Firewall Wizards mailing list archives
Re: Pix rulebase/policy analysis
From: Michael Cox <michael () wanderingbark net>
Date: Thu, 20 Sep 2007 13:47:16 -0500
I'll try to help on a couple. Comments below.

Regards,
Michael

On Wednesday 19 September 2007 09:11, jacob c wrote:
I'm a newbie to the PIX line but these questions would apply to other firewalls as well. I have some questions that I hope you guys can assist me with. Two Questions:

1) What is the best/easiest way to document a current policy? Spreadsheet?? I would like to know what ports (services) are open and to where? Also duplicates, etc.? Would it be best just to put it in a spreadsheet? Is there a tool for this?

2) Once an audit/analysis has been made, what is a good way to make the new changes, if there are many? Would it be best just to download the config and modify it offline?

3) What is the method to see what rules are being hit the most so I can rearrange the rules in the most logical, efficient order?
What code are you running? Beginning with 7.0, iirc, access lists are always compiled. This means that they aren't searched sequentially but in more of a tree structure. Beginning with 6.2, this was an option that could be turned on. So, depending on your code, rule order in your config may or may not be an issue at all in terms of efficiency on the box.
4) Is there standard Analysis checklist to go by when reviewing a PIX firewall policy?
One place to start if you haven't seen it already is the Center for Internet Security. They have benchmarks for the entire config, not just the policy. Any given policy, of course, may vary widely from the next based on organizational needs, so it's hard to come up with a standard checklist that's detailed in terms of the policy. http://www.cisecurity.org/bench_cisco.html
Any help is highly appreciated. Thank you,
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
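Questions 1 and 3 in the thread (which ports are open to where, where the duplicates are, and which rules get hit most) can both be answered from the firewall's own "show access-list" output, which on PIX 7.x prints every access-control entry with its hit counter. The Python script below is an added example and is not code posted by anyone in this thread. It parses that output into a spreadsheet-ready CSV, flags entries whose match criteria repeat inside one ACL (the first matching entry wins, so the later copy never matches and its hitcnt stays at 0), lists entries with no hits, and orders entries by hit count. The sample output, ACL name, addresses and counters are constructed for illustration; object-group references are kept as opaque names and service groups are not expanded.

```python
"""Turn PIX/ASA 'show access-list' output into a rulebase spreadsheet.

Added example for this thread, not code posted by anyone in it. It assumes
the PIX 7.x / ASA 'show access-list' line format reproduced in SAMPLE below
(one ACE per line, ending in '(hitcnt=N) 0xHASH'); the ACL name, addresses
and counters in SAMPLE are constructed for illustration.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample output of 'show access-list' (PIX 7.x / ASA style).
SAMPLE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 6 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 remark Public web server
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq www (hitcnt=48213) 0x0a0b0c01
access-list outside_in line 3 extended permit tcp any host 192.0.2.10 eq https (hitcnt=9120) 0x0a0b0c02
access-list outside_in line 4 extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.20 eq 22 (hitcnt=77) 0x0a0b0c03
access-list outside_in line 5 extended permit tcp any host 192.0.2.10 eq www (hitcnt=0) 0x0a0b0c04
access-list outside_in line 6 extended permit udp any host 192.0.2.30 eq domain (hitcnt=3305) 0x0a0b0c05
access-list outside_in line 7 extended deny ip any any log (hitcnt=12) 0x0a0b0c06
"""

# One access-control entry. Remark lines, the per-ACL header line and the
# 'cached ACL log flows' banner carry no '(hitcnt=' and therefore never match.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?:extended |standard )?"
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*?) \(hitcnt=(?P<hits>\d+)\)"
)

FIELDS = ["acl", "line", "action", "proto", "src", "sport", "dst", "dport", "flags", "hits"]


def _take_addr(tokens):
    """Consume one address spec: any / host X / network mask / object-group G."""
    if not tokens:
        return "", tokens
    if tokens[0].startswith("any"):            # any, any4, any6
        return tokens[0], tokens[1:]
    if tokens[0] == "host" and len(tokens) > 1:
        return tokens[1], tokens[2:]
    if tokens[0] in ("object-group", "object") and len(tokens) > 1:
        return f"{tokens[0]} {tokens[1]}", tokens[2:]   # kept opaque, not expanded
    if len(tokens) > 1:                         # network followed by its mask
        return f"{tokens[0]}/{tokens[1]}", tokens[2:]
    return tokens[0], tokens[1:]


def _take_port(tokens):
    """Consume an optional port spec (eq/gt/lt/neq P or range A B); else nothing."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq") and len(tokens) > 1:
        return f"{tokens[0]} {tokens[1]}", tokens[2:]
    if tokens and tokens[0] == "range" and len(tokens) > 2:
        return f"range {tokens[1]}-{tokens[2]}", tokens[3:]
    return "", tokens


def parse_show_access_list(text):
    """Return one dict per ACE, in the order the firewall lists them."""
    rules = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        src, tokens = _take_addr(tokens)
        sport, tokens = _take_port(tokens)      # optional source port
        dst, tokens = _take_addr(tokens)
        dport, tokens = _take_port(tokens)      # optional destination port
        rules.append({
            "acl": m.group("acl"), "line": int(m.group("line")),
            "action": m.group("action"), "proto": m.group("proto"),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": " ".join(tokens),          # whatever is left, e.g. 'log'
            "hits": int(m.group("hits")),
        })
    return rules


def _match_key(r):
    return (r["acl"], r["action"], r["proto"], r["src"], r["sport"], r["dst"], r["dport"])


def find_duplicates(rules):
    """Entries whose match criteria repeat within one ACL, with their line numbers.
    The first matching entry wins, so the later copies can never be hit."""
    seen = defaultdict(list)
    for r in rules:
        seen[_match_key(r)].append(r["line"])
    return [(key, lines) for key, lines in seen.items() if len(lines) > 1]


def by_hits(rules):
    """Entries ordered by hit count, busiest first."""
    return sorted(rules, key=lambda r: r["hits"], reverse=True)


def unused(rules):
    """Entries with no hits since the counters were last reset."""
    return [r for r in rules if r["hits"] == 0]


def to_csv(rules):
    """Spreadsheet-ready CSV, one row per ACE."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rules)
    return buf.getvalue()


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE)
    print(to_csv(parsed))
    for key, lines in find_duplicates(parsed):
        print("duplicate entries at lines", lines, ":", " ".join(key[1:]))
    print("busiest:", [(r["line"], r["hits"]) for r in by_hits(parsed)[:3]])
    print("never hit:", [r["line"] for r in unused(parsed)])
```

To use it on a real box, capture "show access-list" from the firewall and pass the saved text to parse_show_access_list instead of SAMPLE. Read the counters with the caveat Michael gives above in mind: on 7.0 and later the access lists are compiled, so ordering busy rules first buys nothing in lookup speed; the value of the hit counts for an audit is in finding the entries that are shadowed or have not matched anything since the counters were last reset (by a reload or by clearing them), which are the candidates to question before rewriting the policy offline.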
Current thread:
- Pix rulebase/policy analysis jacob c (Sep 20)
- Re: Pix rulebase/policy analysis Brian Loe (Sep 21)
- Re: Pix rulebase/policy analysis Michael Cox (Sep 21)
- Re: Pix rulebase/policy analysis Richard Golodner (Sep 21)
- Re: Pix rulebase/policy analysis James (Sep 22)
- Re: Pix rulebase/policy analysis Richard Golodner (Sep 23)
- Re: Pix rulebase/policy analysis James (Sep 25)
- Re: Pix rulebase/policy analysis James (Sep 22)