PIX 506E as a router
Posted by Jason Dill on May 1, 2008, 4:39 pm
I've searched and I just have not found a simple answer to this question: Is the PIX safe to use as a router?

Let me explain the small network I have before I'm told "The PIX is not a router."

I have 20 users behind the PIX. Everything is working great. I just need the PIX to block all incoming from the WAN and only allow the outgoing ports I have defined. That's it, nothing else. So is it safe to use it as a simple router? I've followed three guides on locking it down and I feel that it's secure, but I just want someone to tell me "Hey Jason, it sounds like you're okay to use it in the way you have it set up."

Thanks
|
Posted by artie lange on May 1, 2008, 5:11 pm
Depends on what is being handed off to you: an Ethernet connection will work, a T1 line will not.
|
Posted by News Reader on May 1, 2008, 5:21 pm
Jason Dill wrote:

> Hello,
>
> I've searched and I just have not found a simple answer to this question:
>
> Is the PIX safe to use as a router?
>
> Let me explain the small network I have before I'm told "The PIX is not a router"
>
> I have 20 users behind the PIX. Everything is working great. I just need the PIX to block all incoming from the WAN and only allow the outgoing ports I have defined. That's it, nothing else. So is it safe to use it as a simple router? I've followed three guides on locking it down and I feel that it's secure but I just want someone to tell me "Hey Jason, it sounds like you're okay to use it in the way you have it set up"
>
> Thanks

Sounds like you require a firewall more than a router, since you've not indicated any requirement for dynamic routing protocols.

Your primary question was: "is it safe". The PIX is a security device, and it is used by many in this capacity every day. You like it, you're familiar with it, it works, and you've taken some initiative to secure it. As long as you feel it provides enough flexibility for future changes in infrastructure, use it.

The administrator's initiative and competence in securing the device and the network it protects is often more relevant than the choice of device (given reasonable limits, of course).

I'm sure you'll hear other opinions shortly. ;>)

Best Regards,
News Reader
|
Posted by Walter Roberson on May 1, 2008, 5:56 pm
> I've searched and I just have not found a simple answer to this question:
> Is the PIX safe to use as a router?

No.

> Let me explain the small network I have before I'm told "The PIX is not a router"
> I have 20 users behind the PIX. Everything is working great. I just need the PIX to block all incoming from the WAN and only allow the outgoing ports I have defined. That's it, nothing else. So is it safe to use it as a simple router?

No. You cannot configure the PIX as described, except by physically cutting some wires. Configuring it as described would be of little value anyhow, as you *need* the responses coming from the WAN unless all you have is some unicast (e.g., UDP) traffic that never needs even a single packet of response.

What most people find of value is to configure the PIX to allow incoming packets that are responses to outgoing packets (a different situation than blocking all incoming from the WAN). PIX 506Es do -fairly- well in such configurations, but since PIX 7 is not officially supported on PIX 506E models, you are limited to the facilities in PIX 6.5, which is a little weak (from a human point of view) in determining which ICMP packets are really responses to something that was outgoing, vs. unsolicited ICMP packets that you would want to discard. A substantial difficulty in this matter is that several types of ICMP packets are inherently "unsolicited" but of major importance, such as ICMP "network unreachable" packets, which can come from -any- machine along the line. PIX 7 does a bit better in making these determinations (which are not easy to make mechanically).

However, configuring a PIX to use as a router would mean that you want to turn off all intelligence about whether any particular packet was solicited or unsolicited and instead just pass packets through (possibly translating addresses along the way). That's what a router *does*: passes packets from source to destination without context of whether it is the "right" packet for the situation.

A router does not, for example, care what the PORT number was on the outgoing FTP GET request: it just sees that a connection request is coming in for a particular TCP port and IP, and it passes the connection request to the destination, not caring whether the IP address of the incoming request is the "expected" IP address (and there are some legitimate cases where they would differ, which a router handles fine but a PIX needs dangerous pre-configuration to handle).

A PIX is a firewall. A firewall -is- a layer 3 device, in that it joins multiple layer 2 domains, but a PIX does too much filtering that cannot be turned off for it to be considered a "router". For example, if you *want* 1500-byte ICMP Echo packets to get through, then you cannot do it in PIX 6.2 or 6.3: they are hard-coded to block large ICMP packets. A *router* wouldn't care and would just pass the packets through.

So, No, a PIX 506E cannot safely be used as a router. It -can- (relatively) safely be used as a layer 3 firewall. It isn't perfect as a firewall, but it is quite good.
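The distinction drawn above (a router forwards every packet with no context; a firewall admits inbound packets only when they answer something that went out, and has to make a judgement call about ICMP errors such as "unreachable" that any host on the path may legitimately send) can be made concrete with a small model. The following is an added example written for this page; it is not code from the thread, from Cisco, or from any PIX release. It models a stateless forwarder beside a toy stateful filter that (a) permits outbound TCP/UDP only to an allowlisted set of ports, (b) admits inbound TCP/UDP only as the reverse of a tracked outbound flow, and (c) admits an ICMP error only when the original datagram header it quotes matches a tracked flow, which is the approach conntrack-style firewalls take to the "unsolicited but related" problem. All addresses, ports and packets are constructed for the demonstration; no real traffic is touched.

```python
"""Toy stateless forwarder vs. stateful filter (added example, not from the thread).

Packets are plain dicts. The addresses and policy below are constructed for
illustration only; per-flow timeouts and TCP state tracking are not modelled.
"""

# Constructed policy: the only outbound TCP/UDP destination ports the site permits.
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}

# ICMP error types whose payload quotes the datagram that triggered them (RFC 792):
# 3 = destination unreachable, 11 = time exceeded.
ICMP_ERROR_TYPES = {3, 11}
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def flow_key(pkt):
    """5-tuple identifying the flow a packet belongs to, as seen from the inside."""
    return (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))


class StatelessForwarder:
    """A plain router: every packet is forwarded regardless of context."""

    def handle(self, pkt, direction):
        return "forward"


class StatefulFilter:
    """Firewall: outbound packets on allowed ports create state; inbound packets are
    admitted only when they match that state, or are an ICMP error about it."""

    def __init__(self):
        self.table = set()  # keys of outbound flows seen so far

    def handle(self, pkt, direction):
        return self._outbound(pkt) if direction == "out" else self._inbound(pkt)

    def _outbound(self, pkt):
        proto = pkt["proto"]
        if proto in ("tcp", "udp"):
            if pkt["dport"] not in ALLOWED_OUTBOUND_PORTS:
                return "drop"  # not one of the "outgoing ports I have defined"
            self.table.add(flow_key(pkt))
            return "forward"
        if proto == "icmp" and pkt["type"] == ICMP_ECHO_REQUEST:
            self.table.add(("icmp", pkt["src"], pkt["id"], pkt["dst"], None))
            return "forward"
        return "drop"

    def _inbound(self, pkt):
        proto = pkt["proto"]
        if proto in ("tcp", "udp"):
            # Reverse of a tracked outbound flow means this is a response we asked for.
            reverse = (proto, pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
            return "forward" if reverse in self.table else "drop"
        if proto == "icmp":
            if pkt["type"] == ICMP_ECHO_REPLY:
                key = ("icmp", pkt["dst"], pkt["id"], pkt["src"], None)
                return "forward" if key in self.table else "drop"
            if pkt["type"] in ICMP_ERROR_TYPES:
                # The error quotes the original datagram's header. Any router on the
                # path may send it, so match on the quoted inner packet, not the sender.
                inner = pkt.get("inner")
                return "forward" if inner and flow_key(inner) in self.table else "drop"
        return "drop"


# Constructed hosts (documentation ranges) and a constructed packet sequence.
INSIDE, WEB, PATH_ROUTER, SCANNER = "10.0.0.5", "203.0.113.10", "198.51.100.1", "192.0.2.66"

SCENARIO = [
    ("out", {"proto": "tcp", "src": INSIDE, "sport": 40000, "dst": WEB, "dport": 443}),
    ("in", {"proto": "tcp", "src": WEB, "sport": 443, "dst": INSIDE, "dport": 40000}),       # reply
    ("in", {"proto": "tcp", "src": SCANNER, "sport": 5555, "dst": INSIDE, "dport": 22}),      # unsolicited
    ("out", {"proto": "tcp", "src": INSIDE, "sport": 40001, "dst": WEB, "dport": 25}),        # port not allowed
    ("in", {"proto": "icmp", "type": 3, "code": 0, "src": PATH_ROUTER, "dst": INSIDE,         # related error
            "inner": {"proto": "tcp", "src": INSIDE, "sport": 40000, "dst": WEB, "dport": 443}}),
    ("in", {"proto": "icmp", "type": 3, "code": 0, "src": SCANNER, "dst": INSIDE,             # unrelated error
            "inner": {"proto": "tcp", "src": INSIDE, "sport": 1234, "dst": SCANNER, "dport": 80}}),
]


def run(device):
    """Feed the constructed scenario through a device and return its decisions in order."""
    return [device.handle(pkt, direction) for direction, pkt in SCENARIO]


if __name__ == "__main__":
    for name, device in (("router", StatelessForwarder()), ("firewall", StatefulFilter())):
        print(name, run(device))
```

Run it and the forwarder returns "forward" for all six packets, including the unsolicited SYN to port 22 and the ICMP error that quotes a flow the site never opened; the filter forwards the reply, the related unreachable and the allowed outbound connection, and drops the rest. The fifth packet is the interesting one: its sender is a router the site has never talked to, so matching on source address alone would discard a legitimate unreachable, which is exactly the judgement the post says is hard to make mechanically.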
|
Posted by News Reader on May 1, 2008, 7:08 pm
Walter Roberson wrote:

>> I've searched and I just have not found a simple answer to this question:
>>
>> Is the PIX safe to use as a router?
>
> No.
>
>> Let me explain the small network I have before I'm told "The PIX is not a router"
>>
>> I have 20 users behind the PIX. Everything is working great. I just need the PIX to block all incoming from the WAN and only allow the outgoing ports I have defined. That's it, nothing else. So is it safe to use it as a simple router?
>
> No.

Walter: I'm not challenging your facts, just the literal interpretation of his post.

> You cannot configure the PIX as described, except by physically cutting some wires. Configuring it as described would be of little value anyhow, as you *need* the responses coming from the WAN unless all you have is some unicast (e.g., UDP) traffic that never needs even a single packet of response.

Given that such a scenario "would be of little value", isn't it most likely that he meant that he wanted to block "connection initiation" from the WAN, and that his choice of wording didn't meet with your exacting expectations?

> What most people find of value is to configure the PIX to allow incoming packets that are responses to outgoing packets (a different situation than blocking all incoming from the WAN). PIX 506Es do -fairly- well in such configurations, but since PIX 7 is not officially supported on PIX 506E models, you are limited to the facilities in PIX 6.5, which is a little weak (from a human point of view) in determining which ICMP packets are really responses to something that was outgoing, vs. unsolicited ICMP packets that you would want to discard. A substantial difficulty in this matter is that several types of ICMP packets are inherently "unsolicited" but of major importance, such as ICMP "network unreachable" packets, which can come from -any- machine along the line. PIX 7 does a bit better in making these determinations (which are not easy to make mechanically).
>
> However, configuring a PIX to use as a router would mean that you want to turn off all intelligence about whether any particular packet was solicited or unsolicited and instead just pass packets through (possibly translating addresses along the way). That's what a router *does*: passes packets from source to destination without context of whether it is the "right" packet for the situation. A router does not,

He's not mentioned any other device between the users and the WAN. Some would use a router with an integrated firewall. Is it not likely that he is trying to reconcile having been told that a router is what he's supposed to use, and others telling him a PIX is not a router? Perhaps his real question is: if I'm implementing a single device between my users and the WAN, is a PIX suitable? Clearly, he's indicated the desire to control traffic at the edge, which is beyond the core functionality of a router, as you have so eloquently described.

> for example, care what the PORT number was on the outgoing FTP GET request: it just sees that a connection request is coming in for a particular TCP port and IP, and it passes the connection request to the destination, not caring whether the IP address of the incoming request is the "expected" IP address (and there are some legitimate cases where they would differ, which a router handles fine but a PIX needs dangerous pre-configuration to handle).
>
> A PIX is a firewall. A firewall -is- a layer 3 device, in that it joins multiple layer 2 domains, but a PIX does too much filtering that cannot be turned off for it to be considered a "router".
>
> For example, if you *want* 1500-byte ICMP Echo packets to get through, then you cannot do it in PIX 6.2 or 6.3: they are hard-coded to block large ICMP packets. A *router* wouldn't care and would just pass the packets through.
>
> So, No, a PIX 506E cannot safely be used as a router. It -can- (relatively) safely be used as a layer 3 firewall. It isn't perfect as a firewall, but it is quite good.

Best Regards,
News Reader