
Tuesday, January 4, 2011

How to Secure Your Small Business with a PIX Firewall

One of the more popular firewall products for the small business market is the Cisco PIX 501. Out of the box it requires just a few configuration entries and you are up and running.

In this guide, we will walk through the steps for configuring your brand new PIX at the network edge.

This guide is written for the user who has no knowledge of the PIX firewall. As such, it is not a treatise on network security, but a quick, by-the-numbers guide to configuring a PIX firewall with as little jargon as possible.

We are assuming that you have an internet connection with at least one static IP address. While the PIX can easily handle a dynamic IP address (that is the default configuration), you won't be able to easily configure remote access, VPNs, mail, or web servers without a static IP address.

Your PIX should have come with an AC adapter, a yellow CAT5 cable, an orange CAT5 cable and a flat, (typically) baby blue cable with a 9-pin serial connector on one end and an RJ-45 plug on the other.

The yellow CAT5 cable is a standard Ethernet cable and is used to connect your PC or server to the 4-port Ethernet switch built into the PIX. The orange CAT5 cable is a cross-over cable and may be required to connect the outside interface of the PIX to your ISP's router (if your PCs or workstations are plugged into a Cisco switch inside the network, you will also require a cross-over cable for connecting to one of the switch ports on the PIX).

What we are going to use for our configuration is the baby blue rollover cable. Insert the serial connector into one of the serial ports on the back of the PC or laptop you will be using to configure the PIX. Then, insert the RJ-45 plug into the port on the back of the PIX labeled "console."

Windows has a built-in application that is used for (among other things) configuring serial devices. Using the start menu, go to Start > Programs > Accessories > Communications > HyperTerminal.

Choose the HyperTerminal application. You may get a dialog box asking if you'd like to make HyperTerminal your default telnet application. Unless you have a preference, go ahead and choose yes.

Then you will be asked for the area code from which you are dialing. Although it isn't applicable here, the program still wants to know, so fill it in and click 'Next' or 'OK.'

You can call the connection anything you'd like; in this example we'll use PIX. Click 'OK' to move on.

Next, we'll be asked to enter the details for the phone number we'd like to dial. Since we aren't dialing a phone number, use the drop-down selector at the bottom of the box to choose COM1 or COM2 (whichever is applicable). If you have no idea which one is which, you may need to try it both ways.

Now, you will be expected to tell the application some specifics about the port settings so that it can effectively communicate with the PIX.

Luckily, it isn't too complex; just remember 9600, 8, none, and 1 (9600 bits per second, 8 data bits, no parity, 1 stop bit). Enter these settings into the drop-down selectors of the box on your screen.

Now we are ready to set up the PIX. Insert the power cable and you will be greeted with the startup monologue (it's not a dialog in this case; it's just informing you of what is occurring).

Then, you will be greeted with a screen that asks if you'd like to program the PIX using interactive prompts. For the purpose of this exercise, type no and press Enter.

You will now get a prompt that looks like this: 
pixfirewall> 
Type the word 'enable' (no quotes). When prompted for the password, just press Enter, as the default is no password.

The prompt has changed to a hash mark: 
pixfirewall# 
Type the phrase 'configure terminal' (no quotes); you are telling the PIX that you want to enter the global configuration mode and you will be doing your configuration via the terminal window.

Your prompt will now look like this: 
pixfirewall(config)#

The first thing we want to do is give your PIX a host name. The PIX command syntax is: 
hostname <name>

Thus, to set the hostname we will enter: 
pixfirewall(config)# hostname mypix

Now, the domain name; it's alright if you don't have a domain set up on your network, you can call it whatever you like. However, give some thought to whether a domain might be a possibility at some point and plan your naming scheme appropriately. 
pixfirewall(config)# domain-name mydomain.com

In the PIX's default configuration, the ethernet0 interface is the outside interface, with a security level of 0, while ethernet1 is the inside interface with a security level of 100. Additionally, both interfaces start out shut down. All we need do to bring them up is enter the speed at which they should operate. As they are Ethernet interfaces, any software version after 6.3(3) will take 100full; prior to that, use 10full.

pixfirewall(config)# interface ethernet0 100full 
pixfirewall(config)# interface ethernet1 100full

Now to assign an address to the inside and outside interfaces; the ip address command sets the IP address of an interface. The syntax is as follows: 
ip address <interface> <ip address> <netmask>

An example might be as follows: 
ip address outside <ip address> <netmask> 
pixfirewall(config)# ip address outside 12.25.241.2 255.255.255.252 (this IP address/netmask combination should not be used; it is shown here for example only. Use the IP address/mask given to you by your ISP).

Then the inside IP address: 
ip address inside <ip address> <netmask> 
pixfirewall(config)# ip address inside 192.168.0.1 255.255.255.0

A brief word about IP addressing is in order here.

One way that is used to conserve public IP addresses is through the use of non-routable IP addressing blocks specified in RFC 1597. You may sometimes hear them referred to as "private" IP addresses, which is fine, but not quite technically accurate. There are three different blocks to choose from: 
10.0.0.0 - 10.255.255.255 with a netmask of 255.0.0.0 
172.16.0.0 - 172.31.255.255 with a netmask of 255.255.0.0 
192.168.0.0 - 192.168.255.255 with a netmask of 255.255.255.0

As long as your internal network's IP addresses are all within one of those blocks of address space, you will not need to introduce the complexity of routing within your LAN. An example scheme for those who are not familiar is shown below: 
PIX - 192.168.0.1 netmask 255.255.255.0 
File/DHCP server - 192.168.0.2 netmask 255.255.255.0 
Workstations - 192.168.0.10 - 192.168.0.254 netmask (each) 255.255.255.0 
* I intentionally skipped over the 192.168.0.3-9 addresses to plan for future expansion and the possible need for additional servers; you don't have to do this. 
* Configure your DHCP server to hand out addresses in the specified block using your ISP-provided DNS servers for name resolution. Make sure to change this should you ever decide to install a name server within your own network. 
* If you don't want to set up a DHCP server, just configure each PC with the IP address, default gateway, netmask and DNS servers.

It is very important now to add a default route to the PIX configuration. Another term for default route is the "default gateway." You need to tell the PIX that if it receives traffic destined for a network that isn't directly connected, it should send it to the connected ISP router. Your ISP should have given you the IP address of your default gateway when you received your setup information.

Here is the syntax: 
route <interface> <network address> <mask> <gateway ip> [<metric>]
The English translation is "if packets destined for <interface> are on the network specified by <network address> and bounded by <mask>, route them via the next hop at <gateway ip>." The optional <metric> is used to give an indication of distance.

For example: 
pixfirewall(config)# route outside 0 0 <ISP gateway IP> 1 
(if packets are destined outside the network to any IP address with any netmask, send them through the ISP's default gateway, which is one hop away, meaning it is the device to which the PIX is connected on the outside interface).

To password protect your PIX in order to prevent unauthorized access, use something that is secure and hard to guess. Try to stay away from the names of spouses, children, pets, birthdays or other easily guessed values. Whenever possible, use a combination of letters and numbers. The syntax is as follows (but please don't use cisco as your actual password): 
pixfirewall(config)# passwd cisco (note the abbreviated spelling of the word password) this will set a password for basic access (remember the pixfirewall> prompt?) 
pixfirewall(config)# enable password cisco this will set the password for administrative access

Now that your PIX has been given a basic configuration, you should be able to access the internet, while preventing unauthorized access to your resources.
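As an added example (not part of the original article), the following Python script assembles the global-configuration commands in the order given above and sanity-checks the addressing plan first: the outside address must be public, the inside address and every LAN host must sit in one private block on the inside subnet, the default gateway must be on the outside subnet, and the passwords must follow the letters-and-numbers advice. The addresses are the article's sample values; the gateway 12.25.241.1 used in the usage is a constructed placeholder.

```python
import ipaddress

# The non-routable blocks the article lists (RFC 1597, now RFC 1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True if addr lies in one of the non-routable blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)

def weak_password(pw):
    """Flag what the article warns against: the sample word 'cisco',
    or a password lacking either letters or digits."""
    return (pw.lower() == "cisco" or not any(c.isalpha() for c in pw)
            or not any(c.isdigit() for c in pw))

def check_plan(outside, inside, gateway, hosts, passwords):
    """Return a list of problems; an empty list means the plan is sane."""
    out_if = ipaddress.ip_interface(outside)   # "ip/netmask" strings
    in_if = ipaddress.ip_interface(inside)
    problems = []
    if is_private(str(out_if.ip)):
        problems.append("outside address is private; use the ISP-assigned public address")
    if not is_private(str(in_if.ip)):
        problems.append("inside address is not in a private block")
    if ipaddress.ip_address(gateway) not in out_if.network:
        problems.append("default gateway is not on the outside subnet")
    for h in hosts:
        if ipaddress.ip_address(h) not in in_if.network:
            problems.append(f"host {h} is not on the inside subnet and would need a route")
    for pw in passwords:
        if weak_password(pw):
            problems.append("weak password: mix letters and numbers, never 'cisco'")
    return problems

def build_config(hostname, domain, outside, inside, gateway, passwd, enable_pw):
    """Emit the configure-terminal commands in the order the article applies them."""
    out_if = ipaddress.ip_interface(outside)
    in_if = ipaddress.ip_interface(inside)
    return [
        f"hostname {hostname}",
        f"domain-name {domain}",
        "interface ethernet0 100full",
        "interface ethernet1 100full",
        f"ip address outside {out_if.ip} {out_if.netmask}",
        f"ip address inside {in_if.ip} {in_if.netmask}",
        f"route outside 0 0 {gateway} 1",   # gateway: constructed placeholder in usage
        f"passwd {passwd}",
        f"enable password {enable_pw}",
    ]
```

Run check_plan on the article's scheme (PIX 192.168.0.1/24, server .2, workstations .10-.254) before pasting the build_config output into the console session; any non-empty result points at a line that would leave the LAN unreachable or the PIX weakly protected.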

Ron Jones is the Founder and President of The Fulcrum Technology Group, Inc. www.fulcrumtechnologygroup.com [http://www.fulcrumtechnologygroup.com] Located just North of Atlanta, this consulting firm specializes in business technology solutions that will enable you to maintain a competitive advantage by increasing productivity, improving reliability and reducing expenses.

What Is Wardriving And How Can You Prevent It

Imagine a car equipped with nothing more than a laptop computer, a portable GPS receiver, and a wireless network card slowly strolling through your neighborhood. Unknown to any onlookers, this is no ordinary vehicle; rather, it is a wardriving machine. As the car strolls past homes and businesses, a wireless network card (available at any electronics store for as low as $25) scans for any wireless access points. Anyone with a wireless network (and there are many out there) is vulnerable.

The computer is looking for what is called an SSID. An SSID is your wireless network name, and it is being constantly transmitted by your access point, letting computers know of its presence. The wardriver uses software such as NetStumbler (for Windows) or Kismet (for Linux) to scan the airwaves for SSIDs. The program can track various access points at once and monitor the signal strength. These programs can also check to see if the network is encrypted. The wardriver will generally configure his or her software to log any strong unencrypted signals. Using the GPS receiver, the coordinates of the strong signal will be recorded.

After this preliminary drive, the wardriver can return to the locations that were recorded and connect to the access point. Once connected to an unencrypted network, the wardriver can use the victim's internet access, and can also explore computers on the network. If files are being shared within someone's private network, all of that information is susceptible to a wardriver. Furthermore, once in the network, a wardriver can sniff network traffic and can view any information such as passwords and credit card numbers you send out to the internet - even SSL secured data. Wireless network vulnerability is a major problem, and as more and more households purchase wireless technology, the problem of insecure networks increases. Sound scary? Well, this happens every day, and it doesn't take an expert to pull off. 
It doesn't take an expert to protect against it either, however.

Steps you can take to protect against wardrivers:

There are a number of very simple steps you can take to protect your wireless network. For many of these, you will have to access your router configuration utility (check your manual on how to do this, you will generally need to type an IP address into your browser such as 192.168.0.1 or 192.168.1.1).

Don't broadcast your SSID. If you are broadcasting your SSID, this is the first thing a program will pick up and recognize. If you configure your router to not broadcast your SSID, it will be difficult to detect (but not impossible, for some software can sniff wireless communication, so if you are using your wireless network, the SSID can be revealed). If you are not broadcasting your SSID, but it can be guessed (such as if you are using a default SSID), cloaking is pointless. Due to this, remember to change your SSID from the factory default. This is not a 100 percent effective method to secure your network, but it is a good first line of defense.

Change the default password. When you buy a router, a factory password is stored. People experienced in working with routers know the default passwords for different routers (and the make of the router can be seen by wardriver software such as NetStumbler). It is important that you secure your router with a good password.

Encrypt your wireless communication. I can't stress the importance of encrypting your wireless communication enough. Enable encryption and enter a key. Most routers are only capable of WEP encryption, but if they permit, use EAP encryption, it's more secure than WEP. Like cloaking your SSID, encryption is not 100 percent secure. Given enough time and determination, if someone wants to target you and access your network, WEP encryption can be bypassed using software such as AirSnort.

Filter the MAC addresses that are allowed to connect to your router. This would require that you enter your router configuration and input the MAC address of each wireless card you have. This will restrict access so that only your computers can connect to the router. You will need to obtain the MAC address (which is the individual identification address of a network card, in the form of a 12-digit hexadecimal number). If someone sniffs traffic and detects the MAC address of a computer wirelessly using your network, the wardriver could emulate that address and connect to the router, but this takes time.

If you configure file sharing on your computers, make sure it is password protected. You should not share files on your networked computers unless it requires an authenticated user to access. Set up the same user accounts on your machines so that your computers can share files.

With these relatively simple steps, wireless network users can secure their networks from wardrivers. Wireless networks are inherently insecure, and these tips will merely help you better secure your network. If someone is really determined to gain access to your network, given enough time, a good hacker can get access. These tips will deter the average wardriver from gaining access to your network, however. Although these methods are not definite security measures, they will change your network from being something that can be hacked in a matter of seconds to something that will take a determined hacker days if not weeks of work, all of which will have to be done while in close proximity to your network.

The author is a network security veteran, and CEO of Andertec Enterprises http://www.andertec.com, which specializes in onsite custom computer services for the Los Angeles area. Andertec also sells custom made-to-order computer systems, and has a line of revolutionary products at incredibly low prices including the best-selling CyberHome Complete home automation package.

AIM and a Half - Give your AIM a Little More

Buttons, ads, big long menus, pictures are everywhere and they're slowing down your AOL Instant Messenger. What is there to do? Add-ons for AIM just add things to your AIM: aliasing, tabbed IM windows, etc. But what do you do about all of those things that are slowing down your AIM? There may be a solution. 
AIM (AOL Instant Messenger) is an instant messenger program that lets you talk to people all around the world - for free. Making a free utility like this comes with some cost. AIM throws ads onto the top of your buddy list, useless buttons everywhere even though there are already 3 ways you can get to the same place, just as easily. As each version of AIM comes out, the more your AIM is loaded with extra things like this. 
Now, there's a new program titled AIM ½. It gets rid of ads and those buttons on the bottom of the buddy list, and shortens all of the menus to only what you need. It gets rid of all of those buttons in IM windows (warning, games, etc), and it gives you more practical sign-on, sign-off, and away symbols on your buddy list. It gives you the ability to resize your buddy list to ANY size. And it does little things like easier-to-use away message windows, profile windows, and more.

And of course, the newest feature: skinning. 
Skinning allows you to change the look of your AIM by letting you choose the theme of your sign-on screen, buddy list background, sign-on, sign-off, away symbols, and the popup notifications. Currently, there are five skinning themes available: XP, Beach, Everyone Loves Raymond, and Music. You can change your theme with the click of a button in your buddy list menu or on the AIM ½ site. 
To prove the effectiveness of AIM ½, I put it to a test. I downloaded the original aimres.dll for 5.5.3595. I timed how long it took for AIM to load up after I double clicked the AIM button. It took 10 seconds until it was fully ready for use on my COX High Speed connection. Then I downloaded AIM ½. It took (no joke) 2 ½ seconds. A little difference? That little difference also affects how long it will take for IM windows to load after you double click them, and everything you do on AIM and the internet while your instant messenger is open. 
AIM ½ is a FREE tool to help give your AIM what it was meant to have. There is NO spyware, adware, or 3rd party applications bundled with AIM ½. Guaranteed. Give your AIM a little more. Give it AIM ½. www.aimeasy.tk [http://www.aimeasy.tk]