Restricting by IP seems not to work well since clients may move to other subnets (we have 6 subnets), all using DHCP. If Windows 2000 IAS can do the job, we will do that. Currently we have an NT 4.0 domain; can IAS run on a Windows 2000 member server in an NT domain, or is ADS required? We are planning to migrate to Windows 2000 ADS, but it won't happen overnight.

Thanks again

Robert 100
0
 
LVL 4

Accepted Solution

by: svindler (earned 150 total points)
ID: 6988317
RADIUS is UDP based, TACACS+ is TCP based. In theory, this can make firewalling a TACACS+ server more secure at the expense of performance.
In Radius, only the password is encrypted on the network. In Tacacs+, all data is encrypted.
Both Radius and Tacacs+ are good at authentication and accounting, but Tacacs+ is better at authorisation, where individual commands can be authorized when logged into Cisco equipment. This does not sound necessary in your setup.
Radius is used much more, and more implementations are available.

A comparison from Cisco: http://www.cisco.com/warp/public/480/10.html

IAS should be able to do the job. ADS is not necessary.
0
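The accepted answer's point that RADIUS protects only the password while TACACS+ covers the whole packet body can be seen by building both packets. The following is an added example, not code from the thread, from Cisco or from any AAA product: it implements the User-Password hiding of RFC 2865 section 5.2 and the body obfuscation of RFC 8907 section 4.5 (both are MD5-keystream XOR, not modern authenticated encryption), assembles a minimal Access-Request and a minimal TACACS+ authentication START, and checks what a passive capture between the PIX and the AAA server would show verbatim. The shared key, user name, password, session id and request authenticator are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values for the example; none of them come from the thread.
SECRET = b"example-shared-key"
USERNAME = b"robert100"
PASSWORD = b"s3cret-pw"
SESSION_ID = 0x1A2B3C4D
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real client uses 16 random bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR 16-byte chunks with MD5(secret + previous block). Only this attribute."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          authenticator: bytes, identifier: int = 1) -> bytes:
    """Minimal Access-Request: 4-byte header, authenticator, User-Name(1), User-Password(2)."""
    attrs = bytes([1, len(username) + 2]) + username
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 s4.5: XOR the whole body with an MD5 keystream. Symmetric: call again to undo."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return _xor(body, pad[:len(body)])


def tacacs_authen_start(username: bytes, password: bytes, session_id: int, key: bytes,
                        seq_no: int = 1) -> bytes:
    """Minimal TACACS+ authentication START (PAP): 12-byte header + obfuscated body."""
    port, rem_addr = b"async0", b"10.1.1.7"            # constructed
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1), then lengths
    body = struct.pack("!8B", 1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password))
    body += username + port + rem_addr + password
    version, ptype, flags = 0xC0, 1, 0                   # major 0xC, type AUTHEN, unencrypted flag clear
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)


def visible_on_wire(packet: bytes, needle: bytes) -> bool:
    """What a passive capture between the PIX and the AAA server would reveal verbatim."""
    return needle in packet


if __name__ == "__main__":
    r = radius_access_request(USERNAME, PASSWORD, SECRET, REQUEST_AUTHENTICATOR)
    t = tacacs_authen_start(USERNAME, PASSWORD, SESSION_ID, SECRET)
    for name, pkt in (("RADIUS", r), ("TACACS+", t)):
        print(name, "username visible:", visible_on_wire(pkt, USERNAME),
              "password visible:", visible_on_wire(pkt, PASSWORD))
```

Running it shows the user name (and any other attribute, such as the service being requested) in clear in the RADIUS datagram but not in the TACACS+ segment, which is the practical meaning of "only the password is encrypted" above. Either way the protection rests on a static shared key and MD5, so the link between firewall and AAA server still belongs on a management network that untrusted hosts cannot capture.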
