Educause Security Discussion mailing list archives

Re: Cisco Pix Firewall Question


From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Fri, 6 Mar 2009 17:21:41 -0700

Daniel,

Here are my thoughts, reverting back to my former internal auditor hat.

The most important question/thought is the one you did not ask, and
that is: what risk does this network represent?  Is that risk
acceptable?  (We don't know if this is an isolated internal network or
something Internet facing, for example.)  The answer to your questions
varies depending on the risk and your organization's declared policies
and risk acceptance.

So I'm answering assuming that industry norms are applicable and that
there is likely something of a restricted, proprietary, or private
nature within that network.  (Industry norms would say that the network
itself should be protected so as not to provide a platform for
malfeasance; that's square one, but there are certainly many escalating
risk scenarios to consider in answering your questions.)

1. I'm more concerned that it has someone capable to review the rule
set, and that capable is defined rather than specifying it is a
"certified Firewall Tech."  A standard for quality and performance
(which includes security as a consideration) should exist and be overt
and transparent.  Measurement against that standard is simply good
management.

2. If there is no Upgrade Service are we to assume there is no
upgrade/risk monitoring?  Can the "service" be a well constructed and
controlled internal process?  There are arguments against some service
features in general (change control primarily) that might suggest a
well-executed internal upgrade process is superior.  The key here is
that risks are monitored and timely mitigation is executed.  If you
can't attest to that then you have a flag.  Services usually help with
the "timely" aspect, but there are exceptions.

3. There is very little argument these days regarding the basic
Allow/Deny policy.  Anything that does not start with Deny (least
privilege) as the basis should have to justify itself, not the other way
around.  Others have commented on how to determine this for this
platform, but lacking a clearly expressed reasoning for exceptions to
"deny" I would always question an "allow any" stance.

4. IDS isn't necessary if "I" is acceptable!  Assuming "I" isn't
acceptable (it generally isn't), then IDS strength becomes a matter of
risk and exposure.  There are compensating controls and procedures that
can mitigate the need for an IDS, but IDS seems to be a reasonable
expectation these days.  If it isn't, you have to question the value and
contribution of the network in relation to institutional objectives to
begin with.  Preventative controls are always more desirable than
detective controls, and a failure to provide either can easily be
justified as irresponsible to the networked community at a minimum.
(That includes all of us by the way!)

So your questions leave me with many additional questions, but here are
a couple of thoughts to ponder.

1. Does your institution have a policy or standard regarding risk
assessment to begin with?

2. Do you have a data classification standard?

3. Are there security/custodial/stewardship responsibilities clearly
stated in policy?

4. Is it clear what threats apply to the content within this network?

And so on...

Evaluation of this department should be subject to these and other such
things.  If you lack institutional policy sufficient to define an overt
and transparent answer, then you have bigger problems than this
firewall.  The only good way to proceed lacking that sort of
institutional maturity is to pick an authoritative standard (NIST, ISO,
etc.), and present the situation in light of that standard.  That should
provide a basis for discussing security needs and creating the standards
whereby judging this firewall and its effectiveness become apparent.

It is entirely possible to isolate and control access and user behavior
in such a way that none of these issues are really big concerns.
Possible, but very, very unlikely!

Best regards,

Jim Dillon

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu        303-735-5682
-------------------Boulder------------------------

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Thursday, March 05, 2009 9:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cisco Pix Firewall Question

Hi All,

I have a department running a Novell 6.5 network protected by a Cisco
Pix Firewall.

The Department:

* Does not have a certified Firewall Tech to review the rule set
* Has not signed up for an Upgrade Service for the firewall
* Does not have a Deny Default on the firewall
* Has no IDS

My firewall knowledge is limited, but does anyone else see red-flags
here and, given the limited amount of information I've provided, do you
have any recommendations for the department?

Many Thanks,

:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
01545 : www.massachusetts.edu
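Two of the points raised in this thread, a capable review of the rule set (Jim's point 1) and a default-deny stance in which every "allow any" has to justify itself (point 3, and the "Does not have a Deny Default" bullet in the original question), can be checked mechanically once the configuration is exported. The script below is an added example written for this archive page; it is not code from either poster or from Cisco. It parses a PIX-style `access-list` / `access-group` fragment and reports blanket permits, lists that end without an explicit `deny ip any any`, and an outside interface with no list bound to it. The configuration text, the interface names and the severity labels are constructed for the example; the parser covers the common `any` / `host` / `network mask` endpoint forms and the `eq`, `gt`, `lt`, `neq` and `range` port operators, and it does not handle object groups or other keywords.

```python
import re
from dataclasses import dataclass

# Constructed PIX-style configuration fragment (not taken from the thread).
# It shows the weak pattern under discussion: a blanket "permit ip any any"
# on the outside list, which means the implicit deny at the end never applies.
WEAK_CONFIG = """\
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in permit ip any any
access-list dmz_in permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.5 eq 25
access-list dmz_in deny ip any any
access-group outside_in in interface outside
access-group dmz_in in interface dmz
"""

# Same fragment with the blanket permit replaced by an explicit final deny.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "access-list outside_in permit ip any any",
    "access-list outside_in deny ip any any",
)

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)$")
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # operator plus operand count


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    text: str


def _take_endpoint(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (endpoint, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def _skip_port(tokens):
    """Drop an optional port operator (eq 80, range 1 1024, ...) that follows an endpoint."""
    if tokens and tokens[0] in PORT_OPS:
        return tokens[PORT_OPS[tokens[0]]:]
    return tokens


def parse_config(text):
    """Return (rules in configured order, {interface: acl name}) from a config fragment."""
    rules, bindings = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            tokens = m.group("rest").split()
            src, tokens = _take_endpoint(tokens)
            tokens = _skip_port(tokens)  # a source-port operator may sit between the endpoints
            dst, tokens = _take_endpoint(tokens)
            rules.append(Rule(m.group("name"), m.group("action"), m.group("proto"), src, dst, line))
            continue
        g = GROUP_RE.match(line)
        if g:
            bindings[g.group("iface")] = g.group("name")
    return rules, bindings


def review(rules, bindings):
    """Audit findings as (severity, message) tuples; an empty list means nothing was flagged."""
    findings = []
    per_acl = {}
    for r in rules:
        per_acl.setdefault(r.acl, []).append(r)
    for name, acl in per_acl.items():
        for r in acl:
            if r.action == "permit" and r.src == "any" and r.dst == "any":
                findings.append(("HIGH", f"{name}: 'allow any' rule, no default deny ({r.text})"))
        last = acl[-1]
        if not (last.action == "deny" and last.proto == "ip" and last.src == "any" and last.dst == "any"):
            findings.append(("MEDIUM", f"{name}: no explicit final 'deny ip any any' (implicit deny only, nothing logged)"))
    if "outside" not in bindings:
        findings.append(("HIGH", "no access-group bound to interface 'outside'"))
    for iface, name in bindings.items():
        if name not in per_acl:
            findings.append(("HIGH", f"interface {iface} binds undefined access-list {name}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in review(*parse_config(cfg)) or [("OK", "no findings")]:
            print(f"{sev:6} {msg}")
```

Run against a saved `show running-config` excerpt, the weak fragment produces a HIGH finding for the `permit ip any any` and a MEDIUM finding because the outside list does not end in an explicit deny; the hardened fragment produces no findings. The explicit final deny is flagged separately from the blanket permit because, while the implicit deny would block the traffic, an explicit rule is what the reviewer can point to and what gets a hit counter, which is the kind of overt, measurable standard the reply argues for.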

 

