Educause Security Discussion mailing list archives

Re: Cisco Pix Firewall Question


From: "King, Ronald A." <raking () NSU EDU>
Date: Thu, 5 Mar 2009 12:18:57 -0500

The Cisco ASDM, which is available for IOS 7.x and 8.x, has a packet tracer feature that allows you to send fake 
packets through your firewall rules.  Of course, you would need to have a support contract to get it.

To me, the red flag is with no support.  Without, you get no IOS updates or troubleshooting/failure support.  If I 
remember correctly, there are a few bugs in older IOS allowing for DOS attacks or unauthorized enable access.

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia  23504
Phone:  757-823-3918
Fax: 757-823-2821
Email: raking () nsu edu
http://security.nsu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brown, 
Alexander
Sent: Thursday, March 05, 2009 11:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Pix Firewall Question

Chip gave some good advice and I'd just like to add, as a friendly reminder, that you should be sure to check the 
outbound rules as well as the inbound rules on the firewall.  Many times, auditors or firewall techs are only 
concerned with the rules that prevent unwanted/unauthorized access into a network, while disregarding the rules that 
prevent unwanted traffic from leaving a network.

It is highly likely that a "permit ip any any" exists on the internal interface of the firewall which would allow all 
traffic outbound.  Due to the sensitive information on the servers in the department, you probably don't want that.

Alex

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greene, 
Chip
Sent: Thursday, March 05, 2009 11:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Pix Firewall Question

With this new information, I see many red flags, but would still check to make sure there are no "Permit IP any any" 
rules in the firewall rulesets.  Even if the firewall is on, if they are allowing all of the traffic, then it might as 
well be off.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, 
Daniel
Sent: Thursday, March 05, 2009 11:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Pix Firewall Question




:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : http://www.massachusetts.edu/


________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greene, 
Chip
Sent: Thursday, March 05, 2009 11:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Pix Firewall Question


1.        Is there a requirement for a certified firewall tech?  Many network engineers are skilled enough to manage a 
firewall without obtaining a certification.  Well, they didn't know that they didn't have IDS until I pointed it out to 
them, so I don't think that their level of knowledge/comfort to manage this themselves. (they thought our Central IT 
dept was providing it, but this department is not on Central IT's network, so our Central IT has no idea what they are 
doing). But to answer your question, WE have no requirement as such.

2.       With Cisco, I believe you are talking about the Smart-Net service.  That would be an issue if the firewall 
fails and they cannot get support from TAC.  If they have standby spares, this may not be an issue.  If they also have 
multiple firewalls in Active/Standby configuration, they may have designed for failover in another way.  Just the one 
firewall, which they turned on after they learned I'd be visiting.

3.       Cisco firewalls have an implicit deny any at the end of each ruleset.  If they do not have a "permit IP any 
any" on the interface then they should drop all traffic not specified. (Perfect, I was unsure if this mattered)

4.       Is IDS a requirement?  We have a large amount of segments that do not require IDS, so we have not deployed 
any. (We have a University Policy that requires IDS on any servers holding sensitive information, and this department 
has that)

Hope this helps.  Please feel free to contact me if you have any other questions. Many Thanks Chip!

Chip Greene
Senior Network Specialist, CCSP
University of Richmond
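The checks the replies above describe (Chip's "look for permit ip any any in every ruleset", Alex's "audit the rules on the inside interface too, not just the outside", Chip's note that an ACL ends in an implicit deny, and Ron's mention of tracing a test packet through the rules) can be done offline against a saved copy of the config rather than on the live box. The script below is an added example written for this thread, not code from any of the posters or from Cisco; it parses the PIX/ASA `access-list` / `access-group` syntax in a minimal way (netmask form, `host`, `any`, optional `eq port`), reports every wide-open permit together with the interface and direction it is bound to, and evaluates a constructed packet against the bound ACL with the implicit deny modelled. The sample config, addresses and ACL names are constructed for the example; on an ASA the ACL on the inside interface is applied `in`, which is what governs outbound traffic, so that is the binding it inspects.

```python
"""Toy PIX/ASA access-list auditor and packet tracer (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# PIX 6.x omits the "extended" keyword, ASA 7.x+ uses it; accept both.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
GROUP_RE = re.compile(
    r"^access-group\s+(?P<name>\S+)\s+(?P<dir>in|out)\s+interface\s+(?P<iface>\S+)\s*$"
)

@dataclass
class Rule:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]
    line: str

def parse_network(token: str) -> ipaddress.IPv4Network:
    """'any', 'host A.B.C.D' or 'A.B.C.D MASK' (PIX/ASA use netmasks, not wildcards)."""
    parts = token.split()
    if parts == ["any"]:
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_config(text: str) -> Tuple[Dict[str, List[Rule]], List[Tuple[str, str, str]]]:
    """Return {acl_name: [rules in config order]} and [(acl_name, direction, interface)]."""
    acls: Dict[str, List[Rule]] = {}
    bindings: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append(Rule(
                m["name"], m["action"], m["proto"].lower(),
                parse_network(m["src"]), parse_network(m["dst"]), m["port"], line))
            continue
        g = GROUP_RE.match(line)
        if g:
            bindings.append((g["name"], g["dir"], g["iface"]))
    return acls, bindings

def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             port: Optional[str] = None) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; no match at all is the implicit deny (rule is None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):          # 'ip' rules cover every protocol
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.port is not None and r.port != port:  # rule without 'eq' matches any port
            continue
        return r.action, r
    return "deny", None

def trace_packet(config: str, iface: str, proto: str, src: str, dst: str,
                 port: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Miniature packet tracer: apply the ACL bound 'in' on the ingress interface."""
    acls, bindings = parse_config(config)
    for name, direction, bound_iface in bindings:
        if bound_iface == iface and direction == "in":
            action, rule = evaluate(acls.get(name, []), proto, src, dst, port)
            return action, (rule.line if rule else "implicit deny")
    return "no-acl", None   # nothing bound; interface security levels decide instead

def find_permit_any_any(config: str) -> List[Tuple[str, str, str]]:
    """(interface, direction, rule line) for every 'permit ip any any' that is actually bound."""
    acls, bindings = parse_config(config)
    hits = []
    for name, direction, iface in bindings:
        for r in acls.get(name, []):
            if (r.action == "permit" and r.proto == "ip" and r.port is None
                    and r.src.prefixlen == 0 and r.dst.prefixlen == 0):
                hits.append((iface, direction, r.line))
    return hits

# Constructed sample config: a tight outside ACL and a wide-open inside ACL.
SAMPLE_CONFIG = """
! constructed sample, not a real device config
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-list INSIDE_OUT extended permit ip any any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
"""

if __name__ == "__main__":
    for iface, direction, line in find_permit_any_any(SAMPLE_CONFIG):
        print(f"wide-open permit on {iface} ({direction}): {line}")
    print(trace_packet(SAMPLE_CONFIG, "outside", "tcp", "198.51.100.5", "192.0.2.10", "22"))
```

Run against a `show running-config` capture, the audit reports the inside-interface `permit ip any any` that Alex warned about while leaving the outside ACL alone, and the trace of a port 22 attempt from outside shows it stopped by the explicit deny; remove that explicit deny and the same packet is still dropped, this time by the implicit deny, which is Chip's point 3. The parser deliberately ignores object-groups, named ports and `remark` lines, so treat a non-matching line as "review by hand", not as safe.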


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, 
Daniel
Sent: Thursday, March 05, 2009 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cisco Pix Firewall Question

Hi All,

I have a department running a Novell 6.5 network protected by a Cisco Pix Firewall.

The Department:

*       Does not have a certified Firewall Tech to review the rule set
*       Has not signed up for an Upgrade Service for the firewall
*       Does not have a Deny Default on the firewall
*       Has no IDS

My firewall knowledge is limited, but does anyone else see red-flags here and, given the limited amount of information 
I've provided, do you have any recommendations for the department?

Many Thanks,


:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : http://www.massachusetts.edu/


