Monday, March 27, 2006

Guide to Installing a Cisco PIX 501 Firewall

Setup, configuration, and additional resources for securing your PC

A firewall acts as a security guard, standing watch over data as it travels in and out of your network. Yet unlike a security guard, it doesn't rely on magic passwords or secret keystrokes to determine whether to accept or deny data. Instead, it refers to a set of rules in order to determine what is allowed to pass. While a properly configured firewall can keep unauthorized users out, an improperly configured one can halt both incoming and outgoing network traffic.

Both hardware and software firewalls are effective ways to safeguard your network, but we will focus here on setting up the Cisco PIX 501 firewall, available from TechSoup Stock.

This guide will explain what makes a PIX 501 firewall different, and describe its basic configuration. It also includes helpful Cisco links, a glossary, and resources for networking with other TechSoup users and consultants.

First Things First: What the Heck Is a Firewall?

A firewall is hardware or software that blocks communications forbidden by security policy in a networked environment. A firewall's packet-filtering rules permit or deny certain users sending or receiving certain types of traffic. Packet filters have no idea what kind of traffic is running over a port; they see only the ports and IP addresses that traffic is going to or coming from.

A special breed, the PIX firewall is more intelligent than your average packet filter. Its stateful inspection tracks the TCP state of Internet traffic and lets return traffic back in if the connection originated inside the network. Cisco's PIX also offers additional protocol-inspection options to make sure that incoming and outgoing protocol traffic is legitimate.

Basic Configuration

Before setting up your firewall, check to make sure that it came with the following:
  • A beige PC terminal adapter
  • A blue console cable
  • A yellow straight-through cable
  • An orange crossover cable
  • A power supply
  • A power cable
  • Documentation
  • Installation software
  • Your PIX firewall

First, connect the power cable and turn on your PIX. Once you see the LEDs light up, it's time to move on to configuration. While the PIX is similar in function to a home firewall, its configuration is a bit more involved. You can't just unwrap it, plug it in, and expect it to work.

Setup isn't very intuitive, so check your configuration against this Cisco documentation (PDF). (Go to Section 3, "Connect the Cables.")

Graphical Setup

There are two options for setup: console and graphical. If you want to go with a graphical setup, you'll find the PIX Device Manager -- an HTML configuration application -- bundled with PIX.

To get started with the graphical setup, point any Java-enabled browser at the firewall's internal IP address, https://172.16.0.1. (Be sure to use "https" instead of "http" or the connection will fail.)

After you've entered the address, the browser window will open and you'll see a gray box, which is the PDM start screen. Go to the System Properties tab, expand Logging in the tree view, and select Logging Setup. Check the Enable Logging box, then select Syslog in the tree view. If you've just installed PIX, you won't see a configured server in the list by default.

To add a server, hit the Add button and start entering data into the dialog that appears. Because your syslog server is typically located on your network, select Inside from the Interface dropdown list.

Move on to the Protocol section, where you'll find two radio buttons. Select UDP as the protocol. The next field is the port value: enter "514", which is both the default and the standard syslog port.

Once you've configured PIX's syslog settings, click OK to get back to the main screen. At this point, your changes have not yet been applied to the firewall. To apply them, hit Apply to PIX and wait. This may take a while, depending on your configuration.

You'll also need to write those settings to the firewall's flash memory by hitting the Save to Flash Needed button at the top of the screen. If you skip this step, PIX may not forward syslog messages, or may stop forwarding them after a reboot. Once everything has been saved, a dialog box reading "Configuration saved to flash memory" will appear.

You should now be receiving syslog messages on your configured syslog server. At this point, close PDM. (You can always return to it later if you need to make adjustments.)
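A quick way to confirm that step is to watch what actually arrives on the syslog server. The script below is an added example written for this guide; it is not part of the TechSoup article and not Cisco software. It is a minimal UDP syslog receiver and parser that accepts datagrams, decodes the BSD syslog priority prefix, pulls out the PIX message severity and ID, and collects the access-list deny events a defender reviews first. It assumes the `%PIX-<severity>-<id>:` message format and PIX's default syslog facility local4 (20); the sample datagrams, including their message IDs and addresses, are constructed for illustration, and the `receive()` port and bind address are parameters you choose.

```python
"""Minimal syslog receiver and parser for Cisco PIX messages (added example)."""
import re
import socket
from collections import Counter

# A PIX syslog datagram looks like:
#   <PRI>Mar 27 2006 10:15:01 pixfirewall %PIX-6-302013: Built outbound TCP ...
# PRI = facility * 8 + severity; the PIX default facility is local4 (20).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"          # RFC 3164 priority value
    r"(?P<prefix>.*?)"              # optional timestamp and hostname
    r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)

# Text of an access-list deny message; the layout is an assumption for this example.
DENY_RE = re.compile(r"Deny (?P<proto>\w+) src (?P<src>\S+) dst (?P<dst>\S+)")

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}


def parse_pix_syslog(datagram: str):
    """Return a dict for a well-formed PIX syslog line, or None if it is not one."""
    m = SYSLOG_RE.match(datagram.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                         # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, pri_severity = divmod(pri, 8)
    severity = int(m.group("sev"))
    event = {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "msgid": m.group("msgid"),
        "text": m.group("text"),
        # A mismatch here suggests the sender is not a PIX or the line was tampered with.
        "pri_matches_body": pri_severity == severity,
    }
    deny = DENY_RE.search(event["text"])
    if deny:
        event["deny"] = deny.groupdict()
    return event


def summarize(datagrams):
    """Count messages by severity and collect the deny events worth reviewing first."""
    by_severity = Counter()
    denies = []
    unparsed = 0
    for line in datagrams:
        ev = parse_pix_syslog(line)
        if ev is None:
            unparsed += 1
            continue
        by_severity[ev["severity_name"]] += 1
        if "deny" in ev:
            denies.append(ev["deny"])
    return {"by_severity": dict(by_severity), "denies": denies, "unparsed": unparsed}


def receive(port=514, bind="0.0.0.0", max_messages=10):
    """Listen for UDP syslog (port 514 needs root on Unix) and return parsed events."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while len(events) < max_messages:
            data, (src_ip, _) = sock.recvfrom(4096)
            ev = parse_pix_syslog(data.decode("utf-8", errors="replace"))
            if ev is not None:
                ev["sender"] = src_ip
                events.append(ev)
    return events


# Constructed sample datagrams in the PIX format (not captured from a real device).
SAMPLE_DATAGRAMS = [
    '<166>Mar 27 2006 10:15:01 pixfirewall %PIX-6-302013: Built outbound TCP connection 1234 '
    'for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.5/1045 (198.51.100.2/1045)',
    '<164>Mar 27 2006 10:15:03 pixfirewall %PIX-4-106023: Deny tcp src outside:203.0.113.7/4444 '
    'dst inside:10.0.0.5/23 by access-group "outside_in"',
    '<166>Mar 27 2006 10:15:04 pixfirewall %PIX-6-302014: Teardown TCP connection 1234 '
    'for outside:192.0.2.10/80 to inside:10.0.0.5/1045 duration 0:00:03 bytes 845 TCP FINs',
    'not a syslog line at all',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_DATAGRAMS))
```

When trying this against a live PIX, run `receive()` on the server you entered in PDM; if you cannot bind port 514 as an unprivileged user, pick another port with `receive(port=5514)` and set the same port value in the PDM Syslog dialog. The `pri_matches_body` flag and the `unparsed` count are the two things to check first: a stream of unparsed lines usually means a different device or a non-PIX format is talking to the server.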

Before changing anything, make sure you know what you're doing, as entering the wrong data or port can disrupt your network's traffic. Full documentation on configuring your PIX with the graphical installer can be found on MonitorWare.

Console Setup

Those who are more comfortable using the terminal can set up PIX using a terminal emulation program to talk to the PIX on its console port. (For instructions, check out TechSoup's article A Guide to Installing a Cisco PIX 501 Firewall: Advanced Setup.)

I Need Help!

Cisco provides excellent technical documentation, so if you're not quite sure where to start, visit one of these links for help:

Defining Network Terms

Sometimes computer terms can sound a bit like gibberish. Read our glossary of important terms you may come across as you configure your firewall.

Static NAT: Also known as "one-to-one" NAT. For every public IP, there is one private IP statically mapped to it. An organization that has exactly one public IP address for every computer could use this sort of scheme. By statically NAT-ting computers on a firewall, a network administrator can filter out certain types of inbound traffic.

Dynamic NAT: Also known as "many-to-many" NAT. Statically NAT-ting all of the IPs in your organization is not practical, as public IPs are not always easy to get. Instead, a range of public IP addresses is shared among many private IP addresses. If someone is only surfing the Web, there's absolutely no need for them to have their own dedicated public IP address.

Overloading: Also known as Port Address Translation (PAT), "NAT overloading," or "many-to-one" NAT. Overloading describes what we did in our basic configuration example. It is used when there is only one IP address to share with many people. The unique source port determines which internal (private) IP address gets the return traffic.

Overlapping: Used when your public IP addresses "overlap" with the public IP addresses of another network. The router translates the address in order to avoid a potential conflict with this other network.

Help from TechSoup's Forums

Don't forget to tap your TechSoup community as a resource to help you set up your firewall. If you run into problems or want to help others, drop by TechSoup's Networks or Virus Vaccination and Computer Security forums and let us know what did and didn’t work for you.

Before you post, please make sure that you strip out any important identifying information (such as your public IP address). Post your configuration and a general description of your network layout and what you’re trying to accomplish and one of our moderators or forum members will do their best to point you in the right direction.

Finally, remember: While installing a hardware firewall is one of the best things you can do to secure your network from the outside, security should by no means end there. Firewalls alone cannot fully protect you from Internet threats, vengeful employees, a lack of password protection, spyware, or even viruses. Be sure to take precautions to safeguard your network from these threats, too.

Monday, March 13, 2006

USA: CompTIA says "pool of talent" in RFID technology

According to a new survey by the Computing Technology Industry Association (CompTIA), the deployment of Radio Frequency Identification (RFID) technology continues to be hampered by a shortage of individuals skilled in the technology.

The survey results were released in conjunction with the RFID World 2006 conference.

Seventy-five percent of the technology companies participating in the CompTIA survey said they do not believe there is a sufficient “pool of talent” in RFID technology to hire from. That figure is down slightly from a similar survey conducted in 2005, when 80 percent of respondents said there was a shortage of RFID talent.

Among companies that believe there is a talent shortage, 80 percent said the lack of individuals skilled in RFID will impact adoption of the technology. The figure is significantly higher than a year ago, when 53 percent of responding companies said the shortage of talent would have a negative impact on RFID adoption.

“RFID is a complex and still evolving technology, and expertise is absolutely required for its usage to be a success,” said David Sommer, vice president, electronic commerce, CompTIA. “The skill sets and ‘need-to-knows’ related to RFID are many and varied. Clearly there is work to be done in our industry in terms of RFID education, training and professional certification.”

Sommer presented the findings of the CompTIA RFID skills survey in a presentation at RFID World 2006.

Global IT trade association CompTIA initiatives extend to areas such as convergence technologies, electronic commerce, information security, IT services, public policy, skills development, and software.

Friday, March 10, 2006

Microsoft's Google Killer? First Glance at Search Engine Beta

I tried out Microsoft's new search engine "Windows Live Search," aka www.live.com and it's a good thing they've labelled it a beta.

Touted by some as Microsoft's "Google killer," the new search engine was up and down for quite some time last night. I think I caught the developers uploading the UI because there were some really ugly versions before things started to settle down...

While the site was working, before it got overwhelmed with traffic (probably because the Drudge Report and other sites were flogging it) I did get a glimpse of the interface and had a chance to test some of the site out.

First impression: Big improvement over MSN Search. Google killer? No, not yet. But not bad either.

Beta Check

The "live.com" default interface is extremely simple (hmmm, wonder who thought of that idea?). It's after you've begun your search that the fun begins.

When a search returns results, the page mutates and, besides the classic search text entry box (and of course, your results), a series of tabs appear that allow for more custom searching and feed harvesting.

Nothing exotic, these tabs include "web", "news", "images", "local", and "feeds."

The "web" results are very Google-like, and display returns in the now classic style: head, deck and URL. You can customise how much of this information you want with a handy little control on the right side of the interface. You can, for example, use the control (in the pop up image here you'll see it on the right side) Routine search returns were not stunningly better (or worse) than Google. In fact, in my very early tests, the results from both sites were pretty close.

The strongest part of the tool, at least in my early look, is image search. I've never been totally thrilled with Google's image search tool, which requires more work than I like before I can get to the actual picture.

There are just about as many steps involved in getting to the picture in the "Windows Live" image search tool, but it feels friendlier. First, you get a bunch of thumbnails (like Google) but I liked the jazzy way the thumbnails "pop" open and give you a bit more info when you mouse over them in Windows Live Search. Click an image and the UI changes again to include the page where it originally appeared.

Your original search results thumbnails are still visible, but re-located to the left side of the page. You can grab the original picture, sans web page, with the "show image" link at the top of the frame.

I found the "local" tab somewhat amusing when I typed in the word "Audio". Not knowing what to expect, I got a U.S. map and business address matches that were heavily concentrated in South Dakota. I know not why. Since I won't be shopping in Sioux Falls this week, I added an address to the search term and things improved a bit.

The feeds tab worked well. After signing in to my Microsoft Passport account, I was easily able to add a few new feeds to "My Stuff". It was a little hard figuring out how to get back to "My Stuff" after grabbing the feed (clicking the "add to live.com" with the green cross will do it, but it's not exactly obvious), but I did like the clean display in the My Stuff area.

The site went down last night, so I couldn't try out more of its features, but it shows some promise...but then almost anything is going to be an improvement over MSN search...

We'll have a lot more on this site in the coming days, but do tell us your first impressions...Here's a pretty good backgrounder on the beta.

UPDATE: They've crudded up the live.com with promo material, news crawls, and announcements. Bleh.

Wednesday, March 08, 2006

Cisco adopts IP telephony standard

Cisco Systems plans to finally adopt a key Internet Protocol telephony standard, allowing the addition of new network-service features and enabling companies such as Microsoft to integrate their communications products with Cisco gear.

On Monday, at the VoiceCon 2006 conference in Orlando, Fla., Cisco said it will add support for session initiation protocol, or SIP, to its IP PBX software. The new version of the product, CallManager 5.0, will include SIP capabilities for Cisco IP phones, presence-awareness software and multimedia communications software.

SIP is used to establish contact between IP phones and to add special features--such as presence awareness, video or mobility capabilities--onto a voice over Internet Protocol (VoIP) network. The standard also makes it possible for companies deploying VoIP to mix and match the products they use, significantly lowering the cost of deploying a VoIP network.

Cisco had been the only major supplier in the market not to support SIP in its IP PBX software. Cisco sees the addition of SIP as an important step in being able to provide customers more features.

"IP telephony isn't just about toll bypass anymore," said Barry O'Sullivan, vice president of IP communications for Cisco. "It's about improving productivity and allowing people to do their jobs more effectively. And people need to be able to communicate and collaborate through the means that suits them best."

CallManager 5.0 should work with any SIP-based phone, but Cisco said specifically it plans to support a "softphone" (or PC-based phone) client for Research In Motion's BlackBerry handheld as well as Nokia's new dual-mode phones.

In addition to the upgraded CallManager, Cisco announced other new products including the Unified Presence Server, which collects status and availability data from users' devices and feeds it to Cisco applications, and the Unified Personal Communicator, which allows users to see on their PCs or IP phones who is online.

As part of the announcement this week, Cisco said it is working with Microsoft to integrate its Office Communicator 2005 and Office Live Communications with Cisco's Unified Communications System. The integration means that users can launch a VoIP conversation directly from their Microsoft Outlook client. The interoperable package should be available in August 2006, the companies said.

Monday, March 06, 2006

Google Leaks Details of Unlimited Storage

According to a Google presentation, the company is optimistic about unlimited storage capacities

Ever since Google released its highly acclaimed GMail service, many users have found interesting ways to make the most of the available space provided by Google. While other free email services battle over megabytes of free space, Google currently leads all other services by the gigabytes. Using third-party utilities, it is possible to map your GMail account as a pseudo-drive in Windows and use the account as a drag-and-drop file system. With these tools, some users have even sent themselves invites to chain together accounts for an effectively unlimited amount of network storage space.

According to reports, however, sometime in the near future this activity may no longer be limited to third-party utilities. On Google's analyst day, a document presented contained information about a possible service called GDrive. The details in the presentation indicate that Google's long-term goal is to provide a service that gives users unlimited amounts of storage space so that any type of file can be uploaded and stored. The presentation even indicates the service may be built to allow users access to their files from any device and any location. The Google presentation, before it was edited and removed by Google, read (emphasis ours):

Theme 2: Store 100% of User Data
With infinite storage, we can house all user files, including: emails, web history, pictures, bookmarks, etc and make it accessible from anywhere (any device, any platform, etc). We already have efforts in this direction in terms of GDrive, GDS, Lighthouse, but all of them face bandwidth and storage constraints today.

Naturally, privacy concerns are rising with regards to Google's goals of collecting information. In the presentation, Google even indicates that it plans to collect "all" of the world's information, not just some of it. In this regard, it could be possible for Google to provide high-level services for government bodies that wish to collect information in a manner that would otherwise be too difficult without Google's search spiders.

There is no information on whether Google also plans to offer these types of storage services as fee-based subscriptions, though Garett Rogers from ZDNet hypothesizes:

In some screenshots of Gmail for domains, it appears there are different "account plans" that I assume provide additional email addresses. Could a similar system work for online storage? For example, 1GB free and pay $5 for each additional.