Educause Security Discussion mailing list archives

Re: Cisco Pix Firewall Question


From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Thu, 5 Mar 2009 12:14:45 -0500

First line of rule set  # (-): Source Host/network (Any), Destination
Host/network (Any), Interface (inside/Outbound), Service (IP), Log Level
Interval (   ), Description (Implicit Outbound Rule) 

 

I'm leaning towards the recommendation that:

 

A)      The department have the rule set reviewed by a certified
firewall tech (We have one in Central IT that offered assistance) and

B)      The department consider additional training in Firewalls AND
Novell Network  

 

Ideally, I'd like the servers to be in central IT and protected by them, but
we will do the best we can with what we have.

 

Thanks All!

 

 

:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 508-856-2443

:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu


University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
01545 : www.massachusetts.edu <http://www.massachusetts.edu/> 

 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brown, Alexander
Sent: Thursday, March 05, 2009 11:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Pix Firewall Question

 

Chip gave some good advice and I'd just like to add, as a friendly
reminder, that you should be sure to check the outbound rules as well
as the inbound rules on the firewall.  Many times, auditors or firewall
techs are only concerned with the rules that prevent
unwanted/unauthorized access into a network, while disregarding the
rules that prevent unwanted traffic from leaving a network.

 

It is highly likely that a "permit ip any any" exists on the internal
interface of the firewall which would allow all traffic outbound.  Due
to the sensitive information on the servers in the department, you
probably don't want that.

 

Alex

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greene, Chip
Sent: Thursday, March 05, 2009 11:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Pix Firewall Question

 

With this new information, I see many red flags, but would still check
to make sure there are no "Permit IP any any" rules in the firewall
rulesets.  Even if the firewall is on, if they are allowing all of the
traffic, then it might as well be off.  

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Thursday, March 05, 2009 11:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Pix Firewall Question

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greene, Chip
Sent: Thursday, March 05, 2009 11:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Pix Firewall Question

 

1. Is there a requirement for a certified firewall tech?  Many
network engineers are skilled enough to manage a firewall without
obtaining a certification.  Well, they didn't know that they didn't have
IDS until I pointed it out to them, so I don't think that they have the
level of knowledge/comfort to manage this themselves. (They thought our
Central IT dept was providing it, but this department is not on Central
IT's network, so our Central IT has no idea what they are doing.) But to
answer your question, WE have no requirement as such.

2. With Cisco, I believe you are talking about the Smart-Net
service.  That would be an issue if the firewall fails and they cannot
get support from TAC.  If they have standby spares, this may not be an
issue.  If they also have multiple firewalls in Active/Standby
configuration, they may have designed for failover in another way.  Just
the one firewall, which they turned on after they learned I'd be
visiting.

3. Cisco firewalls have an implicit deny any at the end of each
ruleset.  If they do not have a "permit IP any any" on the interface
then they should drop all traffic not specified. (Perfect, I was unsure
if this mattered.)

4. Is IDS a requirement?  We have a large amount of segments that
do not require IDS, so we have not deployed any. (We have a University
Policy that requires IDS on any servers holding sensitive information,
and this department has that.)

 

Hope this helps.  Please feel free to contact me if you have any other
questions. Many Thanks Chip!

 

Chip Greene

Senior Network Specialist, CCSP

University of Richmond
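Alex's reminder to check the outbound rules and Chip's point about the implicit deny at the end of each ruleset come down to the same review step: for every interface, find which access-list (if any) is applied to it and whether that list contains a "permit ip any any". The script below is an added example written for this archive page, not code posted by anyone in the thread. It parses a constructed PIX 6.x-style configuration (the interface names, addresses and ACL names are made up for illustration) and flags a wide-open permit, an ACL that is defined but never applied, and a higher-security interface with no access-group at all. That last case is the "Implicit Outbound Rule" Daniel saw listed as Source Any / Destination Any / Service IP: with no ACL applied, a PIX permits traffic from a higher-security interface toward any lower-security one by default, so the firewall is effectively off in that direction.

```python
"""Audit a Cisco PIX-style configuration for wide-open access-list entries.

Added example for this mailing-list thread; not from any poster.
Syntax modelled on PIX 6.x: ``nameif``, ``access-list``, ``access-group``.
Both configurations below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the inside ACL has the "permit ip any any" Alex warned
# about, and the dmz interface has no access-group bound at all.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list inside_out permit ip any any
access-group outside_in in interface outside
access-group inside_out in interface inside
"""

# Constructed hardened sample: every interface has an ACL applied, each ACL
# permits only named services, and the implicit deny drops the rest.
HARDENED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list inside_out permit tcp any any eq 443
access-list inside_out permit tcp any any eq 80
access-list inside_out permit udp any host 192.0.2.53 eq 53
access-list dmz_out permit udp any host 192.0.2.53 eq 53
access-group outside_in in interface outside
access-group inside_out in interface inside
access-group dmz_out in interface dmz
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    rest: str  # source, destination and port tokens after the protocol

    def is_wide_open(self) -> bool:
        """True only for 'permit ip any any': every host, every protocol."""
        return (self.action == "permit" and self.proto == "ip"
                and self.rest.split() == ["any", "any"])


def parse_config(text: str):
    """Return (acls, bindings, levels) from a PIX-style config text."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[str, str] = {}   # interface name -> ACL applied inbound
    levels: Dict[str, int] = {}     # interface name -> security level
    for raw in text.splitlines():
        line = raw.strip()
        m = NAMEIF_RE.match(line)
        if m:
            levels[m.group(1)] = int(m.group(2))
            continue
        m = ACE_RE.match(line)
        if m:
            acl, action, proto, rest = m.groups()
            acls.setdefault(acl, []).append(Ace(acl, action, proto, rest))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)
    return acls, bindings, levels


def audit(text: str) -> List[str]:
    """List conditions under which the firewall passes everything one way."""
    acls, bindings, levels = parse_config(text)
    findings: List[str] = []
    for iface in sorted(levels, key=lambda i: levels[i]):
        acl = bindings.get(iface)
        if acl is None:
            if levels[iface] > 0:
                # PIX default with no ACL applied: traffic from a
                # higher-security interface to any lower one is permitted.
                findings.append(
                    iface + ": no access-group bound; default PIX behaviour "
                    "permits all outbound traffic to lower-security interfaces")
            continue
        for ace in acls.get(acl, []):
            if ace.is_wide_open():
                findings.append(
                    iface + ": ACL " + acl + " contains 'permit ip any any'; "
                    "the implicit deny at the end of the ACL never applies")
    # An ACL that is defined but never applied filters nothing.
    for acl in sorted(set(acls) - set(bindings.values())):
        findings.append("ACL " + acl + " is defined but not applied to any interface")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit(cfg) or ["no findings"])
```

The check is deliberately narrow: it reports only the conditions the thread describes (a wide-open permit, a missing access-group, an unapplied ACL). A "permit tcp any any eq 80" in the hardened sample is not flagged, because the implicit deny still drops every other protocol and port; whether that rule is itself too broad is a policy question for the reviewer, not something the parser can decide.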

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Thursday, March 05, 2009 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cisco Pix Firewall Question

 

Hi All,

 

I have a department running a Novell 6.5 network protected by a Cisco
Pix Firewall. 

 

The Department:

 

* Does not have a certified Firewall Tech to review the rule set

* Has not signed up for an Upgrade Service for the firewall

* Does not have a Deny Default on the firewall

* Has no IDS

 

My firewall knowledge is limited, but does anyone else see red-flags
here and, given the limited amount of information I've provided, do you
have any recommendations for the department?

 

Many Thanks,

 
