One of my favorite things about a Pix is that it's as secure as it gets with a default config. Everything you do makes it less secure.
As with any system, you can use this equation:
telnet = big security hole
Telnet is in clear-text so it gives away your password and makes MITM attacks so easy.
Instead, you should use ssh or https to manage your firewall. Or even better, don't allow any access to the firewall and connect physically with the console cable. When allowing ssh/https access, allow the access from as few stations as possible.
TACACS+ is a double-edged sword. It can be used for good account policies like complexity, history, min. length, and lockouts. Those are all good things for securing access to the Pix. However, it's also a problem because few people bother to protect their TACACS server. It's not too hard to take advantage of a poorly configured MS machine so that I can add my own account for access to the firewall.
Also, make sure TACACS+ is upgraded to support HTTPS and make sure that only a few stations can access its admin console. Remove the auto-login feature of TACACS+ when accessing locally from the server.
Use layered security. Unless you're PATing traffic to the external interface address of the Pix, use an ACL to deny all inbound to the Pix's interface. The Internet doesn't have a reason to connect to your Pix. If it's terminating VPNs, only allow access to those few ports/protocols as necessary.
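The management lockdown and the outside-interface ACL described in the post, written out as a PIX 6.3 configuration fragment. This is an added example, not the poster's own config: the hostname/domain, the ACL name outside_in, the outside address 203.0.113.1 and the single management station 10.1.1.10 are all assumed.

```cisco
! Added example (not from the original post). PIX 6.3 syntax; assumed addresses:
!   outside interface 203.0.113.1, one management station 10.1.1.10 on the inside.

! --- Weak: clear-text telnet allowed from the whole inside network ---
! (the PIX refuses telnet on the outside interface unless it arrives inside IPsec,
!  but any inside host can still sniff the password or MITM the session)
telnet 0.0.0.0 0.0.0.0 inside

! --- Hardened: drop telnet, allow SSH and HTTPS from one station only ---
no telnet 0.0.0.0 0.0.0.0 inside
hostname pix1
domain-name example.net
ca generate rsa key 1024          ! 6.x needs an RSA host key before ssh accepts sessions
ca save all
ssh 10.1.1.10 255.255.255.255 inside
ssh timeout 5
http server enable
http 10.1.1.10 255.255.255.255 inside
! management logins checked against the local user database here; if you point
! these at a TACACS+ server instead, that server needs the same lockdown
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

! --- Layered: the Internet may not talk to the outside address itself,
!     except for what VPN termination needs (IKE, NAT-T, ESP) ---
access-list outside_in permit udp any host 203.0.113.1 eq isakmp
access-list outside_in permit udp any host 203.0.113.1 eq 4500
access-list outside_in permit esp any host 203.0.113.1
! if inbound static PAT maps services onto 203.0.113.1, their permits go above this line
access-list outside_in deny ip any host 203.0.113.1
! ... permits for published hosts behind static NAT would follow here ...
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

Two version caveats: on 6.x, `sysopt connection permit-ipsec` makes IPsec traffic bypass this ACL, so the three VPN permits are only reached when that sysopt is off, but leaving them in documents the intent. On PIX 7.x and ASA, the key is generated with `crypto key generate rsa`, and traffic addressed to the firewall's own interface is no longer subject to the interface ACL at all; there the `ssh`/`http` statements and the VPN configuration itself are what limit to-the-box access.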