Firewall Wizards mailing list archives

Re: Another Newbie with questions


From: Woody Weaver <woody () wiltelnsi com>
Date: Wed, 11 Aug 1999 11:08:33 -0700

Warning: opinions without published reasoned argument follow.  (I'll defend
the concepts, if anyone wants to argue, but there isn't any point in boring
the list.)

At 02:39 PM 8/10/99 -0400, Michael Kelley wrote:

> Greetings,
>
> My company is going to have to open an internet connection soon in order
> to do business with a client.
> The decision has been made to use a PIX <sp?> firewall. I'm told these
> are some fairly stout devices and darned near impenetrable.

Dedicated operating system, very simple design.  Cisco behind development,
so don't take early rev code.  (IMHO, I really like 4.1.7, unless you need
multiple interfaces.)


> It's looking more and more like I will be the guy doing the
> maintenance of the Firewall/Security setup for our company. I don't
> have much experience, but I'm told that I am the most paranoid person in
> my department. <heh>

Paranoia is not the point.  Meticulous, careful to document, and someone
who reads and listens carefully and reacts carefully is probably much more
important.

I don't suppose I could get you to write up a security policy instead of
relying upon paranoia?


> I'm looking for is personal opinions regarding this device. I
> understand it has logging capabilities and is configurable (I'm told

It will do a syslog style approach, if you like that sort of thing.  Better
is to log out the console port, and have that attached to a comm port on a
dedicated machine.

> it's a bitch to configure). I've been doing my best to get up to speed

Actually, it's pretty easy to configure, in usual circumstances.  Its native
configuration is that of a diode: everything out, nothing in.  You program
exceptions, like your web server or mail server. YMMV.

I like the PIX a lot, particularly for environments where they have simple, 
straightforward needs, and are going to just drop something in a closet.  I've
got clients that have original NTI boxes, and they are still doing what they
need to do.  They make really good screening firewalls/NAT boxes.

[stuff deleted]

> I've already started putting the bug in the ears of the deciding
> authorities at the office about restricting internet access to only the
> places we have to go.

Sigh.  How do you address false positives? A guy I know at a check
truncation company had the following observation: "In the United States,
law enforcement focuses not on preventing crime but making sure that the
next day lots of guys with guns show up on your doorstep."  Far better than
URL filters is the sociological solution of publishing URLs visited.  This
is not a technological problem -- let the managers figure it out.

> I'm making a big deal out of describing how an unwitting user can bring
> down a virus by grabbing the latest whack-a-mole game. (We use Inoculan,
> so I'm not really that worried about viri on the network.)

IMHO, depending upon a virus scanner to defend against trojans is
demonstrably invalid -- see zipped_files.exe for example. The trojan spread
*widely* before antivirus companies could get the word out, and long before
perimeter scanners/desktop agents could be updated.  File integrity systems
and regular backups, with established data recovery mechanisms are your
best line of defense.

--woody
--
Robert Wooddell Weaver               email:  woody () wiltelnsi com
Network Engineer                     voice:  510.773.7420
Williams Communication Data Group    pager:  5107737420 () page nextel com
[metrocall has better reception]     pager:  =5107024334 () metrocall com
