Newbie question

Jun 25th, 2007

I manage a series of Linux servers and we have had a number of successful DoS attacks recently (SYN flood). The guys I co-locate with do not know enough about the Cisco equipment to configure measures against this.


Therefore they have given me the login to the Cisco PIX506E which is between me and the Internet.


Although I have read up how to configure things at the command line level I would like to use a GUI.


I tried to download management software from the Cisco website but I keep being blocked. Therefore my question is (a) is this software free, i.e. can I download it? (b) how do I get unblocked, (c) or where can I buy it if there is a pricing issue.


Also one other question: my office is on the outside of the firewall. Is it possible (advisable) to enable the web software which I assume is built into the PIX for use from my location? All the documentation in the manuals refers to enabling the web interface towards the "inside". I have other Linux servers on the inside but I cannot get a browser to connect from there without sitting in the server room.


I hope you can help me out


Jonathan Carter

Glimworm IT BV

Amsterdam


JORGE RODRIGUEZ Mon, 06/25/2007 - 06:11

Jonathan,


The PIX 506E should already have PDM (PIX Device Manager) in it; this will be your GUI. There are a few things you need to configure in the PIX to allow HTTP and telnet access.


These are the steps to accomplish this from the inside network:


Follow this link

http://www.cisco.com/en/US/docs/security/pix/pix63/pdm30/installation/guide/pdm30CH4.html



Before loading the PDM via browser you need to configure the PIX to allow HTTP and telnet,


eg.


Have someone console/telnet to the PIX.


http server enable

telnet 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 inside


load browser


https://PIX_Inside_Interface_IP



For accessing the PIX from the outside you have a couple of options:


1- Establish a VPN session to access your network (IPsec, PPTP etc.);

you can then access the PIX through the tunnel.


http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_configuration_example09186a0080094497.shtml




or


2- Implement SSH to access the firewall


Go to this link and pick the SSH explanation.


http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026535


Syntax for SSH in the firewall:


ssh "ip address allowed" "netmask" outside


To set up SSH you will need to make sure the PIX has a hostname and domain name.


Then you need to generate RSA keys on the PIX and save them with the "ca save all" command. Just doing a "wr mem" will not save your RSA keys.


Here you will also need SSH client software on the host PC accessing the PIX.



If you need help with the initial implementation of either option, let us know.



HTH




Jorge
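The two access paths Jorge describes (PDM over HTTPS from the inside, SSH from a single outside address), written out as one PIX 6.3 configuration. This is an added example, not Jorge's or Cisco's text: the hostname, domain, addresses and username are placeholders, and unlike the 0.0.0.0 0.0.0.0 lines above it limits each management service to the hosts that actually need it. The "username"/"aaa authentication ssh console LOCAL" pair is assumed to be available on this software train (it was added to the PIX 6.x line); if the unit runs an older image, SSH logs in as user "pix" with the telnet password set by "passwd".

```cisco
! Added example (not from the thread): PIX 6.3 management access locked
! down to named hosts. Names and addresses are placeholders.
hostname pixfw
domain-name example.com
! An RSA key pair must exist before the PIX listens on SSH. "ca save all"
! writes it to flash; "write memory" on its own does not keep the keys.
ca generate rsa key 1024
ca save all
! PDM is served over HTTPS. Allow it only from the inside management subnet.
http server enable
http 10.0.0.0 255.255.255.0 inside
! SSH from the office's public address only (one /32 on the outside).
! This is the only management service that should face the Internet;
! PIX 6.x will not accept "telnet ... outside" unless the session arrives
! inside an IPsec tunnel, and HTTP should stay on the inside.
ssh 203.0.113.50 255.255.255.255 outside
ssh timeout 15
! Telnet only from the inside admin host, not the whole inside network.
telnet 10.0.0.20 255.255.255.255 inside
telnet timeout 10
! Authenticate SSH against a local account instead of the shared
! "pix"/telnet password (assumed available on this 6.x image).
username admin password Use-A-Strong-One privilege 15
aaa authentication ssh console LOCAL
write memory
```

After "ca save all", "show ca mypubkey rsa" should list the key, and "show ssh sessions" shows who is logged in once the office host connects. If the office IP is dynamic, the VPN route Jorge lists first is the better choice: terminate the tunnel on the PIX and keep the ssh/http statements pointed at inside addresses only.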

jonathanrcarter Mon, 06/25/2007 - 07:03

Thanks - I think I can make a VPN actually so I will try that.


Another question: in my SYN attacks basically the interface connected to the PIX became totally unusable. At the same time, if I SSH'd onto a 2nd interface (eth1) I could log in and perform Linux commands. Although the system was a little slow (i.e. with the top command) it was not completely dead.


What I am thinking is that it was actually the PIX that was overloaded rather than the server. In that case will configuring a limit of 'opening connections' in the PIX help at all ? Alternatively are there other solutions open to me??


Jonathan Carter

Glimworm IT BV

JORGE RODRIGUEZ Mon, 06/25/2007 - 07:53

You need to configure the PIX for an intrusion detection policy; once you get the GUI running you will be able to work with IDS policy and IDS signatures for your interfaces, including SYN attacks.



To see the load of the PIX, issue these commands:


show cpu usage, and show mem


These will give you basic system CPU utilization and installed memory, so you can start getting a baseline of the PIX hardware specs and its usage. I would recommend looking into the 506E product to get acquainted with it.
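Jonathan's follow-up asks whether limiting "opening connections" on the PIX helps, and Jorge points at the IDS policy. Both controls exist in the PIX 6.3 CLI, and this added example (not Jorge's or Cisco's text; addresses and names are placeholders) shows them together for one published web server. The embryonic limit on the static is the connection-limit control: once more than that many half-open connections are pending for the server, the PIX completes the three-way handshake itself (TCP Intercept) and only opens a connection to the inside host for clients that actually finish it. The ip audit lines are the built-in IDS policy PDM exposes, applied from the CLI.

```cisco
! Added example (not from the thread): PIX 6.3 SYN-flood limits for one
! published server. Addresses are placeholders.
!
! static (inside,outside) global local netmask mask max_conns emb_limit
! 1000 = cap on established TCP/UDP connections to this host,
! 200  = half-open (embryonic) limit that turns on TCP Intercept.
! 0 for either value means unlimited, which is the default.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 1000 200
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
! Drop packets whose source address is not routed back out the interface
! they arrived on: a cheap filter for spoofed SYN sources.
ip verify reverse-path interface outside
! Built-in IDS: the "attack" signature class (which includes the
! half-open SYN signature) alarms and drops on the outside interface.
ip audit name syn-watch attack action alarm drop
ip audit interface outside syn-watch
! Ship the alarms to a host you can still reach during the next flood.
logging on
logging timestamp
logging trap warnings
logging host inside 10.0.0.20
write memory
```

During an attack, "show local-host 10.0.0.10" reports the current and embryonic connection counts for the server, "show conn count" gives the firewall-wide total, and "show ip audit count" shows which signatures fired; pair those with Jorge's "show cpu usage" and "show memory". Two caveats a practitioner will want: the embryonic limit protects the server behind the PIX, not the PIX itself, so on a 506E the box's own CPU is still the ceiling (which is consistent with the symptom Jonathan saw, where the host on eth1 stayed reachable while the PIX-facing path died), and a flood that saturates the upstream link cannot be fixed at the firewall at all; that needs rate limiting or blackholing at the provider's router.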