1. Home
  2. Cisco Systems
  3. Secure network question???

Secure network question???

Hi all. I own a shipping store and we have one computer that we rent computer time on with web access, 2 point-of-sale and 1 accounting system. The franchise co. office has just informed us that they have a new "high security router" programed for thighter security than the simple off the shelf D-Link that they used to provide us with. The new router is a D-Link "advanced security and firewall" programed by a "network security guru." I think I can do a better job with a Cisco system. I got my CCNA 5 years ago and know a little (just enough to pass the old CCNA exam) about cisco routers and switches. I would like to program a 2620 with a 2924 or 2912 to get greater security and provide 3 VLANs for my network. The rental computer is connected via network to our copy machine and I would like to keep them separate from our point-of-sale systems and that all separate from our back room accounting system. The "guru's" won't tell me anything about how they programed the new router, I guess that would hurt there bottom line. I don't have enough to get a PIX so I would like to do what I can in the 2620 and the switch. My question is this, what would be my best plan of attack? I'm thinking about creating a large ACL to block any ports that I won't need, however, I don't yet know what ports that would be. I ship UPS, FedEx, DHL and US Postal and I still have to allow for common access from the rental computer, and know that some of these shipers use some strange ports that there software uses - I'm still trying to find out what those ports are. Oh, plus we are going to on-line credit card processing and will be adding on-line system backups. Would an ACL blocking ports and some known nasty IP ranges be a sufficient enogh way to provide security better than a piece-O-$H1T D-Link and keep a virus or hack-attack on one system from getting to the others? And, if so, does anyone know what ports UPS, FedEx, DHL, US Postal, online credit card processing and common computer rental ports are used so I can allow them in the ACL? Also, if it makes any difference, we are using ISDN-BRI, yes I know I'm almost the last person on earth to use BRI but I can't get anything else in this brand new development, so I have to figure out how to program that also. Thanks in advance for any help you can give me! Chris

Reply to
clubfoot
Loading thread data ...

Securing a network is very complicated business, and using ACL's instead of a firewall is not a very good idea unless you are very well versed in security and have a sound knowledge of reflexive ACL's. A router is not a firewall, and so configuring one to be a firewall is like trying to fit a square peg in a round hole. Yes you can do it, but not the right tool for the job. A PIX is a firewall and so it is can be easily configured to work as one., and consequently a PIX is not a router, so you would not use one to do the function of a router. I would leave the security to the "guru".

Reply to
thrill5

Thank you Scott for your answer. I did a little checking on ebay and found that a PIX 501 is something that I can afford, Sorry, I was thinking back a few years ago when a PIX 515 was in the thousands of dollars range used and never heard of a 501 (limited exposure to some cisco products not installed in my department). I will add it to my 2620 and also get a managed switch (2912,26,24) so I can do the VLAN plan. I just heard of a local store who got the new improved D-Link router/firewall and will try to get him to let me look at the config. and program my store with that same info.. Although, I still have to program it all and I have never touched a PIX before or programed a Cisco router for B-ISDN so you will still hear from me in the next few months. In your reply you talked about ""reflexive" ACL's", I don't remember reading about them, old CCNA exam just concentrated on basic/extended ACL's, is this something I should study up on or is it something that the PIX will take care of for me or do I even need to worry about them? Forgive me for sounding ignorant but, since I left the data/teleco. world a couple of years ago, I seldom get a chance to talk tech. and a lot fades and times have changed quickly - kind of miss it. Kind of makes me think, experience dosen't last long in this industry! Chris

Reply to
clubfoot

"reflexive ACLs" is not a concept used by the PIX 501. The PIX 501 uses "adaptive security" -- which basically means that when it figures out that a particular data path will be needed, it automatically internally temporarily adjusts the ACLs to accomedate the path (there isn't any way to view the adjusted ACLs.)

Reply to
Walter Roberson

Reply to
clubfoot

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.