Book Excerpt: Cisco Secure Internet Security Solutions - part 4 - Page 4

SNMP Commands
You add SNMP to the PIX because you want to be informed when errors occur. You can browse the System and Interface groups of MIB-II. All SNMP values within the PIX Firewall are read-only (RO) and do not support browsing (SNMPget or SNMPwalk) of the Cisco syslog Management Information Base (MIB). Traps are sent to the SNMP server. In other words, SNMP can be used to monitor the PIX but not for configuring the PIX. The syntax for the commands is essentially the same as when working on a Cisco router. The following lines set the community string, the location, the contact, and the interface and IP address of the SNMP server. Because you have specified inside on the snmp-server host command, the PIX knows which interface to send SNMP traps out without the need for a specific route to this host.

 snmp-server community ourbigcompany
 snmp-server location Seattle
 snmp-server contact Mark Newcomb Andrew Mason
 snmp-server host inside 10.1.1.74

logging Commands
The following logging commands allow you to use a syslog server for recording events. These commands are similar to those used on a Cisco router. The logging on command is used to specify that logging will occur. The logging host command is what actually starts the logging process on the host at 10.1.1.50. The logging trap command sets the level of logging to be recorded, which is all events with a level of 7. Finally, the no logging console command is used to prevent the log messages from appearing on the console. For this to work, the PIX must know how to find the host at 10.1.1.50. Ensure that a route to this host exists.

 logging on
 logging host 10.1.1.50
 logging trap 7
 logging facility 20
 no logging console

telnet Command
You added three lines to allow access to the PIX Firewall through Telnet in addition to the console port access. This is a major convenience and a major security risk. There are three reasons that we consider Telnet access a risk. The first is that Telnet limits access based on the IP address. It is very easy for a user to change the IP address on a computer, especially if the user is using an operating system such as Windows 95. This allows the possibility of a user gaining access where the user should not be able to gain access. The second concern regarding security is that, as hard as you may try to prevent it, you cannot always be sure that a user walking away from a desk will lock the terminal. Password-protected screensavers help minimize the issue, but they cannot completely resolve it. Because the PIX forms the corporations major defense from outside intrusion, it is critical that access is limited as much as possible. The third concern regarding Telnet access is a misunderstanding on how it should be configured. This third issue is covered in this section, after examining the commands entered.

 telnet 10.1.1.14 255.255.255.255
 telnet 10.1.1.19 255.255.255.255
 telnet 10.1.1.212 255.255.255.255

In the preceding lines, you specified a subnet mask of 32 bits for each of these IP addresses. Entering 255.255.255.255 is optional, because an IP address without a subnet mask is assumed to have a 32-bit mask associated with that address. The subnet mask used on the telnet command is the mask for those who should have access to the PIX, not the subnet mask for the network. Approximately 50 percent of the PIX Firewalls the authors of this book have examined have been incorrectly configured with the subnet mask of the LAN. In these cases, any user on the LAN can Telnet to the PIX Firewall. If one of these users is able to guess the password, the user can control the PIX. In the configuration section Dual DMZ with AAA Authentication later in this chapter, you will see how to use authentication, authorization, and accounting (AAA) services to ensure that unauthorized users cannot Telnet to the PIX Firewall.