Re: Cisco Pix Firewall Question

[Chuck McCants <cmccants () WAYNE EDU>]

Hmmmm.

Firewall off - traffic passes through
Firewall on - traffic still passes through

Is the firewall actually connected?



Sarazen, Daniel wrote:
>       
>
> :: **Daniel Sarazen**, Information Technology Auditor
> :: University Internal Audit
> :: University of Massachusetts President's Office
>
> :: 508-856-2443
>
> :: 781-724-3377 Cell
> :: 508-856-8824 Fax
> :: Dsarazen () umassp edu <mailto:Dsarazen () umassp edu>
>
>
> University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
> 01545 : www.massachusetts.edu <http://www.massachusetts.edu/>
>
>
>
> ------------------------------------------------------------------------
>
> *From:* The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Greene, Chip
> *Sent:* Thursday, March 05, 2009 11:13 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Cisco Pix Firewall Question
>
>
>
> 1.        Is there a requirement for a certified firewall tech?  Many
> network engineers are skilled enough to manage a firewall without
> obtaining a certification.  Well, they didn’t know that they didn’t have
> IDS until I pointed it out to them, so I don’t think that their level of
> knowledge/comfort to manage this themselves. (they thought our Central
> IT dept was providing it, but this department is not on Central IT’s
> network, so our Central IT has no idea what they are doing). But to
> answer your question, WE have no requirement as such.
>
> 2.       With Cisco, I believe you are talking about the Smart-Net
> service.  That would be an issue if the firewall fails and they can not
> get support from TAC.  If they have standby spares, this may not be an
> issue.  If they also have multiple firewalls in Active/Standby
> configuration, they may have designed for failover in other way.  Just
> the one firewall, which they turned on after they learned I’d be visiting.
>
> 3.       Cisco firewalls have an implicit deny any at the end of each
> ruleset.  If they do not have a “permit IP any any” on the interface
> then they should drop all traffic not specified. (Perfect, I was unsure
> if this mattered)
>
> 4.       Is IDS a requirement?  We have a large amount of segments that
> do not require IDS, so we have not deployed any. We have a University
> Policy that requires IDS on any servers holding sensitive information,
> and this department has that)
>
>
>
> Hope this helps.  Please feel free to contact me if you have any other
> questions. Many Thanks Chip!
>
>
>
> Chip Greene
>
> Senior Network Specialist, CCSP
>
> University of Richmond
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Sarazen, Daniel
> *Sent:* Thursday, March 05, 2009 11:05 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Cisco Pix Firewall Question
>
>
>
> Hi All,
>
>
>
> I have a department running a Novell 6.5 network protected by a Cisco
> Pix Firewall.
>
>
>
> The Department:
>
>
>
> ·       Does not have a certified Firewall Tech to review the rule set
>
> ·       Has not signed up for an Upgrade Service for the firewall
>
> ·       Does not have a Deny Default on the firewall
>
> ·       Has no IDS
>
>
>
> My firewall knowledge is limited, but does anyone else see red-flags
> here and, given the limited amount of information I’ve provided, do you
> have any recommendations for the department?
>
>
>
> Many Thanks,
>
>
>
>       
>
> :: **Daniel Sarazen**, Information Technology Auditor
> :: University Internal Audit
> :: University of Massachusetts President's Office
>
> :: 508-856-2443
>
> :: 781-724-3377 Cell
> :: 508-856-8824 Fax
> :: Dsarazen () umassp edu <mailto:Dsarazen () umassp edu>
>
>
> University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
> 01545 : www.massachusetts.edu <http://www.massachusetts.edu/>

--

Chuck McCants
Lead Security Specialist
C&IT Security and Access Mgmt
Wayne State University
313.577.3455