Secure network question???

Discussion in 'Cisco' started by clubfoot, Apr 9, 2006.

  1. clubfoot

    clubfoot Guest

    Hi all. I own a shipping store and we have one computer that we rent
    computer time on with web access, 2 point-of-sale and 1 accounting system.
    The franchise co. office has just informed us that they have a new "high
    security router" programmed for tighter security than the simple off-the-
    shelf D-Link that they used to provide us with. The new router is a D-Link
    "advanced security and firewall" programmed by a "network security guru." I
    think I can do a better job with a Cisco system. I got my CCNA 5 years ago
    and know a little (just enough to pass the old CCNA exam) about Cisco
    routers and switches. I would like to program a 2620 with a 2924 or 2912 to
    get greater security and provide 3 VLANs for my network. The rental computer
    is connected via network to our copy machine and I would like to keep them
    separate from our point-of-sale systems and all of that separate from our back
    room accounting system. The "gurus" won't tell me anything about how they
    programmed the new router; I guess that would hurt their bottom line. I don't
    have enough to get a PIX, so I would like to do what I can in the 2620 and
    the switch. My question is this: what would be my best plan of attack? I'm
    thinking about creating a large ACL to block any ports that I won't need;
    however, I don't yet know what ports those would be. I ship UPS, FedEx, DHL
    and US Postal and I still have to allow for common access from the rental
    computer, and I know that some of these shippers use some strange ports that
    their software uses - I'm still trying to find out what those ports are. Oh,
    plus we are going to on-line credit card processing and will be adding
    on-line system backups. Would an ACL blocking ports and some known nasty IP
    ranges be a sufficient enough way to provide security better than a
    piece-O-$H1T D-Link and keep a virus or hack attack on one system from
    getting to the others? And, if so, does anyone know what ports UPS, FedEx,
    DHL, US Postal, online credit card processing and common computer rental
    software use so I can allow them in the ACL? Also, if it makes any
    difference, we are using ISDN-BRI; yes, I know I'm almost the last person on
    earth to use BRI, but I can't get anything else in this brand new
    development, so I have to figure out how to program that also.
    Thanks in advance for any help you can give me!
    Chris
     
    clubfoot, Apr 9, 2006
    #1

  2. thrill5

    thrill5 Guest

    Securing a network is a very complicated business, and using ACLs instead of
    a firewall is not a very good idea unless you are very well versed in
    security and have a sound knowledge of reflexive ACLs. A router is not a
    firewall, and so configuring one to be a firewall is like trying to fit a
    square peg in a round hole. Yes, you can do it, but it is not the right tool
    for the job. A PIX is a firewall and so it can be easily configured to work
    as one; conversely, a PIX is not a router, so you would not use one to
    do the function of a router. I would leave the security to the "guru".

    Scott
     
    thrill5, Apr 10, 2006
    #2

  3. clubfoot

    clubfoot Guest

    Thank you Scott for your answer. I did a little checking on eBay and found
    that a PIX 501 is something that I can afford. Sorry, I was thinking back a
    few years ago when a PIX 515 was in the thousands-of-dollars range used, and
    I had never heard of a 501 (limited exposure to some Cisco products not
    installed in my department). I will add it to my 2620 and also get a managed
    switch (2912, 26, 24) so I can do the VLAN plan. I just heard of a local
    store who got the new improved D-Link router/firewall and will try to get
    him to let me look at the config and program my store with that same info.
    Although, I still have to program it all and I have never touched a PIX
    before or programmed a Cisco router for B-ISDN, so you will still hear from
    me in the next few months. In your reply you talked about "reflexive ACLs";
    I don't remember reading about them, the old CCNA exam just concentrated on
    basic/extended ACLs. Is this something I should study up on, or is it
    something that the PIX will take care of for me, or do I even need to worry
    about them? Forgive me for sounding ignorant but, since I left the
    data/teleco. world a couple of years ago, I seldom get a chance to talk
    tech. and a lot fades, and times have changed quickly - kind of miss it.
    Kind of makes me think, experience doesn't last long in this industry!
    Chris

     
    clubfoot, Apr 12, 2006
    #3
  4. In article <443cb57a$>,
    clubfoot <> wrote:
    >In your reply you talked about "reflexive ACLs"; I don't
    >remember reading about them, the old CCNA exam just concentrated on
    >basic/extended ACLs. Is this something I should study up on, or is it
    >something that the PIX will take care of for me, or do I even need to worry
    >about them?

    "Reflexive ACLs" is not a concept used by the PIX 501. The PIX 501
    uses "adaptive security" -- which basically means that when it
    figures out that a particular data path will be needed, it automatically
    and temporarily adjusts the ACLs internally to accommodate the path
    (there isn't any way to view the adjusted ACLs.)
     
    Walter Roberson, Apr 12, 2006
    #4
  5. clubfoot

    clubfoot Guest

    So, in other words, I can't see what path was used, say when UPS WorldShip
    updates in May. I simply have to trust that it will work OK? I guess this
    would be fine if the PIX temporarily adjusts the ACLs to accommodate paths
    initiated from software on my systems, unless it was a Trojan horse or
    something like that. Forgive me if I'm starting to sound like someone who
    fits in the category of "a little knowledge can be dangerous", but I'm trying
    to figure out if I could secure my network myself or if I should call a guy
    I know who maintains the network for a rather large school dist. and pay
    him to set me up.
     
    clubfoot, Apr 13, 2006
    #5
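The mechanism Scott and Walter describe (reflexive ACLs on IOS, "adaptive security" on the PIX) and the Trojan-horse worry raised in the last post, modelled as an added example; this is not code from the thread or from Cisco, and the addresses, ports and 300-second timeout are constructed:

```python
from typing import Dict, Set, Tuple

# Constructed 5-tuple: (proto, src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, str, int, str, int]
INSIDE_NET = "192.168.1."      # constructed store LAN prefix
REFLECT_TIMEOUT = 300          # seconds a reflected return path stays open

class ReflexiveFilter:
    """Reflexive ACL model: static inbound rules plus temporary mirrored
    entries created by permitted outbound traffic (hypothetical code)."""

    def __init__(self, static_inbound: Set[Tuple[str, int]]):
        self.static_inbound = static_inbound        # (proto, dst_port) pairs
        self.reflected: Dict[Flow, float] = {}      # mirrored flow -> expiry

    def outbound(self, flow: Flow, now: float) -> bool:
        proto, sip, sport, dip, dport = flow
        if not sip.startswith(INSIDE_NET):
            return False                            # only inside hosts may originate
        # Permit and reflect: the return flow is the mirror image of this one.
        self.reflected[(proto, dip, dport, sip, sport)] = now + REFLECT_TIMEOUT
        return True

    def inbound(self, flow: Flow, now: float) -> str:
        expiry = self.reflected.pop(flow, None)
        if expiry is not None and now < expiry:
            self.reflected[flow] = expiry           # still valid, keep the entry
            return "permit-reflected"
        if (flow[0], flow[4]) in self.static_inbound:
            return "permit-static"
        return "deny"                               # implicit deny, as in IOS

def scenario() -> Dict[str, str]:
    """Rental PC browses out; an outsider probes the POS; then time passes."""
    rental, pos, web, probe = "192.168.1.50", "192.168.1.20", "203.0.113.10", "198.51.100.7"
    reflexive = ReflexiveFilter(static_inbound=set())
    # A plain extended ACL keeps no state, so letting replies in means
    # statically permitting the client's ephemeral port for every outside host.
    static_only = ReflexiveFilter(static_inbound={("tcp", 40000)})
    results = {}
    reflexive.outbound(("tcp", rental, 40000, web, 443), now=0)
    results["reply_to_rental"] = reflexive.inbound(("tcp", web, 443, rental, 40000), now=5)
    results["probe_pos_445"] = reflexive.inbound(("tcp", probe, 4444, pos, 445), now=5)
    results["probe_pos_40000"] = reflexive.inbound(("tcp", probe, 4444, pos, 40000), now=5)
    results["late_reply"] = reflexive.inbound(("tcp", web, 443, rental, 40000), now=400)
    results["static_probe_pos_40000"] = static_only.inbound(("tcp", probe, 4444, pos, 40000), now=5)
    return results

if __name__ == "__main__":
    print(scenario())
```

Note that any inside host that originates a connection opens its own return path, which is why the filter cannot tell a legitimate update from malware calling out; per-VLAN egress rules and the separation asked about in the first post are what limit that.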
