Firewall Wizards mailing list archives
Re: Migrate Check Point FW-1 policies to PIX
From: Roger Marquis <marquis () roble com>
Date: Wed, 6 Feb 2002 11:05:13 -0800 (PST)
Does anyone have any 'best practice' suggestions on migrating FW-1 policies to a PIX? My company will be moving to a PIX relatively soon and I would like to do this as seamlessly as possible.
Here are some common guidelines:

1. Know what every rule does
 1.1 Be sure you know exactly what every single rule does
 1.2 Know your TCP and UDP ports
 1.3 Know your ICMP types (0, 3, 4, 8 and 11 are typically considered safe)
 1.4 Know your IP types (unless you block non-UDP/TCP/ICMP traffic)
2. If you cannot figure out what a rule does, delete it (and see whether anyone notices)
 2.1 Never violate rule #2
3. Know your applications and risks (ActiveX, for example)
 3.1 Get management buy-in for any controversial or potentially disruptive filtering
 3.2 If you cannot get management buy-in, be sure to CYA by documenting the risk (always assign dollar values)
 3.3 If you have to CYA, be sure the risk analysis is adequately distributed, beyond your direct manager
4. Know what the firewall is protecting
 4.1 Partition and encrypt valuable data, for example by establishing internal firewalls for legal and accounting departments
5. Always log, and read the syslogs frequently
 5.1 Consider rule-specific logging (at least temporarily) when changing rules
6. Keep all configurations backed up and check in all changes to open-standards-based revision control software (RCS, CVS, SCCS, ...)
 6.1 Comment your revision check-ins if the rationale is not self-evident
7. Audit thoroughly and often
 7.1 Have someone else perform audits periodically
 7.2 Use the most experienced and knowledgeable auditors / consultants / engineers possible (this is not an area where it's typically worth considering a low bidder)
8. Read several security newsgroups and mailing lists daily
 8.1 Evaluate new exploits carefully

See also http://www.roble.com/docs/firewall_best_practices.html

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
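As an added example (not part of the post above), a small audit script that applies checklist items 1.3, 1.4 and 5.1 to PIX-style access-list lines before they go live: it flags permit rules for protocols other than TCP/UDP/ICMP, ICMP permits with no type or a type outside the "safe" set, and permits that carry no 'log' keyword. The config lines it scans are constructed, and the `access-list NAME permit PROTO SRC DST [type|port] [log]` layout it assumes is a simplification of the real syntax.

```python
import re

# Checklist items 1.3, 1.4 and 5.1 from the post, expressed as checks.
SAFE_ICMP_TYPES = {"0", "3", "4", "8", "11", "echo-reply", "unreachable",
                   "source-quench", "echo", "time-exceeded"}
ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp"}
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

# Constructed sample config (assumed PIX-like syntax, not a real policy).
SAMPLE_CONFIG = """\
access-list outside_in permit tcp any host 192.0.2.10 eq 25 log
access-list outside_in permit icmp any any echo-reply log
access-list outside_in permit icmp any any
access-list outside_in permit icmp any any redirect log
access-list outside_in permit gre any host 192.0.2.20
access-list outside_in deny ip any any log
"""

def _skip_addr(tokens, i):
    """Skip one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if i < len(tokens) and tokens[i] == "any":
        return i + 1
    return i + 2

def audit_line(line):
    """Return the list of findings for one access-list line ([] if clean)."""
    m = ACL_RE.match(line.strip())
    if not m:
        return []
    _name, action, proto, rest = m.groups()
    if action != "permit":
        return []  # deny rules do not widen exposure; nothing to flag
    proto, tokens, findings = proto.lower(), rest.split(), []
    if proto not in ALLOWED_PROTOCOLS:
        findings.append(f"permits non-TCP/UDP/ICMP protocol '{proto}'")
    # Tail = everything after source and destination: type/port, then 'log'.
    tail = tokens[_skip_addr(tokens, _skip_addr(tokens, 0)):]
    if proto == "icmp":
        if not tail or tail[0] == "log":
            findings.append("permits all ICMP types (no type given)")
        elif tail[0] not in SAFE_ICMP_TYPES:
            findings.append(f"permits ICMP type '{tail[0]}' outside the safe set")
    if "log" not in tail:
        findings.append("permit rule has no 'log' keyword")
    return findings

def audit_config(config_text):
    """Map 1-based line numbers to findings; clean lines are omitted."""
    report = {}
    for n, line in enumerate(config_text.splitlines(), 1):
        if audit_line(line):
            report[n] = audit_line(line)
    return report
```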