
Cisco remote-office security options

Nov 03, 2003 (3 min read)



By Ron Nutter

Network World Fusion, 11/03/03

We’re standardizing our switches, routers and firewalls on Cisco to make things easier to administer. We’re in the process of bringing up a remote office and we’re looking for the best way to do it. Some say using Access Control Lists (ACLs) and/or upgrading to the firewall version of IOS for the router would be the cheapest way to protect the remote office. Others think a Cisco PIX firewall is a more secure way to go. What would you suggest?

– Via the Internet

Having your router function as both a firewall and a router is a possibility, but it puts all your eggs in one basket. ACLs can help you control intrusions, but they are static, stateless packet filters and are not as flexible as a device built for that purpose. Going to the firewall feature set of IOS for the router is a better option than plain ACLs because it adds stateful inspection (Context-Based Access Control), so you can be more granular about which sessions are allowed back in rather than matching on addresses and ports alone.

The concern I have with using a single device is that if it fails, is misconfigured or is compromised, an outside intruder is now directly on your network with nothing else in the way.

By using two devices (a router and a firewall, or in your case, a PIX) to connect the office to the Internet, you add one more layer the intruder has to get through to reach your network, and a bug or misconfiguration in one device is less likely to be present in the other. Adding a PIX also makes it easier to set up a site-to-site VPN between the remote office and your main location, and lets your staff reach the distant office with Cisco’s VPN Client if they have to work on something while away from the main office.

Even on a router without the firewall feature set, ACLs can stop some of the noisiest traffic before it reaches the PIX, such as the scanning worms of the day (Nachi/Welchia and its ICMP echo sweeps and RPC probes) that otherwise tie up the link and the firewall.

You can also add entries that drop inbound packets whose source address falls in the three private ranges specified in RFC 1918, in address blocks reserved by the Internet Assigned Numbers Authority, or in your own address space (none of which can legitimately arrive from the Internet). This keeps someone from spoofing those addresses and causing your network to try to talk to a host that isn’t there. One caveat: a list of unallocated (bogon) blocks goes stale as IANA assigns new space, so review it periodically or you will eventually drop legitimate traffic. With the router handling this coarse filtering, the PIX is left to allow in only the traffic you want and to control what is allowed to go out.
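As an added example (not part of the original column, and not a Cisco-supplied template), here is what the anti-spoofing, worm-blocking and stateful-inspection pieces described above look like in Cisco IOS configuration. The interface name, the ACL and inspection-rule names, and the office’s own public block (203.0.113.0/24, a documentation range) are assumptions.

```cisco
! Hypothetical remote-office router. Interface name, ACL name, inspection
! rule name and the office's public block 203.0.113.0/24 are assumptions.
!
! Inbound filter on the Internet-facing interface. Order matters: the first
! matching entry wins, and a named ACL ends with an implicit "deny ip any any".
ip access-list extended OUTSIDE-IN
 remark --- anti-spoofing: our own addresses never arrive from the Internet
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark --- RFC 1918 private ranges cannot be valid Internet sources
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark --- other reserved sources: "this" network, loopback, link-local, multicast
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 remark --- worm noise: Windows RPC/SMB ports and the ICMP echo sweeps Welchia used
 deny   tcp any any eq 135 log
 deny   tcp any any eq 139 log
 deny   tcp any any eq 445 log
 deny   icmp any any echo log
 remark --- add explicit permits here for anything hosted behind this router
 remark --- (for example the PIX's VPN endpoint) before the final deny
 deny   ip any any log
!
! IOS Firewall feature set only: Context-Based Access Control (CBAC) watches
! sessions leaving through the outside interface and opens temporary holes in
! OUTSIDE-IN for their return traffic, which a static ACL cannot express.
! Without the feature set, change the final "deny ip any any log" above to
! "permit ip any any" and leave session policy to the PIX behind the router.
ip inspect name REMOTE-FW tcp
ip inspect name REMOTE-FW udp
!
interface Serial0/0
 description Internet uplink (assumed interface name)
 ip access-group OUTSIDE-IN in
 ip inspect REMOTE-FW out
```

The `log` keyword on the deny entries is what makes the router useful as a sensor as well as a filter: a sudden burst of matches on the TCP 135 or ICMP echo lines is an early sign of a scanning worm, while matches on the first entry mean someone is spoofing your own addresses at you.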

For remote offices, you can go with a smaller PIX than what you have at your main office and still have the same level of firewall protection at both ends.
