Isolating a network with Pix

Discussion in 'Cisco' started by david, Jan 13, 2005.

  1. david

    david Guest

I have a client whose neighbor has a T1 connection into a Pix firewall.
Model number escapes me atm. Their concern with sharing the connection
with my client is security. They are concerned that my client will be
able to see their network.

My client has 5 workstations and is an NFP org. They need access to the
internet for whatever reason.

    Here was my solution.

Drop a SOHO router between the Pix and T1 connection.
I've never configured Pix but, speaking from a router point of view,
isolate the network using ACLs so no broadcast from my client network can
pass.

    This would prevent my client from ever realizing there is a network
    there. correct?

    Will this work?

Also, if I need to buy a better router than a Linksys SOHO or any type
like that, please recommend.


    Thanks

    Dave
    david, Jan 13, 2005
    #1

  2. In article <JNoFd.9553$6b.7026@trndny07>, david <> wrote:
:I have a client whose neighbor has a T1 connection into a Pix firewall.
:Model number escapes me atm. Their concern with sharing the connection
:with my client is security. They are concerned that my client will be
:able to see their network.

:My client has 5 workstations and is an NFP org. They need access to the
    :internet for whatever reason.

    :Here was my solution.

    :drop a SOHO router between the Pix and T1 connection.

    You could make that one of the Cisco SOHO 90 line, but watch
    out for potential limits on the number of hosts -- those devices
    don't necessarily have large ARP caches. The Cisco 831 is also
    certainly plausible. But for either the SOHO 9x or 831, I would
    want to know what PIX model the neighbour has now so as to get
    an idea of whether the SOHO 9x or 831 would end up being the
    bottleneck. Even an entry level PIX (the PIX 501) is faster
    than the SOHO 9x or 83x for everything (except DES or 3DES -- maximum
    3DES rate on the 83x is slightly higher than on the PIX 501
    because the 83x uses hardware DES/3DES acceleration.)


    :I've never configured Pix but speaking from a router point of view,
    :Isolate the network using ACL so no broadcast from my client network can
    :pass.

    Keep in mind that if you interpose a router between the
    existing T1 router and the PIX, that you are going to have
    to change the IP address of either the inside of the
    existing router or of the outside of the PIX. Routers
    (and PIXes) need interfaces to be in different subnets.
    The easiest approach might be to use an RFC1918 /30 between
    the existing WAN router and the proposed new router,
    provided that you take care of the RFC requirements not
    to allow IPs with private addresses out onto the net
    (think of icmp echo-reply, icmp ttl-exceeded, icmp frag-needed).


    You could try working at Layer 2, putting in a switch that
    could do MAC level filtering, blocking out frames with
    a broadcast or multicast MAC address. But then you might
    have trouble getting your clients to be able to ARP the
    WAN router.

    The Cisco 2950 series allows you to put layer 3 filters
    in even though it doesn't do routing.

    Does the neighbour perchance have a spare IP address in
    their allocated external range? If so, then here's a hack
    that will work:

Take a PIX 501, plug the line from the WAN router into
its *inside* interface, and plug a line to the neighbour's
PIX into a different port on the *inside* interface.
The PIX 501 has a 4 port switch as its inside interface
    so this will not require any IP address changes to the router
    or the existing PIX. Connect the outside interface of the PIX 501
    to your client's switch.

    Now, configure the PIX to do "reverse NAT", so that IP
    addresses that come in from the outside interface
    (your client) have their source IP mapped into the borrowed IP in
the public range. You can put on whatever ACLs you want to
block your client from going to the other IPs of the
    neighbour, but you would remind the neighbour that with this
    setup, your client would be connected to the -outside- of the
    neighbour's PIX, and so your client would not be able to reach
    anything that the neighbour did not permit them to reach. But put
    in ACLs anyhow in order to protect your client from the outside world.

    The PIX 501 can handle 60 megabits per second of cleartext,
    which is more than fast enough for a T1.. and besides, the
    neighbour would have their connection switched to the router,
    so the speed that the 501 could process ACLs and packet
    inspection wouldn't matter to the neighbour.

The entry level PIX 501 has a limit of 10 "users". In practice that's a
limit on the number of different source IPs that can be translated
simultaneously. The WAN router shouldn't count for
anything (because it isn't likely to send you traffic on its -own-
IP). That would leave 10 sites that your internal users could be
visiting simultaneously. (Keep in mind, though, that it isn't uncommon
for a web site to serve up native content from two different locations,
    plus to serve up an advertisement from a different location, and
    possibly to serve up "webbugs" or tracking cookies from a 4th location.
    Add at least one for DNS as well.) If this limit proved to be a problem
    then there is a 50 "user" license upgrade for the 501, and an
    unlimited license as well.

    Usually it is a much better buy to go for a PIX 506E (faster plus no
    license limit) than the 50 user license on a PIX 501, but the 506E does
    not have the 4 port switch, so unless the neighbour already happened
    to have a switch there, you would have to add in a switch. Nearly
    any switch should serve, since the maximum rate would
be T1 speed in each direction. The 506E is a noticeably higher
    cost than the 501.


    Now that I think of it, you can go for a much less expensive
    option than a PIX 501. Get an inexpensive switch and get a
    broadband firewall (e.g., Linksys BEFW11S4), borrow a public
    IP from the neighbour, and arrange in much the same topology as
    above except with the firewall "right way around". Having the
    501 flipped around from its usual configuration was just in order
    to allow the 4 port built in switch to be on the outside, but if
    you put an external switch there then that isn't an issue.
    Instead of the Linksys broadband firewall you might want to consider
the equivalent model of D-Link, available with a built-in 8 port switch
    to plug your client's 5 users into [this is not the same switch
    as the one that would have to go outside.] Anyhow, with this
    configuration you would have the same advantage as before: your
    client's data would show up on the -outside- of the neighbour's
    PIX so the neighbour can do whatever filtering they want of it.

The firewall you would get for your client would depend upon the
    security assessment survey you did for the company: if they don't
    have much to protect, then a SOHO firewall might be fine; if they
    are dealing with more sensitive issues or higher dollar amounts
    then you'd have the usual concerns about using a firewall with
    an established history and which has been officially certified.

    --
    History is a pile of debris -- Laurie Anderson
    Walter Roberson, Jan 13, 2005
    #2

  3. david

    david Guest

    Walter Roberson wrote:
    > In article <JNoFd.9553$6b.7026@trndny07>, david <> wrote:
> :I have a client whose neighbor has a T1 connection into a Pix firewall.
> :Model number escapes me atm. Their concern with sharing the connection
> :with my client is security. They are concerned that my client will be
> :able to see their network.
    >
> :My client has 5 workstations and is an NFP org. They need access to the
    > :internet for whatever reason.
    >
    > :Here was my solution.
    >
    > :drop a SOHO router between the Pix and T1 connection.
    >
    > You could make that one of the Cisco SOHO 90 line, but watch
    > out for potential limits on the number of hosts -- those devices
    > don't necessarily have large ARP caches. The Cisco 831 is also
    > certainly plausible. But for either the SOHO 9x or 831, I would
    > want to know what PIX model the neighbour has now so as to get
    > an idea of whether the SOHO 9x or 831 would end up being the
    > bottleneck. Even an entry level PIX (the PIX 501) is faster
    > than the SOHO 9x or 83x for everything (except DES or 3DES -- maximum
    > 3DES rate on the 83x is slightly higher than on the PIX 501
    > because the 83x uses hardware DES/3DES acceleration.)
    >
    >
    > :I've never configured Pix but speaking from a router point of view,
    > :Isolate the network using ACL so no broadcast from my client network can
    > :pass.
    >
    > Keep in mind that if you interpose a router between the
    > existing T1 router and the PIX, that you are going to have
    > to change the IP address of either the inside of the
    > existing router or of the outside of the PIX. Routers
    > (and PIXes) need interfaces to be in different subnets.
    > The easiest approach might be to use an RFC1918 /30 between
    > the existing WAN router and the proposed new router,
    > provided that you take care of the RFC requirements not
    > to allow IPs with private addresses out onto the net
    > (think of icmp echo-reply, icmp ttl-exceeded, icmp frag-needed).
    >
    >
    > You could try working at Layer 2, putting in a switch that
    > could do MAC level filtering, blocking out frames with
    > a broadcast or multicast MAC address. But then you might
    > have trouble getting your clients to be able to ARP the
    > WAN router.
    >
    > The Cisco 2950 series allows you to put layer 3 filters
    > in even though it doesn't do routing.
    >
    > Does the neighbour perchance have a spare IP address in
    > their allocated external range? If so, then here's a hack
    > that will work:
    >
> Take a PIX 501, plug the line from the WAN router into
> its *inside* interface, and plug a line to the neighbour's
> PIX into a different port on the *inside* interface.
> The PIX 501 has a 4 port switch as its inside interface
    > so this will not require any IP address changes to the router
    > or the existing PIX. Connect the outside interface of the PIX 501
    > to your client's switch.
    >
    > Now, configure the PIX to do "reverse NAT", so that IP
    > addresses that come in from the outside interface
    > (your client) have their source IP mapped into the borrowed IP in
> the public range. You can put on whatever ACLs you want to
> block your client from going to the other IPs of the
    > neighbour, but you would remind the neighbour that with this
    > setup, your client would be connected to the -outside- of the
    > neighbour's PIX, and so your client would not be able to reach
    > anything that the neighbour did not permit them to reach. But put
    > in ACLs anyhow in order to protect your client from the outside world.
    >
    > The PIX 501 can handle 60 megabits per second of cleartext,
    > which is more than fast enough for a T1.. and besides, the
    > neighbour would have their connection switched to the router,
    > so the speed that the 501 could process ACLs and packet
    > inspection wouldn't matter to the neighbour.
    >
> The entry level PIX 501 has a limit of 10 "users". In practice that's a
> limit on the number of different source IPs that can be translated
> simultaneously. The WAN router shouldn't count for
> anything (because it isn't likely to send you traffic on its -own-
> IP). That would leave 10 sites that your internal users could be
> visiting simultaneously. (Keep in mind, though, that it isn't uncommon
> for a web site to serve up native content from two different locations,
    > plus to serve up an advertisement from a different location, and
    > possibly to serve up "webbugs" or tracking cookies from a 4th location.
    > Add at least one for DNS as well.) If this limit proved to be a problem
    > then there is a 50 "user" license upgrade for the 501, and an
    > unlimited license as well.
    >
    > Usually it is a much better buy to go for a PIX 506E (faster plus no
    > license limit) than the 50 user license on a PIX 501, but the 506E does
    > not have the 4 port switch, so unless the neighbour already happened
    > to have a switch there, you would have to add in a switch. Nearly
    > any switch should serve, since the maximum rate would
> be T1 speed in each direction. The 506E is a noticeably higher
    > cost than the 501.
    >
    >
    > Now that I think of it, you can go for a much less expensive
    > option than a PIX 501. Get an inexpensive switch and get a
    > broadband firewall (e.g., Linksys BEFW11S4), borrow a public
    > IP from the neighbour, and arrange in much the same topology as
    > above except with the firewall "right way around". Having the
    > 501 flipped around from its usual configuration was just in order
    > to allow the 4 port built in switch to be on the outside, but if
    > you put an external switch there then that isn't an issue.
    > Instead of the Linksys broadband firewall you might want to consider
> the equivalent model of D-Link, available with a built-in 8 port switch
    > to plug your client's 5 users into [this is not the same switch
    > as the one that would have to go outside.] Anyhow, with this
    > configuration you would have the same advantage as before: your
    > client's data would show up on the -outside- of the neighbour's
    > PIX so the neighbour can do whatever filtering they want of it.
    >
> The firewall you would get for your client would depend upon the
    > security assessment survey you did for the company: if they don't
    > have much to protect, then a SOHO firewall might be fine; if they
    > are dealing with more sensitive issues or higher dollar amounts
    > then you'd have the usual concerns about using a firewall with
    > an established history and which has been officially certified.
    >

Seeing that I am trying to keep the cost down, the security on my
client's end isn't very sensitive. Mostly website medical billing as far
as bandwidth is concerned.

I'll price out the D-Link with 8 ports. I think I'll just reconfigure the
"outside" IP on the PIX and DMZ that port with the SOHO firewall.

Modify or add any ACLs that may need to be in place (probably not). I
didn't do the original PIX config but it should be secure enough anyway.

I'm not sure what the neighbor's setup is as far as client WS and bandwidth.

    Thanks for your feedback and reinforcing my initial thoughts.

    I'll post later after touring the office.

    Dave
    david, Jan 13, 2005
    #3
  4. david

    david Guest

    Followup

    OK

I surveyed the office and new client's office. The neighbor is upstairs
from her suite. His main concerns are security and bandwidth.

I offered the solution of dropping a switch between his firewall and the
T1 and splitting to my client's office. He's OK with that idea.

Second is bandwidth: can someone recommend a cost effective switch or
router on which I can allocate a bandwidth percentage for each port?

The switch is to serve 3 clients: T1, landlord, my client.

I would like to give 70% bandwidth to the landlord, 30% to my client.


    Thanks,

    Dave
    david, Jan 13, 2005
    #4
  5. Re: Followup

    In article <yYCFd.652$Vx2.30@trndny01>, david <> wrote:
:Second is bandwidth: can someone recommend a cost effective switch or
:router on which I can allocate a bandwidth percentage for each port?

    I'm not up on what is available in the low end for this purpose.
    Neither Linksys nor D-Link have such a product. Netgear has one
    product, which appears to retail for about $US 1250 [it's actually
    a gigabit switch.]

The lowest priced current Cisco device that I can think of at
the moment for this is the WS-C2950T-24. That's 24x10/100 + 2 x 1000BaseT
with Enhanced Image; its retail price starts about $US800.

The Cisco 831 router has rate limiting, and a price tag starting
about half of the C2950T-24, but it only has two interfaces. Therefore
it would make sense to get an inexpensive switch that wasn't
particularly smart and put an 831 between the WAN router and the
switch and plug the users into that.
    --
    And the wind keeps blowing the angel / Backwards into the future /
    And this wind, this wind / Is called / Progress.
    -- Laurie Anderson
    Walter Roberson, Jan 14, 2005
    #5
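Added example (mine, not from this thread) of what the "831 between the WAN router and a dumb switch" arrangement above could look like in Cisco IOS MQC terms, carrying the 70/30 split asked for in the followup. Assumptions: Ethernet1 faces the T1 router, Ethernet0 faces the switch, and the two tenants sit in the placeholder subnets below; the shaper is needed because a 10/100 Ethernet port never congests on its own, so without it the percentages would never apply.

```cisco
! Added example, not part of the thread. Placeholder addressing
! (203.0.113.0/25 = landlord, 203.0.113.128/25 = new client).
!
! Upload direction: classify by SOURCE address.
ip access-list extended LANDLORD_SRC
 permit ip 203.0.113.0 0.0.0.127 any
ip access-list extended CLIENT_SRC
 permit ip 203.0.113.128 0.0.0.127 any
! Download direction: classify by DESTINATION address.
ip access-list extended LANDLORD_DST
 permit ip any 203.0.113.0 0.0.0.127
ip access-list extended CLIENT_DST
 permit ip any 203.0.113.128 0.0.0.127
!
class-map match-all LANDLORD_UP
 match access-group name LANDLORD_SRC
class-map match-all CLIENT_UP
 match access-group name CLIENT_SRC
class-map match-all LANDLORD_DOWN
 match access-group name LANDLORD_DST
class-map match-all CLIENT_DOWN
 match access-group name CLIENT_DST
!
! Child policies: 70/30 minimum shares during congestion. This is a floor,
! not a cap: an idle tenant's share is lent to the busy one.
policy-map T1_SHARE_UP
 class LANDLORD_UP
  bandwidth percent 70
 class CLIENT_UP
  bandwidth percent 30
policy-map T1_SHARE_DOWN
 class LANDLORD_DOWN
  bandwidth percent 70
 class CLIENT_DOWN
  bandwidth percent 30
!
! Parent policies: shape each direction to the T1 rate (1.536 Mb/s) so
! the Ethernet port congests where the T1 would, and the child applies.
policy-map T1_SHAPE_UP
 class class-default
  shape average 1536000
  service-policy T1_SHARE_UP
policy-map T1_SHAPE_DOWN
 class class-default
  shape average 1536000
  service-policy T1_SHARE_DOWN
!
interface Ethernet1
 description upstream, toward the T1 router
 service-policy output T1_SHAPE_UP
interface Ethernet0
 description downstream, toward the cheap switch
 service-policy output T1_SHAPE_DOWN
```

Some IOS releases insist on headroom for class-default in the child policy; if the 70/30 pair is rejected, trim one class by a few percent. Check with "show policy-map interface" that both classes are actually seeing packets before trusting the split.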
  6. In article <zzvFd.2$hC2.1@trndny04>, david <> wrote:
:Seeing that I am trying to keep the cost down, the security on my
:client's end isn't very sensitive. Mostly website medical billing as far
:as bandwidth is concerned.

    I'm having a bit of trouble picturing the situation. Earlier you
indicated that your client had about 5 users, and is an NFP, which I
took to mean Not For Profit. Perhaps it is because I am not in the USA,
but I cannot think at the moment of why a 5-user Not For Profit would
have any significant amount of website medical billing on behalf of
    their own employees. If they are doing medical billing on behalf of
    other people (I don't know... say a small charity-supported x-ray
    clinic) then anywhere I can think of in the USA, very strict patient
    information privacy regulations kick in that would require that a good
    computer security system be put in place, possibly even requiring a
    "certified" firewall.

We get around the issues here by never putting patient identification
online, only ever writing the keys out by hand in journals that get
locked away when not actively in use. If we had patient names
online, even just as a part of "billing", then we would fall under
the provincial patient data security legislation, which would be
fairly costly to implement.


:I'll price out the D-Link with 8 ports. I think I'll just reconfigure the
:"outside" IP on the PIX and DMZ that port with the SOHO firewall.

    That to me implies an extra layer of network address translation
    at the SOHO firewall. That could -potentially- cause significant
    problems, as SOHO firewalls usually do not go as deeply into packets
    as the PIX does [some other brands of non-SOHO firewalls go even deeper
    though.] It would depend on what the person with the PIX is trying to
    do with their connection; it might not present a problem at all.
    --
    So you found your solution
    What will be your last contribution?
    -- Supertramp (Fool's Overture)
    Walter Roberson, Jan 15, 2005
    #6
  7. david

    david Guest

    Walter Roberson wrote:

    > In article <zzvFd.2$hC2.1@trndny04>, david <> wrote:
> :Seeing that I am trying to keep the cost down, the security on my
> :client's end isn't very sensitive. Mostly website medical billing as far
> :as bandwidth is concerned.
    >
    > I'm having a bit of trouble picturing the situation. Earlier you
> indicated that your client had about 5 users, and is an NFP, which I
> took to mean Not For Profit. Perhaps it is because I am not in the USA,
> but I cannot think at the moment of why a 5-user Not For Profit would
> have any significant amount of website medical billing on behalf of
    > their own employees. If they are doing medical billing on behalf of
    > other people (I don't know... say a small charity-supported x-ray
    > clinic) then anywhere I can think of in the USA, very strict patient
    > information privacy regulations kick in that would require that a good
    > computer security system be put in place, possibly even requiring a
    > "certified" firewall.


    Not an issue.
    >
> We get around the issues here by never putting patient identification
> online, only ever writing the keys out by hand in journals that get
> locked away when not actively in use. If we had patient names
> online, even just as a part of "billing", then we would fall under
> the provincial patient data security legislation, which would be
> fairly costly to implement.


Also not an issue.
    >
    >
> :I'll price out the D-Link with 8 ports. I think I'll just reconfigure the
> :"outside" IP on the PIX and DMZ that port with the SOHO firewall.
    >
    > That to me implies an extra layer of network address translation
    > at the SOHO firewall. That could -potentially- cause significant
    > problems, as SOHO firewalls usually do not go as deeply into packets
    > as the PIX does [some other brands of non-SOHO firewalls go even deeper
    > though.] It would depend on what the person with the PIX is trying to
    > do with their connection; it might not present a problem at all.


The security of the PIX is strictly for the neighbor. My client just
needs some bandwidth from the T1. I was hoping to get information on a
cost effective solution for bandwidth allocation.

The SOHO is not for security over or as well as the PIX, just a tool to
split the line in front of the PIX. That way the configuration on
the PIX should only need minor tweaking.

    I appreciate your feedback.

    Dave
    david, Jan 16, 2005
    #7