Security Basics mailing list archives

Re: Cisco ASA interface security levels and the state table


From: aaa () bbbb com
Date: Mon, 1 Jun 2009 19:11:55 -0600

Tell us about the "best practices" you mentioned so we know what arguments you've already used.

They are still in "taco defense" mode, hard shell (at edge of network) and soft inside.  Well, if they can absolutely 
guarantee that ONLY stub networks connect to the backbone maybe they are "not wrong" (not necessarily right, just not 
completely wrong).  But the chances of that being "written guarantee, send me to jail" true are slim these days.  Just 
one laptop with wireless active could open up the whole backbone and therefore the whole company.

One of the points I would make is that no matter how good the perimeter is, these days it is a good idea to separate 
segments of the internal network, treating them the same as external perimeters.

Here are some links that you might find relevant:
10 (+1) ways your network is like your front door - http://blogs.techrepublic.com.com/security/?p=274

http://downloads.techrepublic.com.com/abstract.aspx?kw=10+ways+to+secure+borderless+networks&docid=321355 - 10 ways to 
secure borderless networks

http://www.clearswift.com/knowledge-and-insight/resources/white-papers/15-common-mistakes-in-email-security - you might 
find 1 or 2 points here

http://www.webbuyersguide.com/resource/resourceDetails.aspx?id=1864&sitename=webbuyersguide&kc=contmod&src=contmod - 
Best practices for Enterprise network security, Vernier Networks.  I think you will find some useful points in here.

http://cc.realtimepublishers.com/DGSIP.php - Definitive guide to security inside the perimeter.  213 pages.  Bound to 
be something in here you can use.  Check out other offerings on the site, LOTS of great content.

http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1093527,00.html - Firewall Learning Guide.  Lots of 
links for you to investigate there.  Check out the rest of the site too.

http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci1193570,00.html - Information Security Learning 
guides.  You have to register here, but there is also lots of content you would find useful.

www.opengroup.org/jericho/presentations/fall2007/blum.pdf - rethinking security architecture in light of 
de-perimeterization

http://www.opengroup.org/jericho/presentations.htm - Jericho Forum - their discussions of "de-perimeterization" should 
have useful points for you

HTH
Ron
