Firewall Wizards mailing list archives

Re: Pix rulebase/policy analysis


From: Michael Cox <michael () wanderingbark net>
Date: Thu, 20 Sep 2007 13:47:16 -0500

I'll try to help on a couple. Comments below.

Regards,
Michael

On Wednesday 19 September 2007 09:11, jacob c wrote:
I'm a newbie to the PIX line but these questions would apply to other
firewalls as well. I have some questions that I hope you guys can
assist me with.

  Two Questions:
  1) What is the best/easiest way to document a current policy?
Spreadsheet?? I would like to know what ports (services) are open and
to where? Also duplicates, etc.? Would it be best just to put it in a
spreadsheet? Is there a tool for this?
  2) Once an audit/analysis has been made, what is a good way to make
the new changes, if there are many? Would it be best just to download
the config and modify it offline?
  3) What is the method to see what rules are being hit the most so I
can rearrange the rules in the most logical, efficient order?

What code are you running? Beginning with 7.0, iirc, access lists are 
always compiled. This means that they aren't searched sequentially but 
in more of a tree structure. Beginning with 6.2, this was an option 
that could be turned on. So, depending on your code, rule order in your 
config may or may not be an issue at all in terms of efficiency on the 
box.

  4) Is there a standard analysis checklist to go by when reviewing a
PIX firewall policy?

One place to start if you haven't seen it already is the Center for 
Internet Security. They have benchmarks for the entire config, not just 
the policy. Any given policy, of course, may vary widely from the next 
based on organizational needs, so it's hard to come up with a standard 
checklist that's detailed in terms of the policy.

http://www.cisecurity.org/bench_cisco.html

  Any help is highly appreciated.
  Thank you,


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
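Added example for questions 1 and 3 above (editor's code, not from the thread or from Cisco): it parses PIX 7.x `show access-list` output, which carries a per-line hit counter, flags exact duplicate rules, and emits CSV for a spreadsheet. The line layout is assumed from PIX 7.x and the sample lines are constructed.

```python
# Added example, not from the thread: PIX 7.x 'show access-list' layout assumed; sample lines constructed.
import csv, io, re
from collections import Counter

SAMPLE_SHOW_ACCESS_LIST = """\
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=4812) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq www (hitcnt=0) 0x2b3c4d5e
access-list outside_in line 3 extended deny ip any any (hitcnt=15320) 0x3c4d5e6f
"""
LINE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.*?)(?: \(hitcnt=(?P<hits>\d+)\))?(?: 0x[0-9a-f]+)?$")
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> argument count

def _take_addr(tokens):  # consume one address: any | host X | NET MASK | object-group NAME
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t in ("host", "object-group"):
        return f"{t} {tokens.pop(0)}"
    return f"{t}/{tokens.pop(0)}"  # network followed by its mask

def _take_port(tokens):  # consume an optional port operator ("eq www", "range 1024 65535")
    if tokens and tokens[0] in PORT_OPS:
        n = PORT_OPS[tokens[0]] + 1
        return " ".join(tokens[:n]), tokens[n:]
    return "any", tokens

def parse_rule(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = m["rest"].split()
    src = _take_addr(tokens); sport, tokens = _take_port(tokens)
    dst = _take_addr(tokens); dport, _ = _take_port(tokens)
    return {"acl": m["acl"], "line": int(m["line"]), "action": m["action"], "proto": m["proto"],
            "src": src, "sport": sport, "dst": dst, "dport": dport, "hits": int(m["hits"] or 0)}

def summarize(text):  # parse all rules, flag exact duplicates, sort busiest first
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    key = lambda r: (r["acl"], r["action"], r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
    counts = Counter(key(r) for r in rules)
    for r in rules:
        r["duplicate"] = counts[key(r)] > 1
    return sorted(rules, key=lambda r: -r["hits"])

def to_csv(rules):  # CSV text ready for import into a spreadsheet
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=list(rules[0]))
    w.writeheader(); w.writerows(rules)
    return buf.getvalue()
```

On a compiled ACL (7.0 and later, as noted above) the hit-count ordering is for readability and duplicate cleanup, not for lookup speed on the box.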

