Solved: Is this PIX secure

rm760 · ‎04-06-2010

I was wondering if this configuration is as secure as it can be, or is there anything else that could be done to harden the configuration.

:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ??????????? encrypted
passwd ??????????? encrypted
hostname XYZ.com
domain-name rm760.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
object-group service allowed_ports tcp
port-object range 7770 7782
access-list out2in permit icmp any any echo-reply
access-list out2in permit icmp any any time-exceeded
access-list out2in permit tcp any any object-group allowed_ports
pager lines 24
logging on
logging timestamp
logging console warnings
logging monitor warnings
logging buffered debugging
logging history warnings
logging facility 18
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.128.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action drop
ip audit attack action drop
pdm location 192.168.128.1 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 7782 192.168.128.22 7782 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7779 192.168.128.19 7779 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7778 192.168.128.18 7778 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7776 192.168.128.16 7776 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7775 192.168.128.15 7775 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7774 192.168.128.14 7774 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7773 192.168.128.13 7773 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7772 192.168.128.12 7772 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7770 192.168.128.10 7770 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7780 192.168.128.20 7780 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7781 192.168.128.21 7781 netmask 255.255.255.255 0 0
access-group out2in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 209.81.9.7 source outside
ntp server 204.152.184.72 source outside
snmp-server location garage
snmp-server contact hounds
snmp-server community public
no snmp-server enable traps
floodguard enable
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 60
console timeout 10
dhcpd address 192.168.128.100-192.168.128.125 inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 3600
dhcpd ping_timeout 100
dhcpd enable inside
username XXXXXXXXX password ?????????? encrypted privilege 15
terminal width 80
banner exec UNAUTHORIZED ACCESS WILL BE PROSECUTED
banner login UNAUTHORIZED ACCESS WILL BE PROSECUTED
banner motd UNAUTHORIZED ACCESS WILL BE PROSECUTED
: end

Federico Coto Fajardo · ‎04-06-2010

To get an idea you can do a show access-list to see how many hitcounts you get on each port for each
IP camera.
This will give you a baseline to see the normal behavior of the cameras in terms of connections.

Also, the access-list can have the ''log'' keyword at the end of the line, to generate a log message
everytime that it hits the line. You can then check the logs to see more information.

Federico.

View solution in original post

Federico Coto Fajardo · ‎04-06-2010

Hi,

The configuration seems secure in terms that you're only allowing inbound access on the defined ports.

Now, there are other features not in used like authentication, VPN, maximum allowed connections on the static NAT statements, etc.

But it all depends on your scenario.

Is kind of a very general question difficult to provide an exact answer.

Federico.

rm760 · ‎04-06-2010

Let me rephrase the question. Based upon the config I uploaded and the inbound port requirements. Is there aything that can be done to make this more secure or have I done everything possible with a PIX 501 and version 6.3.5 code?

Federico Coto Fajardo · ‎04-06-2010

Like I've said. The PIX configuration is secured in terms of ACLs.

Now, enabling authentication will add another level of protection.

Setting limits on the amount of connections to the servers add another level of protection.

So, if you want a yes or no answer, I will say yes it is secure.

But again, there are other ways to enhance the security.

Federico.

rm760 · ‎04-06-2010

Federico;

I would appreciate it if you would enlighten me as to how to implement rate limiting into my configuration. Will rate limiting have any adverse effects on the internal clients access to the Internet?

Federico Coto Fajardo · ‎04-06-2010

Taking as an example the first static NAT:

static (inside,outside) tcp interface 7782 192.168.128.22 7782 netmask 255.255.255.255 0 0

There's no limit defined for the connections.

The first 0 could be changed:

<0-65535>    The maximum number of simultaneous tcp connections the local IP
               hosts are to allow, default is 0 which means unlimited
               connections. Idle connections are closed after the time
               specified by the timeout conn command

The second 0 could be changed:

<0-65535> The maximum number of embryonic connections per host

Embyonic connections are connections that have not yet completed the three-way TCP handshake and can be part of an attack.

Federico.

rm760 · ‎04-06-2010

The devices are IP cameras. Based upon this do you or anyone else have any recommendations as to the rate limiting variables to implement? Or a baseline to start testing at?

Federico Coto Fajardo · ‎04-06-2010

To get an idea you can do a show access-list to see how many hitcounts you get on each port for each
IP camera.
This will give you a baseline to see the normal behavior of the cameras in terms of connections.

Also, the access-list can have the ''log'' keyword at the end of the line, to generate a log message
everytime that it hits the line. You can then check the logs to see more information.

Federico.

rm760 · ‎04-06-2010

I added log to the end as you recommended. I wll monitor this for a few days to create a baselne and then make so trial and error changes to see what works.