Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: <lordchariot () embarqmail com>
Date: Thu, 29 Nov 2007 12:06:34 -0500

I think this came out yesterday. Amongst other recommendations are these
snippets.

SANS Top-20 2007 Security Risks (2007 Annual Update)
   http://www.sans.org/top20/

<...snip...>
Z1.4. How to Protect against the vulnerabilities

Protecting against zero day vulnerability exploitation is a matter of great
concern for most system administrators. To reduce the impact of a zero day
attack, follow best business practices such as:

* Adopt a deny-all stance on firewalls and perimeter devices that protect
internal networks 
* Separate public-facing servers from internal systems
<...snip...>


Sigh. Do you think anyone will start listening yet?


Patrick M. Hausen wrote:
E.g. does PIX still have these implied rules that say: if I
configure port X from here to there, this automatically implies
the same access to all interfaces with a lower security level than
'there'? This is the case in 6.x - now, whoever at Cisco came
up with this concept should be shot.

I have not looked at 7.x or ASA, yet.

Patrick, I've been wondering the same thing. I have customers with ASA and
they still seem to have an allow-all default (judging from the number of
them I've run across that are actively botted.)
I would like to confirm if the ASA still has the default allow-all outbound
policy.
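As an added example (not from this thread and not Cisco's own text), this is what the SANS "deny-all stance" looks like on an ASA next to the implied allow-all outbound it replaces. It assumes the documented ASA default that traffic from a higher security-level interface to a lower one is permitted when no access-group is bound to the interface; the interface names, addresses and object-group names are made up.

```cisco
! Added example, not from the list: explicit egress policy on an ASA.
! Assumption: with no access-group on "inside", the ASA permits all traffic
! from inside (security-level 100) to outside (security-level 0).
! Addresses and names below are constructed for illustration.

! --- Weak: the implied allow-all outbound the thread complains about ---
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
! No access-group on "inside": every internal host can reach any port anywhere.

! --- Hardened: deny-all stance, only the required egress permitted ---
object-group network INSIDE_NETS
 network-object 10.1.1.0 255.255.255.0
object-group network EXT_DNS
 network-object host 198.51.100.53
! Web traffic from the internal network only
access-list INSIDE_OUT extended permit tcp object-group INSIDE_NETS any eq 80
access-list INSIDE_OUT extended permit tcp object-group INSIDE_NETS any eq 443
! DNS only to the sanctioned external resolver
access-list INSIDE_OUT extended permit udp object-group INSIDE_NETS object-group EXT_DNS eq 53
! Everything else leaving "inside" is dropped and logged, so a botted host
! beaconing on an unexpected port shows up in syslog instead of getting out.
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
```

Rules are evaluated top down, so new permits go above the final deny; the explicit logged deny exists for visibility, since the implicit deny at the end of a bound ACL does not log by default.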


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
