I believe that adding a PIX in front of MSP is a good approach. In my opinion,
MSP is more of an internal access control tool and for blocking certain
undesired internal access to the Internet. PIX will help you to block other
external traffic rather than desired ones.

However, just adding a firewall wouldn't fully secure your internal network. If
your LAN users visit a "wrong" web site that runs malicious code on their
PC, which has happened numerous times before, your PIX firewall is just a sitting
duck and will watch all that damage happen in front of it... (Unless
you happened to know that web site address and blocked access to it
beforehand.)

Kind Regards,

Tony Zhu
WAN/LAN Communication Specialist
Unisys Payment Services Limited (UPSL)
ABN 70 008 408 231
ph:02 92098804
fax: 02 92098809
email: [EMAIL PROTECTED]


-----Original Message-----
From: Keith Townsend [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 11 July 2001 2:06 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX Recommendations !!! [7:11651]


I'm looking at a similar issue.  The question is how do you go about
implementing the PIX without touching 1000 desktops and interrupting
business.  I looked at this from a Border Manager perspective.  Very
similar to Proxy but it's a firewall as well.  I would suggest you continue
to use the Proxy server as the default gate for your internal clients.  Set
up access lists on the PIX to only accept connections from the proxy server
and any clients you are bypassing the Proxy.  This should be pretty seamless
and still secure.

"Raees Ahmed Shaikh" wrote in message
news:[EMAIL PROTECTED]...
> Dear all,
>
> Thanks for all the suggestions and explanations. The main core reason for
> asking for the recommendations was that I was not really sure about the
> critical balance between security and usability. Everybody knows about the
> MS-Proxy and its vulnerabilities and its openness to attacks. We bought the
> PIX just to secure our network from all those unknown vulnerabilities. I
> personally thought the PIX box would be a nice buy, since it is less prone and
> has some built-in functionality to prevent such vulnerabilities. The
> question which I face now is production change without interrupting the
> business, and change of activities to our end-user, meaning to say the
> end-users should not feel that something has changed. Moreover, the
> integration of the PIX with the current NT security model, the URL filtering
> option, and various DNS records modifications made me think to keep the
> proxy in its place and add the PIX as the first line of defense.
>
> Internet-----------Router-----------PIX---------------MSPROXY---------LAN
>
> A simple question which always comes to my mind concerning security is that,
> if the internet users have sessions to our MSproxy server and internal
> network, isn't our internal network still vulnerable to those attacks which
> were there prior to putting in the PIX? We have enabled Winsock apps on the
> proxy, and a lot of apps are being used by our LAN users. Was that PIX worth
> a buy, etc. etc.
>
> Still not sure what the final design will look like. Just putting more time
> and research into it.
>
> Thanks and Regards,
>
> Shaikh Raees
>
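
An added example, not part of the original thread: a small Python audit of a PIX-style inside-interface ACL against the design suggested above, where only the proxy server and approved bypass clients may be permitted as sources. The ACL text, the addresses and the names `SAMPLE_ACL`, `ALLOWED_SOURCES`, `parse_source` and `audit_acl` are constructed for illustration.

```python
import ipaddress

# Constructed sample: PIX-style ACL for the inside interface (addresses are made up).
SAMPLE_ACL = """\
access-list inside_out permit tcp host 10.1.1.10 any eq www
access-list inside_out permit tcp host 10.1.1.10 any eq 443
access-list inside_out permit ip host 10.1.1.50 any
access-list inside_out permit tcp 10.1.2.0 255.255.255.0 any eq 25
access-list inside_out deny ip any any
"""

# Assumed policy: the proxy (10.1.1.10) plus one client approved to bypass it.
ALLOWED_SOURCES = {"10.1.1.10", "10.1.1.50"}


def parse_source(tokens):
    """Return the source network of a rule from the tokens after the protocol."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    # PIX ACLs take a subnet mask (not a wildcard mask) after the address.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")


def audit_acl(acl_text, allowed_sources):
    """List permit rules whose source is wider than the allowed hosts."""
    allowed = {ipaddress.ip_address(a) for a in allowed_sources}
    findings = []
    for line in acl_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "access-list" or fields[2] != "permit":
            continue  # deny rules and unrelated lines cannot widen access
        src = parse_source(fields[4:])
        # A rule is acceptable only if it names exactly one allowed host.
        if src.num_addresses != 1 or src.network_address not in allowed:
            findings.append((line.strip(), str(src)))
    return findings


if __name__ == "__main__":
    for rule, src in audit_acl(SAMPLE_ACL, ALLOWED_SOURCES):
        print(f"too broad: {src:18} <- {rule}")
```

Any permit rule it reports lets hosts other than the proxy or the approved bypass clients reach the outside directly, which is the gap the proxy-only design is meant to close.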