Educause Security Discussion mailing list archives

Re: Cisco Pix Firewall Question


From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Thu, 5 Mar 2009 11:37:41 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel,
        Your concerns are definitely valid, since there is a big difference
between the existence of a control and the effectiveness of a control.
Just having a firewall is not enough; it must be properly configured ;).
        One easy thing to try would be to go outside of the firewall and try
to connect to some internal services that should be blocked by the
firewall. If you can't get to them from outside of the firewall but you can
get to them from inside the firewall, that is at least a basic
validation that the firewall is doing something.
        Another easy thing to do would be to run your config through Nipper,
which does some basic analysis and best practices checks:

http://www.zimbio.com/Cisco+Systems+Inc./articles/562/How+Parse+Firewall+Configs+Nipper

-Adam

Sarazen, Daniel wrote:
Hi All,

I have a department running a Novell 6.5 network protected by a Cisco
Pix Firewall.

The Department:

*       Does not have a certified Firewall Tech to review the rule set
*       Has not signed up for an Upgrade Service for the firewall
*       Does not have a Deny Default on the firewall
*       Has no IDS

My firewall knowledge is limited, but does anyone else see red flags
here and, given the limited amount of information I've provided, do you
have any recommendations for the department?

Many Thanks,

:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
01545 : http://www.massachusetts.edu/

--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared
impossible before they were done." ~Louis D. Brandeis

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmwKgUACgkQT0QSLt7kiaATDgCfft81KFE2HuphULAc+rP3Wmf9
N70Ani67q/fvtcEGLsHcFMLqA2n8Q9Fl
=CrAP
-----END PGP SIGNATURE-----
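The "probe from outside, probe from inside, compare" check Adam describes is easy to make repeatable. The script below is an added illustration written for this archive page, not code from either correspondent or from Nipper. The policy table, the 192.0.2.x addresses and the port/service pairings are constructed placeholders; in practice you would run `observe()` once on a host inside the firewall, once on a host outside it, and then feed both result dicts to `compare_views()` together with what the rule set is supposed to permit. A service reachable from inside but not from outside is the firewall filtering as intended; one reachable from outside that the policy says should be blocked is the kind of finding an auditor would raise with whoever owns the rule set.

```python
"""Outside-vs-inside firewall validation (added example, not the list authors' code).

Probe the same internal services from an inside host and an outside host,
then compare both views with the intended policy.  Only services that the
inside host can reach tell us anything about the firewall; the rest are
reported as inconclusive rather than guessed at.
"""
import socket

# Constructed sample policy.  Addresses are RFC 5737 documentation space and
# the service/port pairings are illustrative only.
SAMPLE_POLICY = [
    {"host": "192.0.2.10", "port": 524, "name": "NCP",  "allowed_from_outside": False},
    {"host": "192.0.2.10", "port": 445, "name": "CIFS", "allowed_from_outside": False},
    {"host": "192.0.2.20", "port": 25,  "name": "SMTP", "allowed_from_outside": True},
]


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes, else False.
    A refused connection and a silently dropped SYN both count as 'not
    reachable'; the distinction does not matter for this check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def observe(policy, probe=tcp_probe):
    """Probe every policy entry once from the current vantage point.
    Returns {(host, port): reachable_bool}."""
    return {(e["host"], e["port"]): probe(e["host"], e["port"]) for e in policy}


def classify(entry, inside_reachable, outside_reachable):
    """Turn one service's two observations into a verdict."""
    if not inside_reachable:
        # If even the inside host cannot reach it, the outside result says
        # nothing about the firewall: the service may simply be down.
        return "inconclusive"
    if outside_reachable and not entry["allowed_from_outside"]:
        return "EXPOSED"
    if outside_reachable:
        return "permitted"
    if entry["allowed_from_outside"]:
        return "blocked-but-should-be-allowed"
    return "filtered"


def compare_views(policy, inside_obs, outside_obs):
    """Combine the inside and outside observation dicts into a per-service report."""
    report = []
    for entry in policy:
        key = (entry["host"], entry["port"])
        verdict = classify(entry, inside_obs.get(key, False), outside_obs.get(key, False))
        report.append({"service": entry["name"], "host": entry["host"],
                       "port": entry["port"], "verdict": verdict})
    return report


def exposures(report):
    """Names of services the policy says to block that were reachable from outside anyway."""
    return [r["service"] for r in report if r["verdict"] == "EXPOSED"]


if __name__ == "__main__":
    # Constructed observations so the script runs offline; replace with the
    # two saved observe() results from the real inside and outside hosts.
    inside = {("192.0.2.10", 524): True, ("192.0.2.10", 445): True, ("192.0.2.20", 25): True}
    outside = {("192.0.2.10", 524): False, ("192.0.2.10", 445): True, ("192.0.2.20", 25): True}
    report = compare_views(SAMPLE_POLICY, inside, outside)
    for row in report:
        print(f"{row['service']:5} {row['host']}:{row['port']:<4} {row['verdict']}")
    print("exposed:", exposures(report))
```

The probe deliberately treats "refused" and "timed out" alike: either way the firewall plus host did not let the connection complete, and the point of the exercise is the policy comparison, not fingerprinting. Keep the policy table in version control alongside the firewall config so the two can be reviewed together.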
