Educause Security Discussion mailing list archives
Re: Cisco Pix Firewall Question
From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Thu, 5 Mar 2009 11:28:40 -0500
:: Daniel Sarazen, Information Technology Auditor :: University Internal Audit :: University of Massachusetts President's Office :: 508-856-2443 :: 781-724-3377 Cell :: 508-856-8824 Fax :: Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu <http://www.massachusetts.edu/>

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greene, Chip
Sent: Thursday, March 05, 2009 11:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Pix Firewall Question

1. Is there a requirement for a certified firewall tech? Many network engineers are skilled enough to manage a firewall without obtaining a certification.

Well, they didn't know that they didn't have IDS until I pointed it out to them, so I don't think that they have the level of knowledge/comfort to manage this themselves. (They thought our Central IT dept was providing it, but this department is not on Central IT's network, so our Central IT has no idea what they are doing.) But to answer your question, WE have no requirement as such.

2. With Cisco, I believe you are talking about the Smart-Net service. That would be an issue if the firewall fails and they cannot get support from TAC. If they have standby spares, this may not be an issue. If they also have multiple firewalls in Active/Standby configuration, they may have designed for failover in another way.

Just the one firewall, which they turned on after they learned I'd be visiting.

3. Cisco firewalls have an implicit deny any at the end of each ruleset. If they do not have a "permit IP any any" on the interface then they should drop all traffic not specified.

(Perfect, I was unsure if this mattered.)

4. Is IDS a requirement? We have a large number of segments that do not require IDS, so we have not deployed any.

(We have a University Policy that requires IDS on any servers holding sensitive information, and this department has that.)

Hope this helps. Please feel free to contact me if you have any other questions.

Many Thanks Chip!

Chip Greene
Senior Network Specialist, CCSP
University of Richmond

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Thursday, March 05, 2009 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cisco Pix Firewall Question

Hi All,

I have a department running a Novell 6.5 network protected by a Cisco Pix Firewall. The Department:

* Does not have a certified Firewall Tech to review the rule set
* Has not signed up for an Upgrade Service for the firewall
* Does not have a Deny Default on the firewall
* Has no IDS

My firewall knowledge is limited, but does anyone else see red-flags here and, given the limited amount of information I've provided, do you have any recommendations for the department?

Many Thanks,

:: Daniel Sarazen, Information Technology Auditor :: University Internal Audit :: University of Massachusetts President's Office :: 508-856-2443 :: 781-724-3377 Cell :: 508-856-8824 Fax :: Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu <http://www.massachusetts.edu/>
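Point 3 in the exchange above (the implicit deny at the end of each Cisco rule set, and the way a single "permit ip any any" defeats it) is something an auditor can check mechanically from an exported configuration rather than by trusting the "Deny Default" answer. The script below is an added example, not code from this thread or from Cisco: it parses PIX/ASA-style `access-list` and `access-group` lines, flags any `permit ip any any`, flags rules shadowed by it (they can never match), and flags ACLs that are defined but never applied to an interface with `access-group` (they filter nothing). The two embedded configurations are constructed for illustration; the ACL names, interface names and 192.0.2.0/24 addresses are invented.

```python
"""Audit a Cisco PIX/ASA-style rule set for an 'any any' permit and unbound ACLs.

Added example; the sample configs are constructed, not taken from any real device.
Covers PIX 6.x syntax ('access-list NAME permit ...') and the PIX 7 / ASA form
with the optional 'extended' keyword.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$"
)
GROUP_RE = re.compile(
    r"^access-group\s+(?P<name>\S+)\s+(?P<dir>in|out)\s+interface\s+(?P<iface>\S+)$"
)
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> argument count

# Constructed sample: the weak rule set the thread warns about.
WEAK_CONFIG = """\
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in permit ip any any
access-list outside_in deny tcp any host 192.0.2.10 eq 22
access-list dmz_in permit tcp 192.0.2.0 255.255.255.0 any eq 80
access-group outside_in in interface outside
"""

# Constructed sample: the same intent without the any/any hole, every ACL bound.
FIXED_CONFIG = """\
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in deny ip any any log
access-group outside_in in interface outside
access-group dmz_in in interface dmz
access-list dmz_in permit tcp 192.0.2.0 255.255.255.0 any eq 80
"""


@dataclass
class Ace:
    line_no: int
    action: str
    proto: str
    src: str
    dst: str
    rest: str  # whatever follows the destination: port operators, 'log', etc.


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec: 'any', 'host A', or 'A MASK'."""
    if not tokens:
        return "", tokens
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host" and len(tokens) >= 2:
        return tokens[1], tokens[2:]
    if len(tokens) >= 2 and re.fullmatch(r"[\d.]+", tokens[1]):
        return f"{tokens[0]}/{tokens[1]}", tokens[2:]
    return tokens[0], tokens[1:]


def _skip_ports(tokens: List[str]) -> List[str]:
    """Skip a source-port operator (e.g. 'eq 1024') that may sit between src and dst."""
    if tokens and tokens[0] in PORT_OPS:
        return tokens[1 + PORT_OPS[tokens[0]]:]
    return tokens


def parse_config(text: str) -> Tuple[Dict[str, List[Ace]], Dict[str, Tuple[str, str]]]:
    """Return ACLs by name (in config order) and access-group bindings by ACL name."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[str, Tuple[str, str]] = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            toks = m.group("rest").split()
            src, toks = _take_addr(toks)
            toks = _skip_ports(toks)
            dst, toks = _take_addr(toks)
            acls.setdefault(m.group("name"), []).append(
                Ace(no, m.group("action"), m.group("proto").lower(), src, dst, " ".join(toks))
            )
            continue
        g = GROUP_RE.match(line)
        if g:
            bindings[g.group("name")] = (g.group("dir"), g.group("iface"))
    return acls, bindings


def is_permit_any_any(ace: Ace) -> bool:
    return ace.action == "permit" and ace.proto == "ip" and ace.src == "any" and ace.dst == "any"


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; INFO means the ACL relies on the implicit deny."""
    findings: List[Tuple[str, str]] = []
    acls, bindings = parse_config(text)
    for name, aces in acls.items():
        if name not in bindings:
            findings.append(("MEDIUM", f"{name}: defined but never applied with access-group; it filters nothing"))
        open_at = None
        for ace in aces:
            if open_at is not None:
                findings.append(("MEDIUM", f"{name} line {ace.line_no}: unreachable, shadowed by permit ip any any on line {open_at}"))
            elif is_permit_any_any(ace):
                open_at = ace.line_no
                findings.append(("HIGH", f"{name} line {ace.line_no}: permit ip any any defeats the implicit deny"))
        if open_at is None and name in bindings:
            direction, iface = bindings[name]
            findings.append(("INFO", f"{name}: bound {direction} on {iface}; unmatched traffic hits the implicit deny"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit(cfg):
            print(f"[{sev}] {msg}")
```

Run it against the output of `show running-config` (or `write terminal` on older PIX code) saved to a file and fed to `audit()`. The check only looks at explicit ACEs; it does not model PIX's interface security levels or `conduit` statements on very old images, so treat a clean report as necessary rather than sufficient.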
Current thread:
- Cisco Pix Firewall Question Sarazen, Daniel (Mar 05)
- <Possible follow-ups>
- Re: Cisco Pix Firewall Question Greene, Chip (Mar 05)
- Re: Cisco Pix Firewall Question Willis Marti (Mar 05)
- Re: Cisco Pix Firewall Question Sarazen, Daniel (Mar 05)
- Re: Cisco Pix Firewall Question Greene, Chip (Mar 05)
- Re: Cisco Pix Firewall Question Brown, Alexander (Mar 05)
- Re: Cisco Pix Firewall Question Greene, Chip (Mar 05)
- Re: Cisco Pix Firewall Question Sarazen, Daniel (Mar 05)
- Re: Cisco Pix Firewall Question King, Ronald A. (Mar 05)
- Re: Cisco Pix Firewall Question David Gillett (Mar 05)
- Re: Cisco Pix Firewall Question Chuck McCants (Mar 05)
- Re: Cisco Pix Firewall Question Adam Carlson (Mar 05)
- Re: Cisco Pix Firewall Question Jeff Kell (Mar 05)
- Re: Cisco Pix Firewall Question Warner, David F (Mar 05)
(Thread continues...)