Re: Cisco Pix Firewall Question

["Sarazen, Daniel" <dsarazen () UMASSP EDU>]

:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 508-856-2443

:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu


University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
01545 : www.massachusetts.edu <http://www.massachusetts.edu/> 

 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greene, Chip
Sent: Thursday, March 05, 2009 11:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Pix Firewall Question

 

1.        Is there a requirement for a certified firewall tech?  Many
network engineers are skilled enough to manage a firewall without
obtaining a certification.  Well, they didn't know that they didn't have
IDS until I pointed it out to them, so I don't think that their level of
knowledge/comfort to manage this themselves. (they thought our Central
IT dept was providing it, but this department is not on Central IT's
network, so our Central IT has no idea what they are doing). But to
answer your question, WE have no requirement as such. 

2.       With Cisco, I believe you are talking about the Smart-Net
service.  That would be an issue if the firewall fails and they can not
get support from TAC.  If they have standby spares, this may not be an
issue.  If they also have multiple firewalls in Active/Standby
configuration, they may have designed for failover in other way.  Just
the one firewall, which they turned on after they learned I'd be
visiting.

3.       Cisco firewalls have an implicit deny any at the end of each
ruleset.  If they do not have a "permit IP any any" on the interface
then they should drop all traffic not specified. (Perfect, I was unsure
if this mattered)

4.       Is IDS a requirement?  We have a large amount of segments that
do not require IDS, so we have not deployed any. We have a University
Policy that requires IDS on any servers holding sensitive information,
and this department has that)

 

Hope this helps.  Please feel free to contact me if you have any other
questions. Many Thanks Chip!

 

Chip Greene

Senior Network Specialist, CCSP

University of Richmond

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Thursday, March 05, 2009 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cisco Pix Firewall Question

 

Hi All,

 

I have a department running a Novell 6.5 network protected by a Cisco
Pix Firewall. 

 

The Department:

 

*       Does not have a certified Firewall Tech to review the rule set

*       Has not signed up for an Upgrade Service for the firewall

*       Does not have a Deny Default on the firewall

*       Has no IDS

 

My firewall knowledge is limited, but does anyone else see red-flags
here and, given the limited amount of information I've provided, do you
have any recommendations for the department?

 

Many Thanks,

 



:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 508-856-2443

:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu


University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
01545 : www.massachusetts.edu <http://www.massachusetts.edu/>