Firewall Wizards mailing list archives
Re: Another Newbie with questions
From: Woody Weaver <woody () wiltelnsi com>
Date: Wed, 11 Aug 1999 11:08:33 -0700
Warning: opinions without published reasoned argument follow. (I'll defend the concepts, if anyone wants to argue, but there isn't any point in boring the list.)

At 02:39 PM 8/10/99 -0400, Michael Kelley wrote:
> Greetings, My company is going to have to open an internet connection soon in order to do business with a client. The decision has been made to use a PIX <sp?> firewall. I'm told these are some fairly stout devices and darned near impenetrable.
Dedicated operating system, very simple design. Cisco behind development, so don't take early rev code. (IMHO, I really like 4.1.7, unless you need multiple interfaces.)
> It's looking more and more like I will be the guy doing the maintenance of the Firewall/Security setup for our company. I don't have much experience, but I'm told that I am the most paranoid person in my department. <heh>
Paranoia is not the point. Meticulous, careful to document, and someone who reads and listens carefully and reacts carefully is probably much more important. I don't suppose I could get you to write up a security policy instead of relying upon paranoia?
> What I'm looking for is personal opinions regarding this device. I understand it has logging capabilities and is configurable (I'm told
It will do a syslog style approach, if you like that sort of thing. Better is to log out the console port, and have that attached to a comm port on a dedicated machine.
> it's a bitch to configure). I've been doing my best to get up to speed
Actually, it's pretty easy to configure, in usual circumstances. Its native configuration is that of a diode: everything out, nothing in. You program exceptions, like your web server or mail server. YMMV. I like the PIX a lot, particularly for environments where they have simple, straightforward needs, and are going to just drop something in a closet. I've got clients that have original NTI boxes, and they are still doing what they need to do. They make really good screening firewalls/NAT boxes.

[stuff deleted]
> I've already started putting the bug in the ears of the deciding authorities at the office about restricting internet access to only the places we have to go.
Sigh. How do you address false positives? A guy I know at a check truncation company had the following observation: "In the United States, law enforcement focuses not on preventing crime but making sure that the next day lots of guys with guns show up on your doorstep." Far better than URL filters is the sociological solution of publishing URLs visited. This is not a technological problem -- let the managers figure it out.
> I'm making a big deal out of describing how an unwitting user can bring down a virus by grabbing the latest whack-a-mole game. (We use Inoculan, so I'm not really that worried about viri on the network.)
IMHO, depending upon a virus scanner to defend against trojans is demonstrably invalid -- see zipped_files.exe for example. The trojan spread *widely* before antivirus companies could get the word out, and long before perimeter scanners/desktop agents could be updated. File integrity systems and regular backups, with established data recovery mechanisms are your best line of defense.

--woody

--
Robert Wooddell Weaver         email: woody () wiltelnsi com
Network Engineer               voice: 510.773.7420
Williams Communication Data Group
pager: 5107737420 () page nextel com [metrocall has better reception]
pager: =5107024334 () metrocall com