PIX and Router Security Questions
17 years 6 months ago #21607
by semper
James
www.securitygeek.net
Replied by semper on topic Re: PIX and Router Security Questions
The PIX (pre-7.0 code, anyway) only supports access-lists on inbound traffic to an interface. However, if you want to filter what internal hosts can access on the outside, all you do is place an access-list on the inside interface, and that serves the same purpose as ingress/egress filtering.
For example: if I only wanted my internal hosts to be able to access websites on the Internet, I would use the following access-list.
access-list inside-outbound permit udp any any eq 53
access-list inside-outbound permit tcp any any eq www
access-list inside-outbound permit tcp any any eq https
access-group inside-outbound in interface inside
That access-list would allow DNS queries to external DNS servers (you wouldn't need to allow internal clients external DNS access if you have an internal DNS server, though), allow HTTP (port 80) and HTTPS (port 443) traffic to the Internet, and deny everything else from the internal network outbound.
Now, if you had a DMZ interface, VPN tunnel(s) or a large network and you needed certain hosts to have more or less access to external resources, then that access-list would obviously get more complicated.
17 years 6 months ago #21862
by ccnx
Replied by ccnx on topic Re: PIX and Router Security Questions
Thank you guys for all the replies. The actual checking sequence, as I found out from the Cisco website, is described here:
www.cisco.com/en/US/tech/tk648/tk361/tec...186a0080133ddd.shtml
Also, ACL on PIX is uni-directional.
17 years 6 months ago #21877
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: PIX and Router Security Questions
[code:1]Also, ACL on PIX is uni-directional.[/code:1]
Thought it was; it's similar to a router, and you can assign a single access-list in and also a single access-list out at the same time.
17 years 5 months ago #21899
by semper
James
www.securitygeek.net
Replied by semper on topic Re: PIX and Router Security Questions
[code:1]Also, ACL on PIX is uni-directional.[/code:1]
Thought it was; it's similar to a router, and you can assign a single access-list in and also a single access-list out at the same time.
At least on the pre-7.0 code you cannot specify an outbound access-list on an interface, only inbound. However, you can filter outbound traffic by placing ingress access-lists on your inside interface.
For example: if you want your internal network to have only HTTP access, you could do:
access-list inside_out permit tcp any any eq 80
access-group inside_out in interface inside
You can't specify something like "access-group inside_out out" like you can on a router. The PIX won't let you. Basically, each interface can only have a single access-list attached to it, and it can only filter ingress.
If you want to play around with it, I'll set up a test network at my house and give you remote telnet access to a console port on a PIX.
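The behaviour semper describes in #21607 and #21899 (one access-list per interface, bound inbound only on pre-7.0 code, first match wins, implicit deny at the end, so the LAN's outbound traffic is filtered by an ACL applied "in" on the inside interface) as an added Python simulation. This is example code written for this page, not code from the thread and not anything from Cisco; a PIX CLI cannot be exercised offline, so the evaluator parses the four config lines posted above and runs constructed flows through them. The Pix class, the Ace/Flow records, the port-name table, the major_version knob (which rejects "access-group ... out" below 7.0, matching what the thread says) and the sample addresses (RFC 1918 and RFC 5737 ranges) are all assumptions of this example.

```python
"""Simulated PIX access-list evaluation. Added example, not code from the thread.
Models what semper describes: one access-list per interface, applied to traffic
ENTERING it, first match wins, implicit deny at the end, so LAN egress filtering
is an ACL bound "in" on the inside interface. Assumptions: only 'any' | 'host A'
| 'A MASK' addresses, a destination 'eq PORT', and a major_version knob that
rejects 'access-group ... out' below 7.0, as the thread states."""
import ipaddress
from collections import namedtuple
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25}
Ace = namedtuple("Ace", "action proto src dst dport")   # dport None = any port
Flow = namedtuple("Flow", "iface proto src dst dport")  # iface = arrival interface

def _take_addr(toks):  # one PIX address spec -> (IPv4Network, remaining tokens)
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(toks[0] + "/" + toks[1], strict=False), toks[2:]

class Pix:
    def __init__(self, major_version=6):
        self.major = major_version
        self.acls = {}       # name -> [Ace, ...] in configured order
        self.bindings = {}   # (interface, direction) -> ACL name

    def configure(self, config):
        for raw in config.strip().splitlines():
            toks = raw.split()
            if not toks or toks[0] == "!":
                continue
            if toks[0] == "access-list":
                self._add_ace(toks[1:])
            elif toks[0] == "access-group":
                self._bind(toks[1:])
            else:
                raise ValueError("unsupported command: " + raw)

    def _add_ace(self, toks):  # NAME permit|deny PROTO SRC DST [eq PORT]
        name, action, proto = toks[0], toks[1], toks[2]
        src, rest = _take_addr(toks[3:])
        dst, rest = _take_addr(rest)
        dport = None
        if rest and rest[0] == "eq" and len(rest) == 2:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        elif rest:
            raise ValueError("only 'eq PORT' supported: " + " ".join(toks))
        self.acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))

    def _bind(self, toks):  # NAME in|out interface IFACE
        name, direction, iface = toks[0], toks[1], toks[3]
        if toks[2] != "interface" or direction not in ("in", "out"):
            raise ValueError("bad access-group: " + " ".join(toks))
        if direction == "out" and self.major < 7:
            raise ValueError("pre-7.0 PIX: access-group only accepts 'in'")
        self.bindings[(iface, direction)] = name

    def check(self, flow):
        """Verdict for the FIRST packet of a flow: (verdict, matching ACE index).
        The real PIX is stateful: replies to a permitted connection are passed by
        the connection table, not by an ACL on the return interface, which is why
        one ACL on 'inside' is enough for egress control."""
        name = self.bindings.get((flow.iface, "in"))
        if name is None:   # no ACL bound: security-level default (not modelled)
            return ("no-acl", None)
        src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
        for i, ace in enumerate(self.acls[name]):
            if (ace.proto in ("ip", flow.proto) and src in ace.src and dst in ace.dst
                    and ace.dport in (None, flow.dport)):
                return (ace.action, i)   # first match wins
        return ("deny", None)            # implicit deny closes every ACL

THREAD_CONFIG = """
access-list inside-outbound permit udp any any eq 53
access-list inside-outbound permit tcp any any eq www
access-list inside-outbound permit tcp any any eq https
access-group inside-outbound in interface inside
"""  # the ACL posted in the thread, typed in as a constructed config snippet

def demo():  # verdicts for constructed flows (RFC 1918 / RFC 5737 addresses)
    pix = Pix(major_version=6)
    pix.configure(THREAD_CONFIG)
    flows = {"dns": Flow("inside", "udp", "10.1.1.20", "198.51.100.53", 53),
             "http": Flow("inside", "tcp", "10.1.1.20", "198.51.100.80", 80),
             "https": Flow("inside", "tcp", "10.1.1.20", "198.51.100.80", 443),
             "smtp": Flow("inside", "tcp", "10.1.1.20", "198.51.100.25", 25),
             "inbound-www": Flow("outside", "tcp", "203.0.113.9", "10.1.1.20", 80)}
    return {k: pix.check(f)[0] for k, f in flows.items()}

def out_binding_accepted(major_version):  # does this code take 'access-group ... out'?
    pix = Pix(major_version)
    pix.configure(THREAD_CONFIG)
    try:
        pix.configure("access-group inside-outbound out interface outside")
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(demo(), {v: out_binding_accepted(v) for v in (6, 7)})
```

Running it shows the DNS, HTTP and HTTPS flows matching the first, second and third entries, SMTP falling through to the implicit deny, and the packet arriving on the outside interface returning "no-acl" because nothing is bound there; on a real PIX that case is decided by the interface security levels, where lower-to-higher security traffic is denied unless something permits it. The same list bound with "out" raises on a 6.x box and is accepted on 7.x, which is the distinction the thread settles on.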
17 years 5 months ago #21914
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: PIX and Router Security Questions
On version 7 of the code, you can apply an access-list to an interface for both in and out. I always thought that you could also do this in version 6 of the PIX code. I will do some digging on that.