Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

securing PIX

Hi everybody,

Just to know if there's some basic tasks necessary to secure a PIX (like we can find on the document "securing routers") or all is OK by default ?

Is the option : access via telnet + tacacs enough secure or is there some potential "security holes"?

Thanks in advance


Re: securing PIX

One of my favorite things about a Pix is that it's as secure as it gets with a default config. Everything you do makes it less secure.

As with any system, you can use this equation:

telnet=big security hole

Telnet is in clear-text so it gives away your password and makes MITM attacks so easy.

Instead, you should use ssh or https to manage your firewall. Or even better, don't allow any access to the firewall and connect physically with the console cable. When allowing ssh/https access, allow the access from as few stations as possible.

TACACS+ is a double-edged sword. It can be used for good account policies like complexity, history, min. length, and lockouts. Those are all good things for securing access to the Pix. However, it's also a problem because few people bother to protect their TACACS server. It's not to hard to take advantage of a poorly configured MS machine so that I can add my own account for access to the firewall.

Also, make sure TACACS+ is upgraded to support HTTPS and make sure that only a few stations can access its admin console. Remove the auto-login feature of TACACS+ when accessing locally from the server.

Use layered security. Unless your PATing traffic to the external interface address of the Pix, use an ACL to deny all inbound to the Pixs interface. THe Interent doesn't have a reason to connect to your Pix. If it's terminating VPNS, only allow access to those few ports/protocols as necessary.

Hope this helps....


New Member

Re: securing PIX


Thanks a lot shannon.