Best Practices

Previous page
Table of content
Next page

This section presents some of the important methods for improving performance and avoiding a lockout situation. Following is the list of such some good practices:

  • If you are running PIX Version 6.3.4 or later, be sure to create a local user and configure a local user database as a fallback, just in case there is a communication problem between the PIX and AAA server.

  • When TACACS+ is configured with authorization for pass-through traffic, be sure not to enable accounting for all traffic. Otherwise, PIX will generate many accounting records for a single PIX Firewall.

  • When configuring cut-through proxy for HTTP(S), be sure not to set the absolute timeout to zero. This is because, for loading a single HTTP page, the browser might need to make multiple connections to the web server. If the absolute timeout is set to zero, for every request to load a single web page, you need to enter authentication information multiple times. For FTP and Telnet, this is not an issue.

  • If you have a backup RADIUS Server configured, configure dead-time for RADIUS to improve the performance.

  • If you have a web server that requires authentication in addition to cut-thru proxy authentication by the PIX firewall, always configure virtual Telnet and virtual HTTP on the PIX firewall. Additionally, virtual Telnet should be used when you need to authenticate/authorize the port that cannot be used as a service for authentication (HTTP/HTTPS/Telnet/FTP can be used as service). One such protocol is SMTP (TCP/25), so if you need SMTP authentication by the PIX firewall, you need to configure virtual Telnet.

  • Do not configure console authentication for PIX Device Manager (PDM) with a One-time Token card (for example, SDI), because when PDM starts up, it makes multiple connections to the PIX to get the configuration and other information, and for each HTTP/HTTPS connection to the PIX, the user is authenticated with the AAA server. Because the one-time password changes at certain time intervals, first one or two connections will successfully authenticate, but subsequent connection authentication will fail.


Previous page
Table of content
Next page
Cisco Network Security Troubleshooting Handbook
Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
EAN: 2147483647
Year: 2006
Pages: 190
Authors: Mynul Hoda
BUY ON AMAZON
OpenSSH: A Survival Guide for Secure Shell Handling (Version 1.0)
Inside Network Security Assessment: Guarding Your IT Infrastructure
Data Structures and Algorithms in Java
An Introduction to Design Patterns in C++ with Qt 4
Professional Struts Applications: Building Web Sites with Struts ObjectRelational Bridge, Lucene, and Velocity (Experts Voice)
HTI+ Home Technology Integrator & CEDIA Installer I All-In-One Exam Guide
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy