Book Excerpt: Cisco Secure Internet Security Solutions - part 4 - Page 4
SNMP Commands
You add SNMP to the PIX because you want to be informed when errors occur. You can
browse the System and Interface groups of MIB-II. All SNMP values within the PIX
Firewall are read-only (RO) and do not support browsing (SNMPget or SNMPwalk) of the
Cisco syslog Management Information Base (MIB). Traps are sent to the SNMP server. In
other words, SNMP can be used to monitor the PIX but not for configuring the PIX. The
syntax for the commands is essentially the same as when working on a Cisco router. The
following lines set the community string, the location, the contact, and the interface and IP
address of the SNMP server. Because you have specified inside on the snmp-server host
command, the PIX knows which interface to send SNMP traps out without the need for a
specific route to this host.
snmp-server community ourbigcompany
snmp-server location Seattle
snmp-server contact Mark Newcomb Andrew Mason
snmp-server host inside 10.1.1.74
logging Commands
The following logging commands allow you to use a syslog server for recording events.
These commands are similar to those used on a Cisco router. The logging on command is
used to specify that logging will occur. The logging host command is what actually starts
the logging process on the host at 10.1.1.50. The logging trap command sets the level of
logging to be recorded, which is all events with a level of 7. Finally, the no logging console
command is used to prevent the log messages from appearing on the console. For this to
work, the PIX must know how to find the host at 10.1.1.50. Ensure that a route to this host
exists.
logging on
logging host 10.1.1.50
logging trap 7
logging facility 20
no logging console
telnet Command
You added three lines to allow access to the PIX Firewall through Telnet in addition to the
console port access. This is a major convenience and a major security risk. There are three
reasons that we consider Telnet access a risk. The first is that Telnet limits access based on
the IP address. It is very easy for a user to change the IP address on a computer, especially
if the user is using an operating system such as Windows 95. This allows the possibility of
a user gaining access where the user should not be able to gain access. The second concern
regarding security is that, as hard as you may try to prevent it, you cannot always be sure
that a user walking away from a desk will lock the terminal. Password-protected
screensavers help minimize the issue, but they cannot completely resolve it. Because the
PIX forms the corporation's major defense from outside intrusion, it is critical that access
is limited as much as possible. The third concern regarding Telnet access is a
misunderstanding on how it should be configured. This third issue is covered in this section,
after examining the commands entered.
telnet 10.1.1.14 255.255.255.255
telnet 10.1.1.19 255.255.255.255
telnet 10.1.1.212 255.255.255.255
In the preceding lines, you specified a subnet mask of 32 bits for each of these IP addresses. Entering 255.255.255.255 is optional, because an IP address without a subnet mask is assumed to have a 32-bit mask associated with that address. The subnet mask used on the telnet command is the mask for those who should have access to the PIX, not the subnet mask for the network. Approximately 50 percent of the PIX Firewalls the authors of this book have examined have been incorrectly configured with the subnet mask of the LAN. In these cases, any user on the LAN can Telnet to the PIX Firewall. If one of these users is able to guess the password, the user can control the PIX. In the configuration section "Dual DMZ with AAA Authentication" later in this chapter, you will see how to use authentication, authorization, and accounting (AAA) services to ensure that unauthorized users cannot Telnet to the PIX Firewall.
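The mask mistake described above is easy to audit mechanically. The following script is an added example, not code from the book: it parses a constructed PIX configuration excerpt, applies the PIX rule that a missing mask means /32, and flags every telnet entry whose mask admits more than a single host.

```python
"""Audit PIX 'telnet' lines for the LAN-mask misconfiguration (added example)."""
import ipaddress
import re

# Constructed sample: two correct single-host entries plus one entry that
# mistakenly carries the LAN's subnet mask, the error the text warns about.
SAMPLE_CONFIG = """\
snmp-server community ourbigcompany
snmp-server host inside 10.1.1.74
logging on
logging host 10.1.1.50
logging trap 7
telnet 10.1.1.14 255.255.255.255
telnet 10.1.1.19
telnet 10.1.1.0 255.255.255.0
telnet timeout 5
"""

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def telnet_entries(config):
    """Return (address, mask) for each 'telnet <addr> [mask]' line.

    A line without a mask gets 255.255.255.255, as the PIX assumes.
    Lines such as 'telnet timeout 5' are skipped."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "telnet" or not DOTTED_QUAD.match(tokens[1]):
            continue
        has_mask = len(tokens) > 2 and DOTTED_QUAD.match(tokens[2])
        mask = tokens[2] if has_mask else "255.255.255.255"
        entries.append((tokens[1], mask))
    return entries


def audit_telnet(config):
    """Return (address, mask, host_count) for every entry wider than one host."""
    findings = []
    for addr, mask in telnet_entries(config):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if net.prefixlen < 32:
            findings.append((addr, mask, net.num_addresses))
    return findings


if __name__ == "__main__":
    for addr, mask, count in audit_telnet(SAMPLE_CONFIG):
        print(f"telnet {addr} {mask}: admits {count} addresses, expected one host")
```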