Educause Security Discussion mailing list archives
Re: Cisco Pix Firewall Question
From: "King, Ronald A." <raking () NSU EDU>
Date: Thu, 5 Mar 2009 12:18:57 -0500
The Cisco ASDM, which is available for IOS 7.x and 8.x, has a packet tracer feature that allows you to send fake packets through your firewall rules. Of course, you would need to have a support contract to get it. To me, the red flag is with no support. Without, you get no IOS updates or troubleshooting/failure support. If I remember correctly, there are a few bugs in older IOS allowing for DOS attacks or unauthorized enable access. Ronald King Security Engineer Norfolk State University Marie V. McDemmond Center for Applied Research Suite 401 700 Park Ave. Norfolk, Virginia 23504 Phone: 757-823-3918 Fax: 757-823-2821 Email: raking () nsu edu<mailto:raking () nsu edu> http://security.nsu.edu From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brown, Alexander Sent: Thursday, March 05, 2009 11:55 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Cisco Pix Firewall Question Chip gave some good advice and I'd just like to add, as a friendly reminder, that you should be sure to check the outbound rules and well as the inbound rules on the firewall. Many times, auditors or firewall techs are only concerned with the rules that prevent unwanted/unauthorized access into a network, while disregarding the rules that prevent unwanted traffic from leaving a network. It is highly likely that a "permit ip any any" exists on the internal interface of the firewall which would allow all traffic outbound. Due to the sensitive information on the servers in the department, you probably don't want that. Alex From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greene, Chip Sent: Thursday, March 05, 2009 11:34 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Cisco Pix Firewall Question With this new information, I see many red flags, but would still check to make sure there are no "Permit IP any any" rules in the firewall rulesets. Even if the firewall is on, if they are allowing all of the traffic, then it might as well be off. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel Sent: Thursday, March 05, 2009 11:29 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Cisco Pix Firewall Question [cid:image001.gif@01C99D8C.72647BE0] :: Daniel Sarazen, Information Technology Auditor :: University Internal Audit :: University of Massachusetts President's Office :: 508-856-2443 :: 781-724-3377 Cell :: 508-856-8824 Fax :: Dsarazen () umassp edu<mailto:Dsarazen () umassp edu> University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu<http://www.massachusetts.edu/> ________________________________ From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greene, Chip Sent: Thursday, March 05, 2009 11:13 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Cisco Pix Firewall Question 1. Is there a requirement for a certified firewall tech? Many network engineers are skilled enough to manage a firewall without obtaining a certification. Well, they didn't know that they didn't have IDS until I pointed it out to them, so I don't think that their level of knowledge/comfort to manage this themselves. (they thought our Central IT dept was providing it, but this department is not on Central IT's network, so our Central IT has no idea what they are doing). But to answer your question, WE have no requirement as such. 2. With Cisco, I believe you are talking about the Smart-Net service. That would be an issue if the firewall fails and they can not get support from TAC. If they have standby spares, this may not be an issue. If they also have multiple firewalls in Active/Standby configuration, they may have designed for failover in other way. Just the one firewall, which they turned on after they learned I'd be visiting. 3. Cisco firewalls have an implicit deny any at the end of each ruleset. If they do not have a "permit IP any any" on the interface then they should drop all traffic not specified. (Perfect, I was unsure if this mattered) 4. Is IDS a requirement? We have a large amount of segments that do not require IDS, so we have not deployed any. We have a University Policy that requires IDS on any servers holding sensitive information, and this department has that) Hope this helps. Please feel free to contact me if you have any other questions. Many Thanks Chip! Chip Greene Senior Network Specialist, CCSP University of Richmond From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel Sent: Thursday, March 05, 2009 11:05 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Cisco Pix Firewall Question Hi All, I have a department running a Novell 6.5 network protected by a Cisco Pix Firewall. The Department: * Does not have a certified Firewall Tech to review the rule set * Has not signed up for an Upgrade Service for the firewall * Does not have a Deny Default on the firewall * Has no IDS My firewall knowledge is limited, but does anyone else see red-flags here and, given the limited amount of information I've provided, do you have any recommendations for the department? Many Thanks, [cid:image001.gif@01C99D8C.72647BE0] :: Daniel Sarazen, Information Technology Auditor :: University Internal Audit :: University of Massachusetts President's Office :: 508-856-2443 :: 781-724-3377 Cell :: 508-856-8824 Fax :: Dsarazen () umassp edu<mailto:Dsarazen () umassp edu> University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu<http://www.massachusetts.edu/>
Current thread:
- Cisco Pix Firewall Question Sarazen, Daniel (Mar 05)
- <Possible follow-ups>
- Re: Cisco Pix Firewall Question Greene, Chip (Mar 05)
- Re: Cisco Pix Firewall Question Willis Marti (Mar 05)
- Re: Cisco Pix Firewall Question Sarazen, Daniel (Mar 05)
- Re: Cisco Pix Firewall Question Greene, Chip (Mar 05)
- Re: Cisco Pix Firewall Question Brown, Alexander (Mar 05)
- Re: Cisco Pix Firewall Question Greene, Chip (Mar 05)
- Re: Cisco Pix Firewall Question Sarazen, Daniel (Mar 05)
- Re: Cisco Pix Firewall Question King, Ronald A. (Mar 05)
- Re: Cisco Pix Firewall Question David Gillett (Mar 05)
- Re: Cisco Pix Firewall Question Chuck McCants (Mar 05)
- Re: Cisco Pix Firewall Question Adam Carlson (Mar 05)
- Re: Cisco Pix Firewall Question Jeff Kell (Mar 05)
- Re: Cisco Pix Firewall Question Warner, David F (Mar 05)
- Re: Cisco Pix Firewall Question Jim Dillon (Mar 06)