Security Basics mailing list archives

Re: More Firewall Questions


From: Shawn Duffy <pakkit () codepiranha org>
Date: Thu, 29 May 2003 13:56:42 -0400 (EDT)

I guess it really depends on what the scripts do... Either way, I would
schedule an outage window if I were you.  If this is a production
firewall, you don't want to run a test like this and assume nothing will
break.  That doesn't mean you have to take it down, but I would schedule a
window so that potentially affected users know that maintenance will be
done and a short outage is possible...

Shawn Duffy, CCNA CCSE
email: pakkit at codepiranha dot org
web: http://codepiranha.org/~pakkit
gpg key: http://codepiranha.org/~pakkit/pakkit.asc
gpg fpr: 8988 6FB6 3CFE FE6D 548E  98FB CCE9 6CA9 98FC 665A
having problems reading email from me? http://codepiranha.org/~pakkit/pgp-trouble.html


On Thu, 29 May 2003 kurtis.myers () us army mil wrote:

My agency has Symantec Enterprise Firewall V6.5.0 and it needs to be re-certified as being security compliant; to accomplish this we will run a series of scripts against the OS (WINNT 4.0).

The bottom line question is: do we need to bring this firewall off line to run the scripts?

The scripts only evaluate the values of the registry and not the functioning of the firewall software; we have reviewed the current rules and have accepted them as adequate, but must complete the OS verification.  After the OS assessment we will conduct penetration testing.

Any recommendations or comments to our concept of verifying our firewall's security are welcomed.

Kurt Myers
IA Officer


