Firewall Wizards mailing list archives

Re: Migrate Check Point FW-1 policies to PIX


From: Roger Marquis <marquis () roble com>
Date: Wed, 6 Feb 2002 11:05:13 -0800 (PST)

Does anyone have any 'best practice' suggestions on migrating FW-1
policies to a PIX?  My company will be moving to a PIX relatively
soon and I would like to do this as seamlessly as possible.

Here are some common guidelines:

 1. Know what every rule does

  1.1 Be sure you know exactly what every single rule does

  1.2 Know your TCP and UDP ports

  1.3 Know your ICMP types (0,3,4,8 and 11 are typically considered
      safe)

  1.4 Know your IP types (unless you block non-UDP/TCP/ICMP traffic)

 2. If you cannot figure out what a rule does delete it (and see
    whether anyone notices)

  2.1 Never violate rule #2

 3. Know your applications and risks (ActiveX for example)

  3.1 Get management buy-in for any controversial or potentially
      disruptive filtering

  3.2 If you cannot get management buy-in be sure to CYA by
      documenting the risk (always assign dollar values)

  3.3 If you have to CYA be sure the risk analysis is adequately
      distributed, beyond your direct manager

 4. Know what the firewall is protecting

  4.1 Partition and encrypt valuable data, for example by establishing
      internal firewalls for legal and accounting departments

 5. Always log and read the syslogs frequently

  5.1 Consider rule-specific logging (at least temporarily)
      when changing rules

 6. Keep all configurations backed up and check in all changes
    to open-standards-based revision control software (RCS,
    CVS, SCCS, ...)

  6.1 Comment your revision check-ins if the rationale is not
      self-evident

 7. Audit thoroughly and often

  7.1 Have someone else perform audits periodically

  7.2 Use the most experienced and knowledgeable auditors /
      consultants / engineers possible (this is not an area where
      it's typically worth considering a low bidder)

 8. Read several security newsgroups and mailing lists daily

  8.1 Evaluate new exploits carefully

See also http://www.roble.com/docs/firewall_best_practices.html

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
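As an added example (not part of the original post, and not Roble Systems' or Cisco's code), the following Python script turns several of the checklist items above into a read-only audit of a PIX-style access list: item 1.1 (every rule documented by a `remark`), 1.3 (ICMP permits limited to types 0, 3, 4, 8 and 11), 1.4 (permits limited to TCP/UDP/ICMP) and 5.1 (rule-specific `log` keyword). It assumes the PIX 6.x `access-list NAME permit|deny PROTO SRC [op port] DST [op port] [icmp_type] [log]` and `access-list NAME remark TEXT` forms; the configuration it checks is a constructed sample, not a real one. Running it before a migration gives a list of rules whose purpose or exposure has to be settled before they are re-created on the new firewall.

```python
"""Read-only audit of PIX-style access-list entries against a few of the
checklist items in the post. Added example; SAMPLE_CONFIG is constructed."""
import re
from typing import Dict, List

# ICMP types the post calls "typically considered safe", with their PIX names.
SAFE_ICMP = {"0": "echo-reply", "3": "unreachable", "4": "source-quench",
             "8": "echo", "11": "time-exceeded"}
ICMP_NAME_TO_NUM = {name: num for num, name in SAFE_ICMP.items()}
# A few other PIX ICMP type names so that named types outside the safe set resolve.
ICMP_NAME_TO_NUM.update({"redirect": "5", "timestamp-request": "13",
                         "information-request": "15"})

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
REMARK_RE = re.compile(r"^access-list\s+(\S+)\s+remark\s+(.*)$")

# Constructed sample configuration (not a real one) exercising each check.
SAMPLE_CONFIG = """\
! constructed sample for the audit demo, not a real configuration
access-list outside_in remark web server, owner: web team
access-list outside_in permit tcp any host 192.0.2.10 eq www log
access-list outside_in permit icmp any any echo-reply log
access-list outside_in permit icmp any any
access-list outside_in permit gre any any
access-list outside_in remark legacy rule, owner unknown
access-list outside_in permit udp any host 192.0.2.20 range 1024 65535
access-list outside_in deny ip any any log
"""


def _skip_addr(tokens: List[str], i: int) -> int:
    """Return the index just past an address spec: any | host A | A MASK | object-group G."""
    if tokens[i] == "any":
        return i + 1
    return i + 2


def _skip_port(tokens: List[str], i: int) -> int:
    """Return the index just past an optional port operator (eq/gt/lt/neq/range)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    if i < len(tokens) and tokens[i] == "range":
        return i + 3
    return i


def audit_acl(config: str) -> List[Dict[str, object]]:
    """Return one finding per problem: {'line': n, 'acl': name, 'issue': text}."""
    findings: List[Dict[str, object]] = []
    pending_remark = None                # remark text seen just before this ACE
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if REMARK_RE.match(line):
            pending_remark = line
            continue
        m = ACE_RE.match(line)
        if not m:
            pending_remark = None        # an unrelated command breaks the pairing
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        i = _skip_port(tokens, _skip_addr(tokens, 0))   # source [port]
        i = _skip_port(tokens, _skip_addr(tokens, i))   # destination [port]
        trailing = tokens[i:]                           # [icmp_type] [log ...]
        has_log = "log" in trailing
        icmp_type = None
        if proto == "icmp" and trailing and trailing[0] != "log":
            icmp_type = trailing[0]

        issues: List[str] = []
        if pending_remark is None:                      # item 1.1
            issues.append("no 'remark' line documents this rule")
        if action == "permit":
            if proto not in ("tcp", "udp", "icmp"):     # item 1.4
                issues.append(f"permits {proto}, a protocol other than TCP/UDP/ICMP")
            elif proto == "icmp":                       # item 1.3
                if icmp_type is None:
                    issues.append("permits every ICMP type; restrict to 0, 3, 4, 8, 11")
                else:
                    num = icmp_type if icmp_type.isdigit() else ICMP_NAME_TO_NUM.get(icmp_type)
                    if num not in SAFE_ICMP:
                        issues.append(f"permits ICMP type {icmp_type}, outside the safe set")
            if not has_log:                             # item 5.1
                issues.append("permit rule has no 'log' keyword")
        findings.extend({"line": lineno, "acl": name, "issue": text} for text in issues)
        pending_remark = None                           # a remark covers one ACE only
    return findings


if __name__ == "__main__":
    for f in audit_acl(SAMPLE_CONFIG):
        print(f"line {f['line']:>2} ({f['acl']}): {f['issue']}")
```

On the sample above the tcp rule on line 3 passes cleanly, while the bare `permit icmp any any` and `permit gre any any` entries each draw three findings (undocumented, over-broad, unlogged); those are exactly the rules the post says to understand or delete before they are carried over.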

