Re: PIX Recommendations !!! [7:11651]

2001-07-11 Thread Allen May

'filter activex' helps a lot with malicious code by blocking it at the PIX.  A
good antivirus helps too as long as it's kept updated on all machines.

Allen

- Original Message -
From: "Tony Zhu" 
To: 
Sent: Wednesday, July 11, 2001 12:05 AM
Subject: RE: PIX Recommendations !!! [7:11651]


> I believe that adding a PIX in front of MSP is a good approach. In my
> opinion MSP is more of an internal access control tool and for blocking
> certain undesired internal access to Internet. PIX will help you to block
> other external traffic rather than desired ones.
>
> However, just adding a firewall wouldn't fully secure your internal
> network. If your LAN users visited a "wrong" web site that runs malicious
> code on their PC, which has happened numerous times before, your PIX
> firewall is just a sitting duck and will watch all that damage happen in
> front of it... (Unless you happened to know that web site address and
> blocked access to it beforehand.)
>
> Kind Regards,
>
> Tony Zhu
> WAN/LAN Communication Specialist
> Unisys Payment Services Limited (UPSL)
> ABN 70 008 408 231
> ph:02 92098804
> fax: 02 92098809
> email: [EMAIL PROTECTED]
>
>
> -Original Message-
> From: Keith Townsend [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 11 July 2001 2:06 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX Recommendations !!! [7:11651]
>
>
> I'm looking at a similar issue.  The question is how do you go about
> implementing the PIX without touching 1000 desktops and interrupting
> business.  I looked at this from a BorderManager perspective.  Very
> similar to Proxy but it's a firewall as well.  I would suggest you continue
> to use the Proxy server as the default gate for your internal clients.  Set
> up access lists on the PIX to only accept connections from the proxy
> server and any clients you are bypassing the Proxy.  This should be pretty
> seamless and still secure.
>
> "Raees Ahmed Shaikh" wrote in message
> news:[EMAIL PROTECTED]...
> > Dear all,
> >
> > Thanks for all the suggestions and explanations. The main core reason
> > for asking for the recommendations was that I was not really sure about
> > the critical balance between security and usability.  Everybody knows
> > about the MS-Proxy and its vulnerabilities and its openness to attacks.
> > We bought the PIX just to secure our network from all those unknown
> > vulnerabilities. I personally thought the PIX box would be a nice buy,
> > since it is less prone and has some built-in functionality to prevent
> > such vulnerabilities.  The question which I face now is production
> > change without interrupting the business, and change of activities to
> > our end-user, meaning to say the end-users should not feel that
> > something has changed.  Moreover, the integration of the PIX with the
> > current NT security model, the URL filtering option, and various DNS
> > records modifications made me think to keep the proxy in its place and
> > add the PIX as the first line of defense.
> >
> > Internet---Router---PIX---MSPROXY-LAN
> >
> > A simple question which always comes to my mind concerning security is
> > that, if the internet users have sessions to our MSproxy server and
> > internal network, isn't our internal network still vulnerable to those
> > attacks which were there prior to putting in the PIX? We have enabled
> > Winsock apps on the proxy, and a lot of apps are being used by our LAN
> > users. Was that PIX worth a buy? etc etc.
> >
> > Still not sure what the final design will look like.  Just putting more
> > time and research into it.
> >
> > Thanks and Regards,
> >
> > Shaikh Raees
> >
> > [GroupStudy.com removed an attachment of type image/jpeg which had a
> > name of Glacier Bkgrd.jpg]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11946&t=11651
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: PIX Recommendations !!! [7:11651]

2001-07-10 Thread Tony Zhu

I believe that adding a PIX in front of MSP is a good approach. In my opinion
MSP is more of an internal access control tool and for blocking certain
undesired internal access to Internet. PIX will help you to block other
external traffic rather than desired ones.

However, just adding a firewall wouldn't fully secure your internal network.
If your LAN users visited a "wrong" web site that runs malicious code on their
PC, which has happened numerous times before, your PIX firewall is just a
sitting duck and will watch all that damage happen in front of it... (Unless
you happened to know that web site address and blocked access to it
beforehand.)

Kind Regards,

Tony Zhu
WAN/LAN Communication Specialist
Unisys Payment Services Limited (UPSL)
ABN 70 008 408 231
ph:02 92098804
fax: 02 92098809
email: [EMAIL PROTECTED]


-Original Message-
From: Keith Townsend [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 11 July 2001 2:06 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX Recommendations !!! [7:11651]


I'm looking at a similar issue.  The question is how do you go about
implementing the PIX without touching 1000 desktops and interrupting
business.  I looked at this from a BorderManager perspective.  Very
similar to Proxy but it's a firewall as well.  I would suggest you continue
to use the Proxy server as the default gate for your internal clients.  Set
up access lists on the PIX to only accept connections from the proxy server
and any clients you are bypassing the Proxy.  This should be pretty seamless
and still secure.

"Raees Ahmed Shaikh" wrote in message
news:[EMAIL PROTECTED]...
> Dear all,
>
> Thanks for all the suggestions and explanations. The main core reason for
> asking for the recommendations was that I was not really sure about the
> critical balance between security and usability.  Everybody knows about the
> MS-Proxy and its vulnerabilities and its openness to attacks. We bought the
> PIX just to secure our network from all those unknown vulnerabilities. I
> personally thought the PIX box would be a nice buy, since it is less prone
> and has some built-in functionality to prevent such vulnerabilities.  The
> question which I face now is production change without interrupting the
> business, and change of activities to our end-user, meaning to say the
> end-users should not feel that something has changed.  Moreover, the
> integration of the PIX with the current NT security model, the URL
> filtering option, and various DNS records modifications made me think to
> keep the proxy in its place and add the PIX as the first line of defense.
>
> Internet---Router---PIX---MSPROXY-LAN
>
> A simple question which always comes to my mind concerning security is
> that, if the internet users have sessions to our MSproxy server and
> internal network, isn't our internal network still vulnerable to those
> attacks which were there prior to putting in the PIX? We have enabled
> Winsock apps on the proxy, and a lot of apps are being used by our LAN
> users. Was that PIX worth a buy? etc etc.
>
> Still not sure what the final design will look like.  Just putting more
> time and research into it.
>
> Thanks and Regards,
>
> Shaikh Raees
>
> [GroupStudy.com removed an attachment of type image/jpeg which had a name
> of Glacier Bkgrd.jpg]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11884&t=11651



Re: PIX Recommendations !!! [7:11651]

2001-07-10 Thread Keith Townsend

I'm looking at a similar issue.  The question is how do you go about
implementing the PIX without touching 1000 desktops and interrupting
business.  I looked at this from a BorderManager perspective.  Very
similar to Proxy but it's a firewall as well.  I would suggest you continue
to use the Proxy server as the default gate for your internal clients.  Set
up access lists on the PIX to only accept connections from the proxy server
and any clients you are bypassing the Proxy.  This should be pretty seamless
and still secure.

"Raees Ahmed Shaikh" wrote in message
news:[EMAIL PROTECTED]...
> Dear all,
>
> Thanks for all the suggestions and explanations. The main core reason for
> asking for the recommendations was that I was not really sure about the
> critical balance between security and usability.  Everybody knows about the
> MS-Proxy and its vulnerabilities and its openness to attacks. We bought the
> PIX just to secure our network from all those unknown vulnerabilities. I
> personally thought the PIX box would be a nice buy, since it is less prone
> and has some built-in functionality to prevent such vulnerabilities.  The
> question which I face now is production change without interrupting the
> business, and change of activities to our end-user, meaning to say the
> end-users should not feel that something has changed.  Moreover, the
> integration of the PIX with the current NT security model, the URL
> filtering option, and various DNS records modifications made me think to
> keep the proxy in its place and add the PIX as the first line of defense.
>
> Internet---Router---PIX---MSPROXY-LAN
>
> A simple question which always comes to my mind concerning security is
> that, if the internet users have sessions to our MSproxy server and
> internal network, isn't our internal network still vulnerable to those
> attacks which were there prior to putting in the PIX? We have enabled
> Winsock apps on the proxy, and a lot of apps are being used by our LAN
> users. Was that PIX worth a buy? etc etc.
>
> Still not sure what the final design will look like.  Just putting more
> time and research into it.
>
> Thanks and Regards,
>
> Shaikh Raees
>
> [GroupStudy.com removed an attachment of type image/jpeg which had a name
> of Glacier Bkgrd.jpg]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11874&t=11651



Re: PIX Recommendations !!! [7:11651]

2001-07-10 Thread Allen May

Don't know if this was answered for you yet or not but here's my 2 cents.
(yeah I'm donating back to the pool since I couldn't collect).

You can leave the proxy in place and protect it with the PIX but you're
leaving a point of failure for web access.  Yes there are always points of
failure but why have 2?  I would enable NAT or PAT on the PIX.  For
filtering and monitoring you might want to look into the Websense product
that the PIX works hand-in-hand with.

Will the default gateway change for users or is it pointed at another device
that can forward the default route towards the PIX?  If it changes you'll
need to release/renew all IP leases after changing the DHCP scope.

Is there a proxy client on each machine or is it just enabled to auto-detect
in the browser?  Proxy client..eww.  Auto-detect...no problem.

And trust me...PIX is much less vulnerable than MSProxy.  I'm no MSProxy
expert so this may be wrong..but I would think it needs quite a few ports
opened to it if behind a firewall.  I have no idea if any of the required
ports are exploitable but I'm sure you could find the list on MS
TechConnect.

Allen

- Original Message -
From: "Raees Ahmed Shaikh" 
To: 
Sent: Tuesday, July 10, 2001 1:07 AM
Subject: PIX Recommendations !!! [7:11651]


> Dear all,
>
> Thanks for all the suggestions and explanations. The main core reason for
> asking for the recommendations was that I was not really sure about the
> critical balance between security and usability.  Everybody knows about the
> MS-Proxy and its vulnerabilities and its openness to attacks. We bought the
> PIX just to secure our network from all those unknown vulnerabilities. I
> personally thought the PIX box would be a nice buy, since it is less prone
> and has some built-in functionality to prevent such vulnerabilities.  The
> question which I face now is production change without interrupting the
> business, and change of activities to our end-user, meaning to say the
> end-users should not feel that something has changed.  Moreover, the
> integration of the PIX with the current NT security model, the URL
> filtering option, and various DNS records modifications made me think to
> keep the proxy in its place and add the PIX as the first line of defense.
>
> Internet---Router---PIX---MSPROXY-LAN
>
> A simple question which always comes to my mind concerning security is
> that, if the internet users have sessions to our MSproxy server and
> internal network, isn't our internal network still vulnerable to those
> attacks which were there prior to putting in the PIX? We have enabled
> Winsock apps on the proxy, and a lot of apps are being used by our LAN
> users. Was that PIX worth a buy? etc etc.
>
> Still not sure what the final design will look like.  Just putting more
> time and research into it.
>
> Thanks and Regards,
>
> Shaikh Raees
>
> [GroupStudy.com removed an attachment of type image/jpeg which had a name
> of Glacier Bkgrd.jpg]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11711&t=11651
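
The measures suggested in this thread (access lists that admit only the proxy and named bypass clients, PAT, 'filter activex', Websense URL filtering), sketched as one PIX configuration fragment. This is an added example, not a configuration posted by any list member; it assumes PIX OS 6.x syntax, and the ACL name, every address and the permitted ports are constructed placeholders.

```cisco
: Constructed example; all addresses below are placeholders (assumptions):
:   10.1.1.10  MS Proxy server (inside)
:   10.1.1.50  one client allowed to bypass the proxy
:   10.1.1.20  Websense server (inside)

: Outbound policy: only the proxy and listed bypass clients may leave.
: The port list is an assumption; Winsock applications relayed by the
: proxy would each need their own permit line for the proxy host.
access-list inside_out permit tcp host 10.1.1.10 any eq www
access-list inside_out permit tcp host 10.1.1.10 any eq 443
access-list inside_out permit udp host 10.1.1.10 any eq domain
access-list inside_out permit tcp host 10.1.1.50 any eq www
access-list inside_out deny ip any any
access-group inside_out in interface inside

: PAT: translate inside sources to the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

: Comment out ActiveX <object> tags in HTTP replies on port 80,
: for any inside host talking to any outside host.
filter activex 80 0 0 0 0

: Hand HTTP URL lookups to the Websense server; 'allow' lets traffic
: through unfiltered if the server stops responding.
url-server (inside) host 10.1.1.20 timeout 5
filter url http 0 0 0 0 allow
```

Because clients keep the proxy as their gateway, no desktop changes are needed for the access list to take effect. 'filter activex' inspects only cleartext HTTP on the listed port, so content fetched over port 443 or other ports passes unfiltered.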



PIX Recommendations !!! [7:11651]

2001-07-09 Thread Raees Ahmed Shaikh

Dear all,

Thanks for all the suggestions and explanations. The main core reason for
asking for the recommendations was that I was not really sure about the
critical balance between security and usability.  Everybody knows about the
MS-Proxy and its vulnerabilities and its openness to attacks. We bought the
PIX just to secure our network from all those unknown vulnerabilities. I
personally thought the PIX box would be a nice buy, since it is less prone and
has some built-in functionality to prevent such vulnerabilities.  The
question which I face now is production change without interrupting the
business, and change of activities to our end-user, meaning to say the
end-users should not feel that something has changed.  Moreover, the
integration of the PIX with the current NT security model, the URL filtering
option, and various DNS records modifications made me think to keep the
proxy in its place and add the PIX as the first line of defense.

Internet---Router---PIX---MSPROXY-LAN

A simple question which always comes to my mind concerning security is that,
if the internet users have sessions to our MSproxy server and internal
network, isn't our internal network still vulnerable to those attacks which
were there prior to putting in the PIX? We have enabled Winsock apps on the
proxy, and a lot of apps are being used by our LAN users. Was that PIX worth
a buy? etc etc.

Still not sure what the final design will look like.  Just putting more time
and research into it.

Thanks and Regards,

Shaikh Raees

[GroupStudy.com removed an attachment of type image/jpeg which had a name of
Glacier Bkgrd.jpg]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11651&t=11651