Doubts about firewall Cisco PIX as VPN termination device

Philipp Buehler lists at FIPS.DE
Fri Jan 19 07:27:12 EST 2001

On 19/01/2001, Eric Vyncke <evyncke at CISCO.COM> wrote To VPN at SECURITYFOCUS.COM:
> [Notice my bias by looking at my email address]

> >1 ) Can I use or not firewall Cisco PIX as VPN termination device ? What are
> >the security reasons for not using firewall Cisco PIX as a VPN termination
> >device ?

> - PIX: is a complete firewall with full auditing, inspection and some IDS
As Graeme Rider already mentioned, putting all security enforcement on
one 'box' is not a good thing.
The full impact is a disaster if the PIX is 'owned', for whatever reason.
Rule of thumb: distribute any major enforcement to different machines;
take especial care of the IDS, so that in any case of a break-in you
can, no, must, analyse the attack to prevent it in future.

I know, it's a customer demand to have a 'multi-purpose' box, and the
vendors are giving it to them. But it's not wise from a security point of view.
Security bites - face it. Any customer not believing/accepting this
won't ever be safe against a more or less advanced attack on his
systems and network.

There is always a new 0-day exploit out there which you don't know about
and can't patch. But it's rather rare that there are enough unknown/
unpatched exploits out there to get into a distributed-enforcement 'firewall'
based on different platforms. So you can significantly reduce the amount
of impact.

Of course that's more difficult to set up and maintain than a single box
w/ a nice GUI/web frontend where you click on 'Safe Me'. But such an environment
will only be safe against kids clicking on 'Hack them' :>

Back to VPN-related matters :> As Graeme said, redirect the unencrypted traffic
to the firewall! Otherwise any hacked client or branch office is a perfect
backdoor to the central offices and other branches.

PS: Use the tools you know best and which are most appropriate for the job to be done!
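The point about sending decrypted VPN traffic through the firewall rather than trusting it, shown as an added example that is not part of the original post or of any Cisco configuration. It is a Linux nftables ruleset, so it only illustrates the principle; the interface names (eth0 internet, eth1 LAN, wg0 tunnel), the network ranges and the two destination hosts are assumed placeholders, not values from the thread.

```nft
# Added example (not from the original post): decrypted tunnel traffic is
# subject to the same forward policy as any other traffic, instead of being
# trusted wholesale because it "came through the VPN".
# Assumed interfaces: eth0 = internet, eth1 = internal LAN, wg0 = tunnel.
# Assumed networks: 10.0.0.0/8 = LAN, 10.200.0.0/24 = branch-office tunnel.

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # WEAK (left commented out): anything arriving via the tunnel is
        # accepted. A compromised branch or client then has free run of the LAN.
        # iifname "wg0" accept

        # CORRECTED: decrypted tunnel traffic may reach only the services the
        # branch actually needs; everything else from the tunnel is logged and
        # dropped, exactly like traffic from any other untrusted segment.
        iifname "wg0" oifname "eth1" ip saddr 10.200.0.0/24 ip daddr 10.0.1.10 tcp dport { 443, 445 } accept
        iifname "wg0" oifname "eth1" ip saddr 10.200.0.0/24 ip daddr 10.0.1.53 udp dport 53 accept
        iifname "wg0" log prefix "vpn-forward-drop: " drop

        # LAN clients may go out to the internet.
        iifname "eth1" oifname "eth0" accept
    }
}
```

Load it with `nft -f <file>`. If the VPN terminator is a separate device on its own segment, as the post recommends, the same idea applies to the physical interface facing that segment: the firewall sees the cleartext and decides, and the terminator itself decides nothing.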
