'filter activex' helps a lot with malicious code by blocking it at the PIX.  A
good antivirus helps too as long as it's kept updated on all machines.

Allen

----- Original Message -----
From: "Tony Zhu" 
To: 
Sent: Wednesday, July 11, 2001 12:05 AM
Subject: RE: PIX Recommendations !!! [7:11651]


> I believe that adding a PIX in front of MSP is a good approach. In my opinion
> MSP is more of an internal access control tool and for blocking certain
> undesired internal access to Internet. PIX will help you to block other
> external traffic rather than desired ones.
>
> However, just adding a firewall wouldn't fully secure your internal network.
> If your LAN users visited a "wrong" web site that runs malicious code on
> their PC, which has happened numerous times before, your PIX firewall is just
> a sitting duck and will watch all that damage happen in front of it...
> (Unless you happened to know that web site address and blocked access to it
> beforehand.)
>
> Kind Regards,
>
> Tony Zhu
> WAN/LAN Communication Specialist
> Unisys Payment Services Limited (UPSL)
> ABN 70 008 408 231
> ph:02 92098804
> fax: 02 92098809
> email: [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Keith Townsend [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 11 July 2001 2:06 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX Recommendations !!! [7:11651]
>
>
> I'm looking at a similar issue.  The question is how do you go about
> implementing the PIX without touching 1000 desktops and interrupting
> business.  I looked at this from a BorderManager perspective.  Very
> similar to Proxy but it's a firewall as well.  I would suggest you continue
> to use the Proxy server as the default gate for your internal clients.  Set
> up access lists on the PIX to only accept connections from the proxy server
> and any clients you are bypassing the Proxy.  This should be pretty seamless
> and still secure.
>
> "Raees Ahmed Shaikh" wrote in message news:[EMAIL PROTECTED]...
> > Dear all,
> >
> > Thanks for all the suggestions and explanations. The main core reason for
> > asking for the recommendations was that I was not really sure about the
> > critical balance between security and usability.  Everybody knows about the
> > MS-Proxy and its vulnerabilities and its openness to attacks. We bought the
> > PIX just to secure our network from all those unknown vulnerabilities. I
> > personally thought PIX box would be a nice buy, since it is less prone and
> > has some built-in functionality to prevent such vulnerabilities.  The
> > question which I face now is production change without interrupting the
> > business, and change of activities to our end-user, meaning to say the
> > end-users should not feel that something has changed.  Moreover the
> > integration of the PIX with the current NT security model, the URL filtering
> > option, and various DNS records modifications made me think to keep the
> > proxy in its place and add the PIX as the first line of defense.
> >
> > Internet-----------Router-----------PIX---------------MSPROXY---------LAN
> >
> > A simple question which always comes to my mind concerning security is that,
> > if the internet users have sessions to our MSproxy server and internal
> > network, isn't our internal network still vulnerable to those attacks which
> > were there prior to putting in the PIX? We have enabled Winsock apps on the
> > proxy, and a lot of apps are being used by our LAN users. Was that PIX worth
> > a buy? etc etc.
> >
> > Still not sure what the final design will look like.  Just putting more time
> > and research into it.
> > Thanks and Regards,
> >
> > Shaikh Raees
> >
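
The layout suggested in this thread (clients keep using the proxy, the PIX accepts outbound connections only from the proxy and named bypass clients, and `filter activex` is enabled) can be checked against a saved configuration. The following is an added example, not part of the original messages: a Python audit over a constructed PIX 6.x-style config, where the addresses, the ACL name `inside_out` and the function name `audit_pix_config` are assumptions.

```python
import re

# Constructed sample in PIX 6.x-style syntax; every address here is made up.
SAMPLE_CONFIG = """\
access-list inside_out permit tcp host 10.1.1.10 any eq www
access-list inside_out permit tcp host 10.1.1.10 any eq 443
access-list inside_out permit tcp host 10.1.1.55 any eq 25
access-list inside_out permit ip 10.1.2.0 255.255.255.0 any
access-list inside_out deny ip any any
access-group inside_out in interface inside
filter activex 80 0 0 0 0
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+inside\b")


def audit_pix_config(config, allowed_hosts):
    """Check: only the proxy and named bypass clients may leave; ActiveX filtered."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # Name of the ACL bound inbound on the inside interface, if any.
    bound = next((m.group(1) for ln in lines if (m := GROUP_RE.match(ln))), None)
    if bound is None:
        findings.append("no access-list applied inbound on the inside interface")
    for ln in lines:
        m = ACL_RE.match(ln)
        if not m or m.group(1) != bound:
            continue
        action, proto, rest = m.group(2), m.group(3), m.group(4).split()
        if action == "deny" and proto == "ip" and rest[:2] == ["any", "any"]:
            break  # entries after a catch-all deny never match
        # In policy only when the source is a single approved host.
        approved = len(rest) > 1 and rest[0] == "host" and rest[1] in allowed_hosts
        if action == "permit" and not approved:
            findings.append("permit from non-approved source: " + ln)
    if not any(ln.startswith("filter activex ") for ln in lines):
        findings.append("'filter activex' is not configured")
    return findings


if __name__ == "__main__":
    # 10.1.1.10 plays the proxy, 10.1.1.55 a client bypassing it (assumptions).
    for finding in audit_pix_config(SAMPLE_CONFIG, {"10.1.1.10", "10.1.1.55"}):
        print(finding)
```

On the sample, the only finding is the subnet-wide `permit ip 10.1.2.0 255.255.255.0 any` entry, which would let a whole LAN segment go around the proxy.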




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11946&t=11651