Hi all,

There are a few options on the PIX to limit outbound traffic.  True, they 
are not on by default, and need to be configured.

The 'outbound' command has been present for most versions of the PIX, and 
is used in conjunction with the 'apply outgoing_src' or 'apply 
outgoing_dst'.  It is sort of like IOS access lists, but not really.  PIX 
Outbound lists have a 'best match' policy (the entire list is parsed, and 
the most specific mask is applied).  PIX 5.0 & later are making revisions 
in the way access lists work to make them more & more like standard IOS.

Another way is to do 'AAA' authentication for outbound connections.  This 
will allow your outbound connection controls to be more granular & user 
based, via TACACS+ or RADIUS.

I hope those pointers help.  The PIX Command Reference does have more 
details on these commands, exact syntax & examples.

Thanks,

Lisa Napier
Product Security Incident Response Team
Cisco Systems
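As an added illustration of the 'outbound'/'apply' pair described above (this is not from Lisa's mail or from Cisco documentation; the list ID, interface name and 10.1.1.0/24 subnet are made up, and the exact syntax should be checked against the PIX Command Reference for the version in use), the following denies all outbound TCP/UDP and then carves out web and DNS for one inside subnet. Lines beginning with '!' are annotations, not PIX commands.

```text
! Added example, constructed values: list ID 10, subnet 10.1.1.0/24.
! Start by denying all outbound TCP and UDP from any source.
outbound 10 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 10 deny 0.0.0.0 0.0.0.0 0 udp
! Permit only HTTP, HTTPS and DNS from the one inside subnet.
outbound 10 permit 10.1.1.0 255.255.255.0 80 tcp
outbound 10 permit 10.1.1.0 255.255.255.0 443 tcp
outbound 10 permit 10.1.1.0 255.255.255.0 53 udp
! Bind the list to source addresses leaving via the inside interface.
! An outbound list does nothing until it is applied.
apply (inside) 10 outgoing_src
```

Because the PIX evaluates the whole list and applies the most specific mask, the /24 permits win over the /0 denies for hosts in 10.1.1.0/24 regardless of the order the lines were entered, and every other inside host stays denied; using 'outgoing_dst' instead would match the addresses against the destination rather than the source.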

At 01:45 PM 10/15/1999 -0500, H D Moore wrote:
>I really hope you aren't trying to limit outbound traffic with a PIX
>alone, because the short answer is YOU CAN'T.  I found this out the hard
>way when conducting a security audit on a credit union using only a
>Cisco PIX firewall to protect their inside machines and provide NAT.
>According to the Cisco techie I tracked down, the PIX wasn't designed to
>provide bidirectional access controls, only inbound...
>
>Just my .02...
>
>-HD
>
>http://nlog.ings.com            (like nmap?  try nlog!)
>http://www.secureaustin.com     (it's coming...)
>
>
>
>S Windhausen wrote:
> >
> > Hi Simon, we got our PIX (520) about 4 months ago, and here is my opinion.
> >
> > > We have recently purchased a PIX firewall and are in the process of
> > > configuring it.
> > >
> > > What is the use of the GUI configuration tool?  Is it worth using?
> >
> > The GUI install was easy (no gotchas that I can recall).  I tried using it,
> > but help wasn't that helpful.
> >
> > > How difficult is the command line language to learn with reasonable
> > > experience configuring cisco routers?
> >
> > I come from Security Administration, with no router configuration
> > experience.  It took me a week to sift through the default config and
> > understand how to configure the PIX.  Depending on your requirements,
> > the line command was the easiest and fastest to implement.
> >
> > Make sure you: 1) save your original config (write floppy); 2) fully
> > understand NAT; and 3) have a security policy in place.  Hope this helps.
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
