Best Way to protect our lan

Posted on 2009-04-07
Last Modified: 2013-11-05
Hi experts,
I'm using a 5505 ASA Cisco PIX firewall, and it is well configured, but I'm also using VNC as a remote desktop application, and it uses port 5900 by default to access my computers externally via the internet over the real IPs.
So I've been attacked 3 times on this port so far, so I changed the port, and they attacked the VNC software even though it is protected by a password.

Is there any other way to protect my LAN from external attack (software or hardware), and is there any software or hardware that monitors the traffic on the LAN and the WAN and between them? (I know that we can monitor on the Cisco PIX firewall, but I need a more efficient monitoring tool.)
P.S.: I don't want to use ISA Server as back-end protection.

Thank you.
Question by:LeDaouk

Accepted Solution

cmorffew earned 125 total points
ID: 24088909
I personally wouldn't use VNC for external-to-internal connections.

Why don't you configure a VPN on your PIX, VPN into the network, and then run your VNC to connect to the computers once you have the VPN connection established? This is what I do, and I even use RDP once I have VPN'ed into the network to connect to my servers.

Assisted Solution

ricks_v earned 125 total points
ID: 24103028
Since you are VNCing to an internet address, I believe you only VNC to a single host in the LAN.

cmorffew's idea is the safest option; this way you can also VNC to many hosts behind the LAN once you are connected via a remote-access or LAN-to-LAN VPN.

Another option would be using UltraVNC, but that involves configuring a DC server, as the client does not keep the password in this scenario.

The simplest option would be putting an ACL on the PIX to allow only certain internet addresses to VNC to the client behind the PIX. Use a single source and destination IP, incoming only.
This way no one else apart from you can VNC, thus no more password cracking by hackers, as they can't even connect at all now.


Author Comment

ID: 24105840
Thanks cmorffew and ricks_v for your comments, so nice.
But I'm not interested only in the remote connection; my first target is how to protect my LAN more from attackers. Do I have to use something else besides the PIX firewall, or other monitoring tools, or what do I have to do more to protect it in the most secure and professional way? Is there a new security technology, etc.?
Thanks anyway

Expert Comment

ID: 24106371
You mentioned that the attackers are aiming at your VNC software only, or is there more?
It sounds like your firewall is doing its job if the only thing that is being targeted is VNC.

Your LAN sounds fine. You have basically opened the front door on port 5900 (or whatever port you now have for VNC), so anyone with VNC on the internet will sniff around to find a VNC port and then try to connect.

ricks_v is correct: the best option for you to secure the whole thing will be to only allow specific IP addresses to connect to your VNC port on the PIX. This way all those people trying to hack into your LAN via VNC will be denied because they are not on the approved IP list.

If you open a port on your firewall you have to expect someone to try and come in. It's the same with email: port 25 and other ports, 443, 80, etc., are all open to the internet, but it's the ACL that specifies who can use them. As long as the firewall is stopping them at the perimeter, then it is working and you are protected.

The weakest link on any LAN is the internet-facing device, in your case the 5505 ASA Cisco PIX firewall, which you have said is well configured.

Author Comment

ID: 24113918
OK. Then is there any tool to monitor traffic on the firewall in detail?

Expert Comment

ID: 24124426
You can monitor the router logs using a syslogger (something like Kiwi Syslogger). Or configure something as your SNMP server to receive the SNMP alerts from your firewall, router, switches, anything that can send SNMP info.

This would give you plenty of information on your network.

Expert Comment

ID: 24134403
Agree, run a PC as a syslog server; that way you can always come back and see what connections are being allowed and denied.

The PIX itself has limited memory to hold the logging; I assume 1 day of logging max, depending on how many in/outgoing connections.

Here's a link on how to configure a syslog server on the PIX:
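Once the PIX is sending its logs to a syslog server, the two things the thread recommends checking are easy to automate: which internet addresses are being denied on the VNC port by the ACL (the "sniffing around" described above), and whether any inbound VNC connection was actually built from a source that is not on the approved list. The script below is an added example, not code from this thread or from Cisco; it parses two common ASA/PIX syslog message types (106023, denied by access-group, and 302013, inbound TCP connection built) over a few constructed log lines. The VNC port, the single permitted source address and the scanner threshold are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format an ASA/PIX sends to a syslog server.
# 106023 = packet denied by an access-group, 302013 = inbound TCP connection built.
# All addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:192.168.1.10/5900 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:192.168.1.10/5900 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51236 dst inside:192.168.1.10/5900 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51237 dst inside:192.168.1.10/5900 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/40001 (198.51.100.7/40001) to inside:192.168.1.10/5900 (203.0.113.20/5900)
%ASA-4-106023: Deny tcp src outside:192.0.2.44/33000 dst inside:192.168.1.10/5900 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:192.0.2.99/1234 dst inside:192.168.1.20/161 by access-group "outside_access_in" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
BUILT_RE = re.compile(
    r'%ASA-\d-302013: Built inbound TCP connection \d+ for \w+:(?P<src>[\d.]+)/\d+ '
    r'\([\d.]+/\d+\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)'
)

VNC_PORT = 5900                      # assumption: VNC still on its default port
ALLOWED_SOURCES = {"198.51.100.7"}   # assumption: the one host the ACL should permit


def parse_line(line):
    """Return ('deny' | 'built', src, dst, dport) or None for lines we ignore."""
    m = DENY_RE.search(line)
    if m:
        return ("deny", m["src"], m["dst"], int(m["dport"]))
    m = BUILT_RE.search(line)
    if m:
        return ("built", m["src"], m["dst"], int(m["dport"]))
    return None


def analyse(log_text, vnc_port=VNC_PORT, allowed=ALLOWED_SOURCES, threshold=3):
    """Summarise VNC-port activity: who was denied, who got in, who should not have."""
    denied = Counter()   # denied VNC attempts per source IP
    accepted = set()     # sources whose inbound VNC connection was actually built
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, src, _dst, dport = parsed
        if dport != vnc_port:
            continue            # only interested in the VNC port here
        if action == "deny":
            denied[src] += 1
        else:
            accepted.add(src)
    return {
        "denied_by_source": dict(denied),
        # repeated denies from one source look like the probing described in the thread
        "scanners": sorted(s for s, n in denied.items() if n >= threshold),
        "accepted_sources": sorted(accepted),
        # a built connection from a source outside the allow-list means the ACL is wrong
        "unexpected_accepted": sorted(accepted - set(allowed)),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed input the report shows 203.0.113.5 denied four times (flagged as a scanner), one stray deny from 192.0.2.44, and exactly one built connection, from the permitted host, so `unexpected_accepted` is empty. Running this over a real syslog file from the PIX gives the "who was allowed and who was denied" view the answer above suggests, without relying on the firewall's own limited log buffer.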
