Educause Security Discussion mailing list archives

Re: Cisco Pix Firewall Question


From: "Greene, Chip" <cgreene2 () RICHMOND EDU>
Date: Thu, 5 Mar 2009 11:13:02 -0500

1. Is there a requirement for a certified firewall tech? Many network engineers are skilled enough to manage a firewall without obtaining a certification.

2. With Cisco, I believe you are talking about the SMARTnet service. That would be an issue if the firewall fails and they cannot get support from TAC. If they have standby spares, this may not be an issue. If they also have multiple firewalls in an Active/Standby configuration, they may have designed for failover in other ways.

3. Cisco firewalls have an implicit deny any at the end of each ruleset. If they do not have a "permit ip any any" on the interface then they should drop all traffic not specified.

4. Is IDS a requirement? We have a large number of segments that do not require IDS, so we have not deployed any.

Hope this helps.  Please feel free to contact me if you have any other questions.

Chip Greene
Senior Network Specialist, CCSP
University of Richmond

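Point 3 of the reply above is the kind of check an auditor can make mechanically against a saved running-config rather than by reading rules by eye. The following is an added example written for this archive page, not code from either poster or from Cisco. It parses the plain `access-list NAME [extended] permit|deny PROTO SRC DST ...` and `access-group NAME in|out interface IFACE` lines of a constructed PIX/ASA-style config and reports, for each interface with a bound ACL, whether the ruleset is effectively open (a `permit ip any any` is present, and every entry after it is dead), ends in an explicit `deny ip any any` (which can carry `log`), or falls through to the implicit deny. The interface names, ACL names and addresses are made up; object-groups, remarks and `show access-list` hit-count output are not handled.

```python
"""Audit PIX/ASA-style access-lists for catch-all permits and for how each
ruleset terminates.  Added example; the config below is constructed."""
import re

# Constructed running-config excerpt (made-up interfaces and addresses).
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-list outside_in extended permit tcp any host 192.0.2.10 eq 80
access-list outside_in extended permit ip any any
access-list outside_in extended deny tcp any any eq 23
access-group outside_in in interface outside
access-list dmz_in extended permit tcp host 192.0.2.10 host 10.0.0.5 eq 1433
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
access-list inside_in extended permit ip 10.0.0.0 255.0.0.0 any
access-group inside_in in interface inside
"""

ANY = {"any", "any4", "any6"}  # 'any4'/'any6' appear on newer ASA releases

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$")
GROUP_RE = re.compile(
    r"^access-group\s+(?P<name>\S+)\s+(?P<dir>in|out)\s+interface\s+(?P<iface>\S+)$")


def parse_config(text):
    """Return (acls, bindings): acls maps ACL name to its ordered entries,
    bindings lists (acl_name, direction, interface) from access-group lines.
    Remarks, object-groups and 'show access-list' hit-count output are ignored."""
    acls, bindings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append(
                {"action": m["action"], "proto": m["proto"],
                 "tokens": m["rest"].split()})
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings.append((m["name"], m["dir"], m["iface"]))
    return acls, bindings


def is_any_any(ace):
    """True when source and destination are both the keyword 'any'."""
    t = ace["tokens"]
    return len(t) >= 2 and t[0] in ANY and t[1] in ANY


def classify(aces):
    """Decide how an ACL terminates.  Returns (status, decisive_index):
    open          - a 'permit ip any any' matches everything not already
                    handled, so nothing is dropped and later entries are dead
    explicit-deny - the last entry is 'deny ip any any' (optionally 'log')
    implicit-deny - falls through to the built-in deny, which is not logged"""
    for i, ace in enumerate(aces):
        if ace["action"] == "permit" and ace["proto"] == "ip" and is_any_any(ace):
            return "open", i
    if aces and aces[-1]["action"] == "deny" and aces[-1]["proto"] == "ip" \
            and is_any_any(aces[-1]):
        return "explicit-deny", len(aces) - 1
    return "implicit-deny", None


def audit(config_text):
    """Map (interface, direction) to the classification of its bound ACL."""
    acls, bindings = parse_config(config_text)
    report = {}
    for name, direction, iface in bindings:
        aces = acls.get(name, [])
        status, idx = classify(aces)
        report[(iface, direction)] = {
            "acl": name,
            "status": status,
            "decisive_entry": idx,
            # entries after a catch-all permit can never be reached
            "dead_entries": len(aces) - idx - 1 if status == "open" else 0,
        }
    return report


if __name__ == "__main__":
    for (iface, direction), r in audit(SAMPLE_CONFIG).items():
        print(f"{iface:8s} {direction:3s} {r['acl']:12s} {r['status']:14s}"
              f" dead entries: {r['dead_entries']}")
```

On a real unit the input is the output of `show running-config access-list` and `show running-config access-group`. The "implicit-deny" verdict is not a finding by itself, since the built-in deny does drop the traffic, but the implicit deny produces no syslog record; finishing each inbound ACL with an explicit `deny ip any any log` (the `dmz_in` case above) is what makes dropped traffic visible to whoever reviews the logs.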

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Thursday, March 05, 2009 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cisco Pix Firewall Question

Hi All,

I have a department running a Novell 6.5 network protected by a Cisco Pix Firewall.

The Department:

* Does not have a certified Firewall Tech to review the rule set
* Has not signed up for an Upgrade Service for the firewall
* Does not have a Deny Default on the firewall
* Has no IDS

My firewall knowledge is limited, but does anyone else see red flags here and, given the limited amount of information I've provided, do you have any recommendations for the department?

Many Thanks,


:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu


