Testing A Cisco PIX 501

on 11.11.2006 06:02:37 by Network Student

Hi Everyone,

I recently installed a Cisco PIX 501 and would like to test out my
security. How might I go about this? Websites like GRC dot com perhaps?
I am very new at this all and would appreciate the most basic of
suggestions.

ALSO:

In the past I had Zone Alarm Pro installed and often I would get pop
ups asking if I would like to allow a certain connection. For example
my anti virus program would like to check for updated definitions. Now
that I have the Cisco installed and still have Zone Alarm Pro I
continue to get these messages. If I were to uninstall Zone Alarm Pro
would these connections be allowed without my permission? If so that
does not seem too secure. If anyone has an idea where I am coming from
please explain how I can set the Cisco to alert me to attempted
connections by whatever is trying to "phone home".

Thank You Everyone.

PS: To those that have emailed me regarding my various newbie
questions, I think it might be better to answer here in the newsgroup
so that others in the future might benefit from your answer as well.

Re: Testing A Cisco PIX 501

on 11.11.2006 09:19:36 by NETADMIN

The Cisco PIX 501 is not an application firewall; it's a hardware
firewall. It will never give you a popup for any application connecting
from the inside to the outside interface. By default the PIX works like
this:
- All inside is allowed to the outside zone
- All outside is denied to the inside interface.

So you can block/filter the applications/ports running from inside to
outside through an access-list.



CK




Networking Student wrote:
> Hi Everyone,
>
> I recently installed a Cisco PIX 501 and would like to test out my
> security. How might I go about this? Websites like GRC dot com perhaps?
> I am very new at this all and would appreciate the most basic of
> suggestions.
>
> ALSO:
>
> In the past I had Zone Alarm Pro installed and often I would get pop
> ups asking if I would like to allow a certain connection. For example
> my anti virus program would like to check for updated definitions. Now
> that I have the Cisco installed and still have Zone Alarm Pro I
> continue to get these messages. If I were to uninstall Zone Alarm Pro
> would these connections be allowed without my permission? If so that
> does not seem too secure. If anyone has an idea where I am coming from
> please explain how I can set the Cisco to alert me to attempted
> connections by whatever is trying to "phone home".
>
> Thank You Everyone.
>
> PS: To those that have emailed me regarding my various newbie
> questions, I think it might be better to answer here in the newsgroup
> so that others in the future might benefit from your answer as well.

Re: Testing A Cisco PIX 501

on 13.11.2006 05:48:07 by Volker Birk

Boger wrote:
> Hardware firewalls are not hooking to the kernel so
> traffic from inside to outside is gonna be allowed.
> Small example: If you install a key-logger for example
> and it uses let's say 53 DNS port or HTTP 80 port
> with encrypted traffic ..Like the Ghost from Starcraft
> used to say "Never know what hit them!!!"
> It is gonna go out unnoticed.
> Hardware firewalls cannot determine which program
> makes the call outside.

And "Software-Firewalls" cannot either.

Yours,
VB.
--
"Life was simple before World War II. After that, we had systems."
Grace Hopper

Re: Testing A Cisco PIX 501

on 13.11.2006 06:20:33 by Volker Birk

Networking Student wrote:
> I recently installed a Cisco PIX 501 and would like to test out my
> security. How might I go about this?

Define a security concept. Define the threats you want to be secure
from. Implement parts of this concept with your 501. Define a testing
scenario. Optionally write a test bench. Test your implementation.

> Websites like GRC dot com perhaps?

http://www.grcsucks.com

> I am very new at this all and would appreciate the most basic of
> suggestions.

You're welcome.

> In the past I had Zone Alarm Pro installed and often I would get pop
> ups asking if I would like to allow a certain connection. For example
> my anti virus program would like to check for updated definitions. Now
> that I have the Cisco installed and still have Zone Alarm Pro I
> continue to get these messages. If I were to uninstall Zone Alarm Pro
> would these connections be allowed without my permission?

Yes. But this doesn't matter, because "controlling outbound" is a b0rken
concept anyways.

Yours,
VB.
--
"Life was simple before World War II. After that, we had systems."
Grace Hopper
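
An added example, not part of any post in this thread: a small offline test bench for the kind of inside-to-outside access-list NETADMIN mentions, following the "define a concept, write a test bench, test it" steps above. The ACL name `acl_inside`, the addresses (documentation ranges) and the expected flows are constructed assumptions; the parser handles only numeric `eq` ports, and no PIX is contacted.

```python
import ipaddress

# Constructed sample policy in PIX 6.x access-list syntax (not from the thread).
# Applied to traffic entering the inside interface, it replaces "all inside
# is allowed to outside" with an explicit allow-list.
ACL = """
access-list acl_inside permit udp 192.168.1.0 255.255.255.0 host 203.0.113.53 eq 53
access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list acl_inside deny ip any any
"""

def _addr(tok):
    # Consume one address spec: 'any', 'host A' or 'NET MASK'.
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        action, proto, *tok = line.split()[2:]   # drop "access-list <name>"
        src, tok = _addr(tok)
        dst, tok = _addr(tok)
        port = int(tok[1]) if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def decide(rules, proto, src, dst, dport):
    """First matching line wins; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and s in r_src and d in r_dst
                and r_port in (None, dport)):
            return action
    return "deny"

# Test bench: flows the written-down policy says must pass or must be dropped.
EXPECTED = [
    ("tcp", "192.168.1.10", "198.51.100.7", 80, "permit"),   # web, any program
    ("udp", "192.168.1.10", "203.0.113.53", 53, "permit"),   # approved resolver
    ("udp", "192.168.1.10", "198.51.100.7", 53, "deny"),     # DNS elsewhere
    ("tcp", "192.168.1.10", "198.51.100.7", 6667, "deny"),   # unlisted port
    ("tcp", "10.0.0.5", "198.51.100.7", 80, "deny"),         # unknown source
]

def run_bench(rules=None):
    """Return the flows whose decision differs from the expected one."""
    rules = parse(ACL) if rules is None else rules
    return [f for f in EXPECTED if decide(rules, *f[:4]) != f[4]]
```

An empty list from `run_bench()` means the policy matches the written expectations. The first expected flow also shows the limit raised in this thread: the port 80 permit applies to whatever program on the PC sends the traffic.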

Re: Testing A Cisco PIX 501

on 13.11.2006 06:21:30 by Volker Birk

Boger wrote:
> Blue or red and the stack ???
> He wants something simple.....

He didn't say that he wants something dumb.

Yours,
VB.
--
"Life was simple before World War II. After that, we had systems."
Grace Hopper

Re: Testing A Cisco PIX 501

on 13.11.2006 20:15:31 by Network Student

>If you install a key-logger for example
> and it uses let's say 53 DNS port or HTTP 80 port
> with encrypted traffic ..Like the Ghost from Starcraft
> used to say "Never know what hit them!!!"
> It is gonna go out unnoticed.
> Hardware firewalls cannot determine which program
> makes the call outside.

Hmmm.. So how does one protect against keyloggers? From what I
understand it is possible to infect one's PC by going to the wrong
website with the wrong Browser or the wrong combo of Browser, Antivirus
etc - in other words if one manages to pick one up somehow (a
keylogger) how can it be prevented from working?

Is there a solution? Software perhaps like "Ad-Watch SE Professional"
or "Spy Sweeper"?

To the others that participated in this thread: It's all somewhat above
my head right now. I am figuring things out SLOWLY. Imagine you were
trying to swim across a river but you could barely dog paddle and there
was a current...

I do appreciate the input though.

>Define a security concept. Define the threats you want to be secure
>from. Implement parts of this concept with your 501. Define a testing
>scenario. Optionally write a test bench. Test your implementation.

I would like to, for example, be safer from trojans. But trojans
connect from many different ports - where do I start blocking, and how?
I don't suppose that is the way to go about it anyway. But it is an
example of where I am coming from.

What is an example of a security concept? My cable modem is cabled to
my PIX, my PC is also cabled to the PIX and my wireless router is also
cabled to the PIX. I am most concerned about the hardwired PC.

I would most appreciate an answer in the following form:

"This Will Enable The XYZ Feature of the PIX"
1. turn on pc.
2. start hyperterminal.... and go to the PIX command line.
3. take a deep breath.
4. type "enable" without the quotes.
5. .......
6. .......
7. Now your PC is more secure in the following sense.....

To anyone who is amazed at my lack of understanding.. No one is
required to answer my questions.

To anyone that needs tips on rebuilding and maintaining Harley
Davidsons, or how to more safely attempt high speed wheelies and
stoppies feel free to ask :)

Peace

Re: Testing A Cisco PIX 501

on 14.11.2006 01:13:41 by Boger

Volker Birk wrote:

>
> Boger wrote:
>> Hardware firewalls are not hooking to the kernel so
>> traffic from inside to outside is gonna be allowed.
>> Small example: If you install a key-logger for example
>> and it uses let's say 53 DNS port or HTTP 80 port
>> with encrypted traffic ..Like the Ghost from Starcraft
>> used to say "Never know what hit them!!!"
>> It is gonna go out unnoticed.
>> Hardware firewalls cannot determine which program
>> makes the call outside.
>
> And "Software-Firewalls" cannot either.
>
> Yours,
> VB.
Blue or red and the stack ???
He wants something simple.....

Re: Testing A Cisco PIX 501

on 14.11.2006 01:13:41 by Boger

Hardware firewalls are not hooking to the kernel so
traffic from inside to outside is gonna be allowed.
Small example: If you install a key-logger for example
and it uses let's say 53 DNS port or HTTP 80 port
with encrypted traffic ..Like the Ghost from Starcraft
used to say "Never know what hit them!!!"
It is gonna go out unnoticed.
Hardware firewalls cannot determine which program
makes the call outside.

Re: Testing A Cisco PIX 501

on 14.11.2006 06:28:25 by DRyanHawley

Networking Student wrote:
>
> Hmmm.. So how does one protect against keyloggers? From what I
> understand it is possible to infect ones PC by going to the wrong
> website with the wrong Browser or the wrong combo of Browser, Antivirus
> etc - in other words if one manages to pick one up somehow (a
> keylogger) how can it be prevented from working?

Networking Student. The real problem here in my opinion is "Windows
like operating systems", and "windows like applications"... When I run
nmap from my XP at my Solaris box, it returns something like, "i think
there is a computer there and it might be up"... This is key to
understanding why an OS like UNIX/LINUX which has TCP/IP built into the
kernel (or of course a cisco router which has a realtime UNIX-like
kernel (IOS). I don't know this for a "fact" but i have heard (from a
UNIX kernel guru) that a PIX box doesn't run a kernel, it has a firmware
dedicated application whose MAIN job is to read the access list and
match IP's, and subnets to ports...in hardware/firmware.

The point is that an operating system like Windows (where TCP/IP was an
"add on" in 1998) can't compete with a dedicated realtime kernel whose
only job is matching ports with IP's, and subnets... Especially when an
operating system like UNIX/Solaris/LINUX at least can be made to become
a black box (a network brick)...

Not that it always is... but CAN be made into a network brick.

Dr Eugene Schultz said at SANS a few years ago that IE minimized and
just "running" on a Windows like box opens up some large number (I think
it was 40, but don't quote me on the number..) vulnerabilities... So
imagine the gigantic number of holes in the entire mess... remote
administrative ports, wide open by default; programs that are all huge
black boxes of bloatware... I won't go on and on.. but I think you get
the picture...

How can an application firewall running on a Windows box really compare
to Gauntlet or FW-1, where it looks like a GUI, but in fact is locking
down IP's, subnets and ports at the kernel's IP layer compare (yes one
does have to struggle above that layer with application issues...One has
to be aware of what programs are doing... But with OpenSource UNIX/LINUX
one can "go to the source" and look at what the programs are doing, but
one CAN... With Windows most of the source is only available to people
inside the MS Developers groups... and all the other junk is all black
box stuff where normal users or even MS certified folks don't have
access to the source... Yes it can be disassembled, but how many of us
have time to disassemble *everything* in that world? I think this is
why so many people on this list understand that you can't really trust
that "world"...

If you are running strong authentication and strong encryption
applications (like SSH) through a box (be it a PIX, or a UNIX box
hardened down to a network brick, with only minimized services (no NFS,
no NIS, no applications not needed, at least you have a reasonable shot
at having a Bastion Host which can actually stop unwanted traffic). Not
perfect, but not impossible to secure..

Add to this picture a choke and firewall router pair that add
additional layers to the "firewall" picture.

>
> Is there a solution? Software perhaps like "Ad-Watch SE Professional"
> or "Spy Sweeper"?

Better than nothing in my opinion, but running on an open wound of an
OS.... Sorry Bill Gates.. ;-)

> >Define a security concept. Define the threats you want to be secure
> >from. Implement parts of this concept with your 501. Define a testing
> >scenario. Optionally write a test bench. Test your implementation.

> I would like to, for example, be safer from trojans. But trojans
> connect from many different ports - where do I start blocking, and how?
> I don't suppose that is the way to go about it anyway. But it is an
> example of where I am coming from.

You are on the right track, in my opinion.. Keep thinking about IP's,
ports, subnets... Then look into security programs that match IP's to
Ethernet addresses (to identify machines pretending to be other
machines). Start with a network brick and then add applications one by
one, matching them against a vulnerability database, preferably
applications that are OpenSource... where you can at least look at the
code, and others have.

A group like comp.security.firewalls has many more eyes than any one of
us, so if we work together we can identify applications that are
insecure easier if we stay focused on the ball.

>
> What is an example of a security concept? My cable modem is cabled to
> my PIX, my PC is also cabled to the PIX and my wireless router is also
> cabled to the PIX. I am most concerned about the hardwired PC.

> I would most appreciate an answer in the following form:
>
> "This Will Enable The XYZ Feature of the PIX"
> 1. turn on pc.
> 2. start hyperterminal.... and go to the PIX command line.
> 3. take a deep breath.
> 4. type "enable" without the quotes.

Smart network student... move to the head of the class... The Force is
with you Luke... :-)

> Peace

Right On Brother...

Re: Testing A Cisco PIX 501

on 14.11.2006 09:03:22 by Volker Birk

Networking Student wrote:
> So how does one protect against keyloggers?

Don't install keyloggers. Don't use hardware keyloggers. If there are
keyloggers already, there is no way to be sure no one is there.

You can try to find them, of course.

Yours,
VB.
--
"Life was simple before World War II. After that, we had systems."
Grace Hopper