Educause Security Discussion mailing list archives

Re: Cisco Pix Firewall Question


From: David Gillett <gillettdavid () FHDA EDU>
Date: Thu, 5 Mar 2009 09:35:51 -0800


2.       With Cisco, I believe you are talking about the Smart-Net service.
That would be an issue if the firewall fails and they cannot get support
from TAC.  If they have standby spares, this may not be an issue.  If they
also have multiple firewalls in Active/Standby configuration, they may have
designed for failover in another way.

  Just the one firewall, which they turned on after they learned I'd be
visiting.

  In the classic version of "We have a firewall, so we're secure!", it's
still in its box, neither plugged in nor turned on....


  A firewall needs two things on an ongoing basis:

1.  Keeping the configuration up-to-date with changes to network topology,
content and policies.  This might not require a "certified tech", but it
needs to be part of the job description of a staffed position.

2.  Review of firewall logs to verify that legitimate traffic isn't being
blocked and that illegitimate traffic isn't getting through.  In some
organizations, this may be how the person responsible for #1 learns of
network changes, but it can also serve as an audit of their work and so
other organizations may prefer to separate these duties.  Again, *someone*
needs to be doing it.

David Gillett, CISSP
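The log review in point #2 of the message above can be turned into a repeatable check. The following is an added example (not part of the original thread or of any Cisco tooling) that compares PIX-style syslog lines against a written statement of which inbound flows are expected: a deny that matches an expected flow means legitimate traffic is being blocked, and a built connection that matches no expected flow means the policy is letting something through that nobody signed off on. The log lines, the EXPECTED_INBOUND policy and the addresses are all constructed for the example; the message formats are modeled on the PIX 106023 (deny by access-group) and 302013 (built TCP connection) syslog messages.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines modeled on the Cisco PIX message formats.
# These are not from the original message; addresses are documentation ranges.
SAMPLE_LOGS = """\
Mar  5 09:01:12 fw %PIX-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.1.1.10/443 by access-group "outside_in"
Mar  5 09:01:14 fw %PIX-4-106023: Deny tcp src outside:203.0.113.9/40001 dst inside:10.1.1.10/22 by access-group "outside_in"
Mar  5 09:01:15 fw %PIX-4-106023: Deny tcp src outside:203.0.113.9/40002 dst inside:10.1.1.11/22 by access-group "outside_in"
Mar  5 09:01:20 fw %PIX-6-302013: Built inbound TCP connection 1001 for outside:192.0.2.5/33000 (192.0.2.5/33000) to inside:10.1.1.10/443 (10.1.1.10/443)
Mar  5 09:01:25 fw %PIX-6-302013: Built inbound TCP connection 1002 for outside:192.0.2.6/33001 (192.0.2.6/33001) to inside:10.1.1.12/3389 (10.1.1.12/3389)
"""

# Constructed policy: which (inside host, port) pairs may be reached from the
# outside, and from which source networks. This is the document the person in
# charge of the configuration (point #1) should be maintaining.
EXPECTED_INBOUND = {
    ("10.1.1.10", 443): [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/24")],
}

DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)"
)
BUILT_RE = re.compile(
    r"%PIX-\d-302013: Built inbound TCP connection \d+ "
    r"for \w+:([\d.]+)/(\d+) \([^)]*\) to \w+:([\d.]+)/(\d+)"
)


def is_expected(src_ip, dst_ip, dst_port):
    """True if the policy says src_ip may reach dst_ip:dst_port from outside."""
    networks = EXPECTED_INBOUND.get((dst_ip, dst_port), [])
    return any(ip_address(src_ip) in net for net in networks)


def review_logs(text, expected=None):
    """Split the log into the two findings the reviewer is looking for.

    Returns a dict with:
      blocked_legit      - denies that match an expected flow (rule is too tight)
      allowed_unexpected - built inbound connections outside the policy (rule is too loose)
      deny_counts        - Counter of (src_ip, dst_port) for every deny, for triage
    """
    global EXPECTED_INBOUND
    if expected is not None:
        EXPECTED_INBOUND = expected
    blocked_legit, allowed_unexpected = [], []
    deny_counts = Counter()
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            proto, src, _sport, dst, dport = m.groups()
            dport = int(dport)
            deny_counts[(src, dport)] += 1
            if is_expected(src, dst, dport):
                blocked_legit.append({"proto": proto, "src": src, "dst": dst, "dst_port": dport})
            continue
        m = BUILT_RE.search(line)
        if m:
            src, _sport, dst, dport = m.groups()
            dport = int(dport)
            if not is_expected(src, dst, dport):
                allowed_unexpected.append({"src": src, "dst": dst, "dst_port": dport})
    return {
        "blocked_legit": blocked_legit,
        "allowed_unexpected": allowed_unexpected,
        "deny_counts": deny_counts,
    }


if __name__ == "__main__":
    report = review_logs(SAMPLE_LOGS)
    for item in report["blocked_legit"]:
        print("BLOCKED but expected:", item)
    for item in report["allowed_unexpected"]:
        print("ALLOWED but not in policy:", item)
    for (src, port), n in report["deny_counts"].most_common():
        print(f"{n} denies from {src} to port {port}")
```

Run against the sample, the script reports one blocked partner connection to the web server (a candidate for a rule fix), one inbound RDP session that the policy never authorized (a candidate for an investigation), and a per-source tally of the remaining denies so the noise can be ranked rather than read line by line. Because the findings come out as returned data rather than a printed summary, the same function can feed a scheduled report, which is what "someone needs to be doing it" looks like in practice.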
