Friday, July 3, 2009

NIpper : PIX, IOS, Juniper Firewall audit

Tool : Nipper

My Notes

\\\\\\\\\\\\\\\\\\\\\\\\CISCO IOS\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

ip access-list standard access-list-number
remark description
permit ip-address wildcard [log]

access-class access-list-number in

ip access-group ACL [in | out]

Different of access group and access class

Example ( from internet):

"A good example is that one would apply an acl to an interface using access-group...
router(config)#access-list 101 deny tcp any eq http
router(config)#access-list 101 permit ip any any
router(config)#int fa0/1
router(config)#ip access-group 101 in
When applying an acl to a virtual line, like for telnet, one would apply it using access-class
router(config)#access-list 10 deny host
router(config)#access-list 10 permit any
router(config)#line vty 0 4
router(config-line)#access-class 10 in

\\\\\\\\\\\\\\\\\\\\\\\\ PIX \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

1. We generally put a global command on each lower security interface we want our internal users to have access to,

2. we put nat commands on the higher security interfaces, allowing users to start connections to lower security level interfaces with global commands on them.

3. If you've used NAT before, you'll recognize that servers on the inside that need to be connected to from the outside will need static mappings. The static command creates a permanent mapping (called a static translation slot or "xlate") between a local IP address and a global IP address. Use the static and access-list commands when you are accessing an interface of a higher security level from an interface of a lower security level. When NAT exists between two interfaces the command takes the form of "static (high,low) low high" . Without address translation, the format of the static command becomes different: "static (high,low) high high".

PIX1(config)# nat (inside) 1 // is subnet
PIX1(config)# global (outside) 1

\\\\\\\\\\\\\\\\\\\\\\\\\ Juniper firewall \\\\\\\\\\\\\\\\\\\\

set admin auth server "Local" //what this mean?

No comments:

Post a Comment