Velocity Reviews - Computer Hardware Reviews

PIX 501 & 4700 & virus protection?

 
 
John Cadella
      11-21-2004
Hi,
I was able to get our 4700 & Pix 501 properly configured thanks to Walter!

The next task is to protect the 4700 segments from each other in case one
has a PC or laptop connected that has a virus. The scenario is when we
bring in customer PCs for repair, we need internet connectivity, but want to
protect the other segments in the business from potential viruses that might
spread from the Tech dept segment.

Would I use an access list, or maybe a router can't prevent viruses from
spreading among its segments?
John


 
Walter Roberson
      11-21-2004
In article <A8Rnd.26774$(E-Mail Removed)> ,
John Cadella <(E-Mail Removed)> wrote:
:The next task is to protect the 4700 segments from each other in case one
:has a PC or laptop connected that has a virus. The scenario is when we
:bring in customer PCs for repair, we need internet connectivity, but want to
:protect the other segments in the business from potential viruses that might
:spread from the Tech dept segment.

:Would I use an access list, or maybe a router can't prevent viruses from
:spreading among its segments?

You might try an approach such as this:

Set aside specific jacks for connecting customer computers. Put those
jacks into different vlans (from anything else you use; different
than the other customer jacks too so you don't end up spreading
viruses between customer computers.) Set a specific customer IP address
for each vlan.

On the 4700, set up one interface or subinterface (as appropriate)
for each VLAN, and set ACLs on that interface to permit out -only-
the one IP you have assigned for use on that VLAN, and set the ACLs
to permit traffic to -only- the systems and ports that you absolutely
need in order to launch the tools you need to repair and cleanse
the system. Keep in mind, though, that if a system is infected,
then it may be infected in a way that disables virus checkers and
so on from running correctly, so really you should boot from a
special CD (or floppy) that contains thorough checking and repair tools.

You want to set up these ACLs on the 4700 rather than the PIX for
a couple of reasons.

1) The 4700 can handle VLANs [if you have an appropriate software
release] but the PIX 501 has no VLAN support. (The 515/515E, 520, 525,
and 535 all have VLAN support as of 6.3.1, and the 506/506E gained
support for 1 VLAN in 6.3(4)).

2) You don't want the various vlans to have a chance to route to each
other before you get to the filtering device, so you don't want to just
route on the 4700 and send the packets to the PIX: that would allow the
customer computers to talk to each other and to your internal machines
without the PIX getting involved.
--
When your posts are all alone / and a user's on the phone/
there's one place to check -- / Upstream!
When you're in a hurry / and propagation is a worry/
there's a place you can post -- / Upstream!
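The IOS configuration below is an added example of the per-jack lock-down Walter describes; it is not from his post or from any Cisco document. It assumes an IOS release on the 4700 with 802.1Q subinterface support (Walter notes this depends on the software release; on an ISL-only image `encapsulation isl 110` takes the same place), a switch that puts repair-bench jack 1 in VLAN 110 and trunks it to the router's `FastEthernet0`, and the following hypothetical addressing: router 192.168.110.1/29 on VLAN 110, the customer PC set by hand to 192.168.110.2, an internal DNS resolver at 10.10.1.10, a repair-tools file share at 10.10.1.20 (TCP 445), and internal segments all in RFC 1918 space. Walter's "permit out only the one IP" is done with an access list applied inbound on the subinterface, i.e. on packets leaving the VLAN toward the router.

```cisco
! Added example: one customer VLAN on the 4700 with an inbound/outbound ACL pair.
! Interface name, VLAN ID, addresses, server roles and ports are assumptions.
!
! Assumed plan for repair-bench jack 1:
!   VLAN 110, router 192.168.110.1/29, customer PC fixed at 192.168.110.2
!   (no DHCP on this VLAN; the tech sets the address by hand).
! Assumed internal hosts the bench needs:
!   10.10.1.10  internal DNS resolver (UDP 53)
!   10.10.1.20  repair-tools file share (TCP 445)
! Assumed internal address space: RFC 1918 (10/8, 172.16/12, 192.168/16).

! Packets FROM the customer PC into the router (i.e. "out" of the VLAN).
ip access-list extended CUSTOMER-110-IN
 remark 1. the only internal things the one permitted address may reach
 permit udp host 192.168.110.2 host 10.10.1.10 eq 53
 permit tcp host 192.168.110.2 host 10.10.1.20 eq 445
 remark 2. nothing else internal: other segments, other customer VLANs, the router
 deny   ip  host 192.168.110.2 10.0.0.0    0.255.255.255 log
 deny   ip  host 192.168.110.2 172.16.0.0  0.15.255.255  log
 deny   ip  host 192.168.110.2 192.168.0.0 0.0.255.255   log
 remark 3. Internet access for downloads and updates, web only
 permit tcp host 192.168.110.2 any eq 80
 permit tcp host 192.168.110.2 any eq 443
 remark 4. any other source (spoofed, or a second PC on the jack) and all else
 deny   ip  any any log

! Packets TOWARD the customer PC: replies only, nobody may initiate to it.
ip access-list extended CUSTOMER-110-OUT
 permit tcp  any host 192.168.110.2 established
 permit udp  host 10.10.1.10 eq 53 host 192.168.110.2
 permit icmp any host 192.168.110.2 echo-reply
 deny   ip   any any log

interface FastEthernet0.110
 description Repair bench jack 1 - customer VLAN 110
 encapsulation dot1Q 110
 ip address 192.168.110.1 255.255.255.248
 ip access-group CUSTOMER-110-IN in
 ip access-group CUSTOMER-110-OUT out
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no cdp enable
```

Order matters in `CUSTOMER-110-IN`: the three RFC 1918 denies must come before the `permit tcp ... any eq 80/443` lines, otherwise the customer PC could browse to internal web servers. Because the denies also cover 192.168.110.1, the PC cannot even ping its gateway; that is intended, ARP still works and the PC still gets out. Each further jack gets its own VLAN (120, 130, ...), its own /29 and its own ACL pair with the customer address changed; since every VLAN's inbound list denies all RFC 1918 destinations, customer VLANs cannot reach each other, which is Walter's point 2. The `established` keyword only checks TCP flags, not real connection state, so the outbound list is a convenience for return traffic, not a stateful firewall; the direction that matters here (customer PC initiating toward the business) is controlled by the inbound list.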
 
John Smith
      11-21-2004
Above all else, if virus protection is your biggest concern when connecting
_external_ PCs to your network, invest in some commercial quality virus
protection software, especially something server/client based.
Viruses/trojans can spread randomly through any port they are programmed to
spread through (not just via email anymore), so it is impossible to build
ACLs based on _only_ known viruses. Symantec or McAfee should suit your
needs on this... make sure your server antivirus software is updating
_daily_ and that your client antivirus software is configured properly to
pull virus defs from your internal server... even if you only give one PC
access to one PC across vlans, all it takes is one unprotected PC to catch
a virus and spread it to all others in the same vlan...

Tosh
      11-22-2004
> The next task is to protect the 4700 segments from each other in case one
> has a pc or laptop connected that has a virus? The scenario is when we
> bring in customer PCs for repair, we need internet conectivity, but want
> to protect the other segments in the business from potential viruses that
> might spread from the Tech dept segment.
>

You can plug in a "content inspector" like FortiGate; it'll analyze all the
traffic flowing through it against viruses and attacks, this is what they
say about their product.
Bye,
Tosh.


 