Educause Security Discussion mailing list archives
Re: Cisco Pix Firewall Question
From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Thu, 5 Mar 2009 11:37:41 -0800
Daniel,

Your concerns are definitely valid, since there is a big difference between the existence of a control and the effectiveness of a control. Just having a firewall is not enough; it must be properly configured ;).

One easy thing to try would be to go outside of the firewall and try to connect to some internal services that should be blocked by the firewall. If you can't get to them from outside of the firewall but you can get to them from inside the firewall, that is at least a basic validation that the firewall is doing something.

Another easy thing to do would be to run your config through Nipper, which does some basic analysis and best-practices checks: http://www.zimbio.com/Cisco+Systems+Inc./articles/562/How+Parse+Firewall+Configs+Nipper

-Adam

Sarazen, Daniel wrote:
> Hi All,
>
> I have a department running a Novell 6.5 network protected by a Cisco Pix Firewall. The Department:
>
> * Does not have a certified Firewall Tech to review the rule set
> * Has not signed up for an Upgrade Service for the firewall
> * Does not have a Deny Default on the firewall
> * Has no IDS
>
> My firewall knowledge is limited, but does anyone else see red flags here and, given the limited amount of information I've provided, do you have any recommendations for the department?
>
> Many Thanks,
>
> :: Daniel Sarazen, Information Technology Auditor
> :: University Internal Audit
> :: University of Massachusetts President's Office
> :: 508-856-2443
> :: 781-724-3377 Cell
> :: 508-856-8824 Fax
> :: Dsarazen () umassp edu
> University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu
--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis
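The inside/outside connectivity check described in the reply above, written out as an added example (this is not code from the thread or from any of its participants): a small Python script that probes a list of internal (host, port) pairs with plain TCP connects, and a comparison routine that takes one reachability map taken from inside the firewall and one taken from outside, plus an explicit list of services that are supposed to be reachable from outside. Anything reachable from outside that is not on that list is exactly the symptom of a rule set without a default deny. The host addresses, the allow list, and the "outside" result map in demo() are constructed assumptions for illustration; only the local 127.0.0.1 listener is actually probed.

```python
"""Validate that a firewall blocks internal services from the outside.

Run probe_all() once from a host outside the firewall and once from a host
inside it, then feed both result maps to firewall_findings(). Everything here
is an added example; hosts, ports and the allow list are assumptions.
"""
import json
import socket
from typing import Dict, Iterable, List, Tuple

Service = Tuple[str, int]  # (host, tcp port)


def probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a full TCP handshake to host:port completes within timeout.

    Refused, silently dropped (timed out) and unreachable all count as
    'blocked' from this vantage point; the distinction does not matter for
    the basic validation the thread describes.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_all(services: Iterable[Service], timeout: float = 2.0) -> Dict[Service, bool]:
    """Probe every (host, port) pair and return a reachability map."""
    return {(h, p): probe(h, p, timeout) for h, p in services}


def firewall_findings(inside: Dict[Service, bool],
                      outside: Dict[Service, bool],
                      allowed_from_outside: Iterable[Service]) -> Dict[str, List[Service]]:
    """Classify each service using the inside and outside reachability maps.

    exposed             reachable from outside but NOT on the allow list:
                        the rule set (or the missing default deny) lets it through
    blocked             reachable inside, blocked outside, not on the allow list:
                        the firewall is demonstrably doing something
    allowed             on the allow list and reachable from outside, as intended
    allowed_but_blocked on the allow list yet unreachable from outside
    down                unreachable from both sides; the probe proves nothing
    """
    allowed = set(allowed_from_outside)
    findings: Dict[str, List[Service]] = {
        k: [] for k in ("exposed", "blocked", "allowed", "allowed_but_blocked", "down")
    }
    for svc in sorted(set(inside) | set(outside)):
        in_ok = inside.get(svc, False)
        out_ok = outside.get(svc, False)
        if out_ok and svc in allowed:
            findings["allowed"].append(svc)
        elif out_ok:
            findings["exposed"].append(svc)
        elif not in_ok:
            findings["down"].append(svc)
        elif svc in allowed:
            findings["allowed_but_blocked"].append(svc)
        else:
            findings["blocked"].append(svc)
    return findings


def demo() -> Dict[str, List[Service]]:
    """Self-contained run against constructed local fixtures; no network needed.

    A throwaway listener on 127.0.0.1 stands in for an internal service that
    should be blocked, and a second, closed port stands in for a service that
    is down. The 'outside' map is constructed as if the probe had been run
    from beyond the firewall and the firewall had let the listener through.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)                       # kernel completes handshakes without accept()
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                         # nothing listens here now -> refused
    services = [("127.0.0.1", open_port), ("127.0.0.1", closed_port)]
    inside = probe_all(services, timeout=1.0)   # real probes: open -> True, closed -> False
    outside = {("127.0.0.1", open_port): True,  # constructed: firewall did not block it
               ("127.0.0.1", closed_port): False}
    srv.close()
    return firewall_findings(inside, outside, allowed_from_outside=[])


if __name__ == "__main__":
    # In practice: dump probe_all(...) to JSON on each vantage point, then compare.
    print(json.dumps({k: [list(s) for s in v] for k, v in demo().items()}, indent=2))
```

To use it for real, put the department's internal hosts and the ports of the services that matter (file sharing, management interfaces, database listeners) in the services list, run probe_all on a machine inside the firewall and again on one outside, and keep the allow list to exactly what the rule set is supposed to permit inbound; any entry under "exposed" is a finding to raise, and an empty "blocked" list means the probe never demonstrated the firewall doing anything at all.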