«

Hi all. I own a shipping store and we have one computer that we rent
computer time on with web access, 2 point-of-sale and 1 accounting system.
The franchise co. office has just informed us that they have a new "high
security router" programed for thighter security than the simple off the
shelf D-Link that they used to provide us with. The new router is a D-Link
"advanced security and firewall" programed by a "network security guru." I
think I can do a better job with a Cisco system. I got my CCNA 5 years ago
and know a little (just enough to pass the old CCNA exam) about cisco
routers and switches. I would like to program a 2620 with a 2924 or 2912 to
get greater security and provide 3 VLANs for my network. The rental computer
is connected via network to our copy machine and I would like to keep them
separate from our point-of-sale systems and that all separate from our back
room accounting system. The "guru's" won't tell me anything about how they
programed the new router, I guess that would hurt there bottom line. I don't
have enough to get a PIX so I would like to do what I can in the 2620 and
the switch. My question is this, what would be my best plan of attack? I'm
thinking about creating a large ACL to block any ports that I won't need,
however, I don't yet know what ports that would be. I ship UPS, FedEx, DHL
and US Postal and I still have to allow for common access from the rental
computer, and know that some of these shipers use some strange ports that
there software uses - I'm still trying to find out what those ports are. Oh,
plus we are going to on-line credit card processing and will be adding
on-line system backups. Would an ACL blocking ports and some known nasty IP
ranges be a sufficient enogh way to provide security better than a
piece-O-$H1T D-Link and keep a virus or hack-attack on one system from
getting to the others? And, if so, does anyone know what ports UPS, FedEx,
DHL, US Postal, online credit card processing and common computer rental
ports are used so I can allow them in the ACL? Also, if it makes any
difference, we are using ISDN-BRI, yes I know I'm almost the last person on
earth to use BRI but I can't get anything else in this brand new
development, so I have to figure out how to program that also.
Thanks in advance for any help you can give me!
Chris

Securing a network is very complicated business, and using ACL's instead of
a firewall is not a very good idea unless you are very well versed in
security and have a sound knowledge of reflexive ACL's. A router is not a
firewall, and so configuring one to be a firewall is like trying to fit a
square peg in a round hole. Yes you can do it, but not the right tool for
the job. A PIX is a firewall and so it is can be easily configured to work
as one., and consequently a PIX is not a router, so you would not use one to
do the function of a router. I would leave the security to the "guru".

Scott
"clubfoot" <> wrote in message
news:4438b94b$...
> Hi all. I own a shipping store and we have one computer that we rent
> computer time on with web access, 2 point-of-sale and 1 accounting system.
> The franchise co. office has just informed us that they have a new "high
> security router" programed for thighter security than the simple off the
> shelf D-Link that they used to provide us with. The new router is a D-Link
> "advanced security and firewall" programed by a "network security guru." I
> think I can do a better job with a Cisco system. I got my CCNA 5 years ago
> and know a little (just enough to pass the old CCNA exam) about cisco
> routers and switches. I would like to program a 2620 with a 2924 or 2912
> to get greater security and provide 3 VLANs for my network. The rental
> computer is connected via network to our copy machine and I would like to
> keep them separate from our point-of-sale systems and that all separate
> from our back room accounting system. The "guru's" won't tell me anything
> about how they programed the new router, I guess that would hurt there
> bottom line. I don't have enough to get a PIX so I would like to do what I
> can in the 2620 and the switch. My question is this, what would be my best
> plan of attack? I'm thinking about creating a large ACL to block any ports
> that I won't need, however, I don't yet know what ports that would be. I
> ship UPS, FedEx, DHL and US Postal and I still have to allow for common
> access from the rental computer, and know that some of these shipers use
> some strange ports that there software uses - I'm still trying to find out
> what those ports are. Oh, plus we are going to on-line credit card
> processing and will be adding on-line system backups. Would an ACL
> blocking ports and some known nasty IP ranges be a sufficient enogh way to
> provide security better than a piece-O-$H1T D-Link and keep a virus or
> hack-attack on one system from getting to the others? And, if so, does
> anyone know what ports UPS, FedEx, DHL, US Postal, online credit card
> processing and common computer rental ports are used so I can allow them
> in the ACL? Also, if it makes any difference, we are using ISDN-BRI, yes I
> know I'm almost the last person on earth to use BRI but I can't get
> anything else in this brand new development, so I have to figure out how
> to program that also.
> Thanks in advance for any help you can give me!
> Chris
>

Thank you Scott for your answer. I did a little checking on ebay and found
that a PIX 501 is something that I can afford, Sorry, I was thinking back a
few years ago when a PIX 515 was in the thousands of dollars range used and
never heard of a 501 (limited exposure to some cisco products not installed
in my department). I will add it to my 2620 and also get a managed switch
(2912,26,24) so I can do the VLAN plan. I just heard of a local store who
got the new improved D-Link router/firewall and will try to get him to let
me look at the config. and program my store with that same info.. Although,
I still have to program it all and I have never touched a PIX before or
programed a Cisco router for B-ISDN so you will still hear from me in the
next few months. In your reply you talked about ""reflexive" ACL's", I don't
remember reading about them, old CCNA exam just concentrated on
basic/extended ACL's, is this something I should study up on or is it
something that the PIX will take care of for me or do I even need to worry
about them? Forgive me for sounding ignorant but, since I left the
data/teleco. world a couple of years ago, I seldom get a chance to talk
tech. and a lot fades and times have changed quickly - kind of miss it.
Kind of makes me think, experience dosen't last long in this industry!
Chris

"thrill5" <> wrote in message
news5idnTiGhYUlKKTZRVn-...
> Securing a network is very complicated business, and using ACL's instead
> of a firewall is not a very good idea unless you are very well versed in
> security and have a sound knowledge of reflexive ACL's. A router is not a
> firewall, and so configuring one to be a firewall is like trying to fit a
> square peg in a round hole. Yes you can do it, but not the right tool for
> the job. A PIX is a firewall and so it is can be easily configured to
> work as one., and consequently a PIX is not a router, so you would not use
> one to do the function of a router. I would leave the security to the
> "guru".
>
> Scott
> "clubfoot" <> wrote in message
> news:4438b94b$...
>> Hi all. I own a shipping store and we have one computer that we rent
>> computer time on with web access, 2 point-of-sale and 1 accounting
>> system. The franchise co. office has just informed us that they have a
>> new "high security router" programed for thighter security than the
>> simple off the shelf D-Link that they used to provide us with. The new
>> router is a D-Link "advanced security and firewall" programed by a
>> "network security guru." I think I can do a better job with a Cisco
>> system. I got my CCNA 5 years ago and know a little (just enough to pass
>> the old CCNA exam) about cisco routers and switches. I would like to
>> program a 2620 with a 2924 or 2912 to get greater security and provide 3
>> VLANs for my network. The rental computer is connected via network to our
>> copy machine and I would like to keep them separate from our
>> point-of-sale systems and that all separate from our back room accounting
>> system. The "guru's" won't tell me anything about how they programed the
>> new router, I guess that would hurt there bottom line. I don't have
>> enough to get a PIX so I would like to do what I can in the 2620 and the
>> switch. My question is this, what would be my best plan of attack? I'm
>> thinking about creating a large ACL to block any ports that I won't need,
>> however, I don't yet know what ports that would be. I ship UPS, FedEx,
>> DHL and US Postal and I still have to allow for common access from the
>> rental computer, and know that some of these shipers use some strange
>> ports that there software uses - I'm still trying to find out what those
>> ports are. Oh, plus we are going to on-line credit card processing and
>> will be adding on-line system backups. Would an ACL blocking ports and
>> some known nasty IP ranges be a sufficient enogh way to provide security
>> better than a piece-O-$H1T D-Link and keep a virus or hack-attack on one
>> system from getting to the others? And, if so, does anyone know what
>> ports UPS, FedEx, DHL, US Postal, online credit card processing and
>> common computer rental ports are used so I can allow them in the ACL?
>> Also, if it makes any difference, we are using ISDN-BRI, yes I know I'm
>> almost the last person on earth to use BRI but I can't get anything else
>> in this brand new development, so I have to figure out how to program
>> that also.
>> Thanks in advance for any help you can give me!
>> Chris
>>
>
>

In article <443cb57a$>,
clubfoot <> wrote:
>In your reply you talked about ""reflexive" ACL's", I don't
>remember reading about them, old CCNA exam just concentrated on
>basic/extended ACL's, is this something I should study up on or is it
>something that the PIX will take care of for me or do I even need to worry
>about them?

"reflexive ACLs" is not a concept used by the PIX 501. The PIX 501
uses "adaptive security" -- which basically means that when it
figures out that a particular data path will be needed, it automatically
internally temporarily adjusts the ACLs to accomedate the path
(there isn't any way to view the adjusted ACLs.)

So, anotherwords I can't see what path was used, say when UPS WorldShip
updates in May. I simply have to trust that it will work OK? I guess this
would be fine if the PIX temporarily adjusts the ACL's to accomedate paths
initiated from software on my systems, unless it was a trojan horse or
something like that. Forgive me if I'm starting to sound like someone who
fits in the catagory of "a little knowledge can be dangerous" but I'm trying
to figure out if I could secure my network myself or if I should call a guy
I know that maintains the network for a rather large school dist. and pay
him to set me up.
"Walter Roberson" <> wrote in message
news:gub%f.6265$WI1.3969@pd7tw2no...
> In article <443cb57a$>,
> clubfoot <> wrote:
>>In your reply you talked about ""reflexive" ACL's", I don't
>>remember reading about them, old CCNA exam just concentrated on
>>basic/extended ACL's, is this something I should study up on or is it
>>something that the PIX will take care of for me or do I even need to worry
>>about them?
>
> "reflexive ACLs" is not a concept used by the PIX 501. The PIX 501
> uses "adaptive security" -- which basically means that when it
> figures out that a particular data path will be needed, it automatically
> internally temporarily adjusts the ACLs to accomedate the path
> (there isn't any way to view the adjusted ACLs.)