Educause Security Discussion mailing list archives
Re: Cisco Pix Firewall Question
From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Fri, 6 Mar 2009 17:21:41 -0700
Daniel,

Here are my thoughts, reverting back to my former internal auditor hat.

The most important question/thought is the one you did not ask, and that is: what risk does this network represent? Is that risk acceptable? (We don't know if this is an isolated internal network or something Internet facing, for example.) The answer to your questions varies depending on the risk and your organization's declared policies and risk acceptance. So I'm answering assuming that industry norms are applicable and that there is likely something of a restricted, proprietary, or private nature within that network. (Industry norms would say that the network itself should be protected so as not to provide a platform for malfeasance; that's square one, but there are certainly many escalating risk scenarios to consider in answering your questions.)

1. I'm more concerned that it has someone capable to review the rule set, and that "capable" is defined, rather than specifying it is a "certified Firewall Tech." A standard for quality and performance (which includes security as a consideration) should exist and be overt and transparent. Measurement against that standard is simply good management.

2. If there is no Upgrade Service, are we to assume there is no upgrade/risk monitoring? Can the "service" be a well-constructed and controlled internal process? There are arguments against some service features in general (change control primarily) that might suggest a well-executed internal upgrade process is superior. The key here is that risks are monitored and timely mitigation is executed. If you can't attest to that, then you have a flag. Services usually help with the "timely" aspect, but there are exceptions.

3. There is very little argument these days regarding the basic Allow/Deny policy. Anything that does not start with Deny (least privilege) as the basis should have to justify itself, not the other way around. Others have commented on how to determine this for this platform, but lacking a clearly expressed reasoning for exceptions to "deny," I would always question an "allow any" stance.

4. IDS isn't necessary if "I" is acceptable! Assuming "I" isn't acceptable (it generally isn't), then IDS strength becomes a matter of risk and exposure. There are compensating controls and procedures that can mitigate the need for an IDS, but IDS seems to be a reasonable expectation these days. If it isn't, you have to question the value and contribution of the network in relation to institutional objectives to begin with. Preventative controls are always more desirable than detective controls, and a failure to provide either can easily be justified as irresponsible to the networked community at a minimum. (That includes all of us, by the way!)

So your questions leave me with many additional questions, but here are a couple of thoughts to ponder.

1. Does your institution have a policy or standard regarding risk assessment to begin with?
2. Do you have a data classification standard?
3. Are there security/custodial/stewardship responsibilities clearly stated in policy?
4. Is it clear what threats apply to the content within this network?

And so on... Evaluation of this department should be subject to these and other such things. If you lack institutional policy sufficient to define an overt and transparent answer, then you have bigger problems than this firewall. The only good way to proceed lacking that sort of institutional maturity is to pick an authoritative standard (NIST, ISO, etc.) and present the situation in light of that standard. That should provide a basis for discussing security needs and creating the standards whereby judging this firewall and its effectiveness becomes apparent.

It is entirely possible to isolate and control access and user behavior in such a way that none of these issues are really big concerns. Possible, but very, very unlikely!

Best regards,
Jim Dillon

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu
303-735-5682
-------------------Boulder------------------------

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Thursday, March 05, 2009 9:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cisco Pix Firewall Question

Hi All,

I have a department running a Novell 6.5 network protected by a Cisco Pix Firewall. The Department:

* Does not have a certified Firewall Tech to review the rule set
* Has not signed up for an Upgrade Service for the firewall
* Does not have a Deny Default on the firewall
* Has no IDS

My firewall knowledge is limited, but does anyone else see red flags here and, given the limited amount of information I've provided, do you have any recommendations for the department?

Many Thanks,

:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu
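The two rule-set points raised in this exchange (item 1, someone capable reviewing the rule set against an overt standard; item 3, anything not built on "deny" must justify itself) can be turned into a mechanical first-pass check. The following is an added example written for this archive page, not code from either poster or from Cisco: a small Python auditor that reads PIX-style `access-list` / `access-group` lines and flags ACLs that are never bound to an interface, ACLs that do not end in an explicit `deny ip any any`, `permit ip any any` entries, and permits that carry no preceding `remark` line. The configuration it runs on is constructed for illustration, and the convention that a `remark` line records the business justification for the permits that follow it is an assumption of this example, not a PIX feature.

```python
"""Audit PIX-style access-lists for the red flags discussed in the thread.

Added example (not from the mailing list or from Cisco).  Assumes the
review convention that an ``access-list NAME remark ...`` line states the
justification for the permit entries that follow it until the next remark.
"""
import re

# Constructed sample config.  ``inside_out`` is the weak case: it permits
# everything and carries no justification.  ``outside_in`` is the corrected
# form: justified, specific permits followed by an explicit deny.
SAMPLE_CONFIG = """\
access-list inside_out permit ip any any
access-group inside_out in interface inside
access-list outside_in remark public web server (constructed justification)
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in deny ip any any
access-group outside_in in interface outside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
REMARK_RE = re.compile(r"^access-list\s+(\S+)\s+remark\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def parse_config(text):
    """Return (acls, bindings).

    acls: ACL name -> list of entries {action, proto, rest, remark, line}
    bindings: ACL name -> list of (direction, interface) it is applied to
    """
    acls, bindings, current_remark = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = REMARK_RE.match(line)
        if m:
            current_remark[m.group(1)] = m.group(2)  # applies to later ACEs
            continue
        m = ACE_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append({
                "action": action, "proto": proto, "rest": rest,
                "remark": current_remark.get(name), "line": line,
            })
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls, bindings


def is_any_any(entry):
    """True when the source/destination part of the ACE is exactly 'any any'."""
    return entry["rest"].split() == ["any", "any"]


def audit(text):
    """Return a list of (acl_name, finding_code, detail) tuples."""
    acls, bindings = parse_config(text)
    findings = []
    for name, entries in acls.items():
        if name not in bindings:
            findings.append((name, "acl-not-applied",
                             "defined but not bound with access-group"))
        last = entries[-1]
        if not (last["action"] == "deny" and last["proto"] == "ip"
                and is_any_any(last)):
            findings.append((name, "no-explicit-deny",
                             "last entry is not 'deny ip any any': " + last["line"]))
        for e in entries:
            if e["action"] != "permit":
                continue
            if e["proto"] == "ip" and is_any_any(e):
                findings.append((name, "permit-any-any", e["line"]))
            if e["remark"] is None:
                findings.append((name, "unjustified-permit", e["line"]))
    return findings


if __name__ == "__main__":
    for acl, code, detail in audit(SAMPLE_CONFIG):
        print(f"{acl}: {code}: {detail}")
```

The `no-explicit-deny` finding is deliberately strict: a PIX already drops traffic that matches nothing in an applied access-list, so the explicit final deny changes nothing about what passes, but it makes the intended default overt in the rule set the reviewer reads, and the `unjustified-permit` finding is what forces each exception to "deny" to state its reason, which is the stance argued above.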