class familiarity with corporate firewalls? differs from home based
--more detailed customization and features - must configure both interfaces
--better tech support (Jeff)
--robustness
--SECURITY - better IDS (or intrusion prevention in the case of PIX) - attack detection and prevention (also shun)
--wish I had a chance to see more of these years ago
--to share some details of a corporate firewall configuration
--and show a few useful commands
--------------------------------------------
The Cisco PIX 506E is a commercial grade fw available for $1000-$1500 depending on failover purchase or 3DES upgrade purchase
--------------------------------------------
PIX stands for Private Internet Exchange (I guess PIE didn't sound right)
--------------------------------------------
OS - Finesse
--------------------------------------------
Intrusion Prevention, not just IDS
--------------------------------------------
168-bit 3DES/256-bit AES IPSec software license (AES = Advanced Encryption Standard)
--------------------------------------------
PDM - PIX Device Manager (web interface) - not stable
--------------------------------------------
login
sh arp
setup
sh ip
show ip add out dhcp lease
show ip add out dhcp server
sh inter
--------------------------------------------
sh isakmp policy - mention crypto discussion
sh crypto engine verify - FIPS (Federal Information Processing Standards)
sh crypto ipsec transform-set
--ESP - Encapsulating Security Payload - part of IPSec
--3DES - encryption algorithm
--SHA - hash algorithm (sah, saw, shaw)
--transform set - combination of security protocols and algorithms
--first set is the ESP encryption transform set using 168-bit 3DES; second set is the authentication transform using the HMAC-variant SHA authentication algorithm.
IKE - Internet Key Exchange - used to add flexibility to IPSec
--IKE is a hybrid protocol which implements the Oakley key exchange and Skeme key exchange inside the ISAKMP framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.)
ISAKMP - Internet Security Association and Key Management Protocol
--------------------------------------------
sh conn detail
--------------------------------------------
sh logging - mention syslog
--------------------------------------------
sh dhcpd stat - PIX not giving out DHCP addresses
--------------------------------------------
sh route
--------------------------------------------
sh shun
--------------------------------------------
sh icmp
--------------------------------------------
wr t - mention wr mem
--------------------------------------------
sh tech
--------------------------------------------
pat/nat/global
--------------------------------------------
AAA - TACACS+ / RADIUS
--TACACS+ --- Terminal Access Controller Access-Control System, or TACACS, was first documented in RFC 927 in December of 1984 as a method of preventing double logins on certain network hosts. It has since evolved into a centralized security system for distributed computing environments with Cisco's release of TACACS+ in 1995.
--RADIUS --- Remote Authentication Dial-In User Service
--------------------------------------------
LAST: Output Interpreter
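The ESP authentication transform from the transform-set notes above, as an added example (not part of these notes and not Cisco's code): an HMAC-SHA1-96 integrity check plus sequence-number replay rejection over a constructed ESP-style packet, using only Python's standard library. The 3DES encryption transform is not shown (the stdlib has no 3DES); the key, SPI and payload are constructed sample values.

```python
"""Added example: the ESP authentication transform (HMAC-SHA1-96) from the
notes above, over a constructed packet.  Only the integrity side of ESP is
shown; the 3DES encryption transform is omitted (no 3DES in the stdlib).
Key, SPI and payload used here are constructed sample values."""
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: only the first 96 bits (12 bytes) of the tag are sent


def esp_authenticate(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build ESP header (SPI, sequence number) + payload and append the ICV.
    The ICV covers header and payload, so header tampering is detected too."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


def esp_verify(key: bytes, packet: bytes, last_seq: int):
    """Check the ICV in constant time, then reject replayed sequence numbers.
    Returns (ok, spi, seq, payload); payload is None whenever verification fails."""
    if len(packet) < 8 + ICV_LEN:
        return False, None, None, None          # truncated: drop
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, None, None, None          # integrity failure: drop
    spi, seq = struct.unpack("!II", body[:8])
    if seq <= last_seq:
        return False, spi, seq, None            # replay of an already-seen packet
    return True, spi, seq, body[8:]


if __name__ == "__main__":
    key = b"constructed-demo-auth-key"          # constructed, not a real SA key
    pkt = esp_authenticate(key, 0x1000, 1, b"constructed payload")
    print(esp_verify(key, pkt, 0))              # accepted
    print(esp_verify(key, pkt, 1))              # rejected as replay
```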