Cisco documentation shows the Concentrator sitting on the Internet side going around the Firewall and then connecting directly into the private network.
Is this a sound approach? Of course our security person thinks it should go through two (2) firewalls: one between the Internet and the public interface on the 3000 Concentrator, then one between the private interface and the internal network. Is this just way too much overkill?
I can almost understand the FW between the Internet and the public interface (let it deal with hack attempts), but the internal FW just seems like overkill.
For my network I have a T1 coming into a 3640 router, coming out of the router into a 1548 MicroSwitch, then from the switch I have a connection to the Concentrator and another to a firewall. I feel middle of the road about the direct connection to the Internet, but not overly exposed. I am, however, adding an additional security measure: all users have a token for another level of authentication. Once I have this in place I will be somewhat content, as you should never stop thinking about improving security. You have to temper budget with needs and arrive at a level of protection that your pencil pushers and you feel OK with. I have found that a properly configured router will do a lot to keep out hackers; then the firewall and Concentrator do their part as well. Keep in mind that on the Concentrator users will need to have the group name and password as well as their network password to authenticate.
The switch is just a switch as far as I know, but may have some port blocking abilities like the 3600's. I think the Cisco diagram is fairly sound. The tokens we are using are the Digipass from www.vasco.com. Chose them over RSA because they have a software token that works on the PocketPC. My users have wireless VPN access through Pocket PCs and balk at carrying additional equipment. They now have to remember 2 passwords instead of one, so if the device gets stolen no one can get in. Just like the hardware token, but nothing more to carry around. I just got in Cisco ACS 2.6 and found out that it won't work with W2K Service Pack 2, only Service Pack 1. I just spent all night upgrading our domain from NT 4 to 2000. Version 3 of ACS will support Service Pack 2, though, but it won't be out till November. Good luck and keep it safe!
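As an added illustration of the "properly configured router" point above (this is not configuration from the original thread or from Cisco's documentation): an inbound access list on the Internet-facing serial interface of a router like the 3640 in the layout described, which lets only IPsec (IKE on UDP 500, NAT-T on UDP 4500, and ESP) reach the Concentrator's public interface and sends everything else destined for the inside network through the firewall. The addresses (RFC 5737 documentation space), the interface name, and the use of NAT-T on UDP 4500 are assumptions for the example; drop the UDP 4500 line if your Concentrator software does not use it.

```text
! Hypothetical addressing for this example:
!   203.0.113.10 = Concentrator public interface
!   203.0.113.11 = firewall outside interface
ip access-list extended INTERNET-IN
 remark Only IPsec may reach the Concentrator from the Internet
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq 4500
 permit esp any host 203.0.113.10
 remark Everything for the internal network must pass the firewall
 permit ip any host 203.0.113.11
 remark Drop and log anything else, including probes at the Concentrator's
 remark management and other services
 deny ip any any log
!
interface Serial0/0
 description T1 to Internet (interface name is an assumption)
 ip access-group INTERNET-IN in
```

The access list does not replace the firewall: it only keeps the Concentrator's non-VPN services (management, telnet, HTTP) off the Internet, which is most of what an outer firewall in front of the public interface would add in this topology. What it cannot do is inspect what a VPN user does once the tunnel is up, which is the argument for the second firewall between the private interface and the internal network, or at least for filters on the Concentrator's private side.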
Log in to the FXOS chassis manager.
Point your browser to https://hostname/ and log in with your username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...