Firewall Wizards mailing list archives

Re: Pix rulebase/policy analysis


From: James <jimbob.coffey () gmail com>
Date: Sat, 22 Sep 2007 12:56:22 +1000

On 9/21/07, Richard Golodner <rgolodner () infratection com> wrote:
> 1- A spreadsheet is a good way to keep track of the current rule set
> you have applied to the Pix. It must be maintained and kept up to date. For

Personally I would rather the config be self-documenting. Add remarks to the access-list entries if that is important to you, but I don't see how a spreadsheet adds any value over and above the live rulebase, and you always have the problem of version drift with 2 "sources of truth". Your source of truth is the live config.


> 2- It is never a real good idea to jeopardize the current
> configuration by making changes in real time. Copy it to a text editor and
> make the changes, then apply it to your Pix.

I prefer the syntax validation of configuring at the command line rather than writing lines of text in an editor that gets blasted in with syntax errors, and then you have to go and fix the whole thing, and in some cases it can be confusing which commands were applied and which weren't. Also, with compiled ACLs these days, set your mode to manual commit and you can rejig the rulebase as much as you like (with syntax verification), and when you are happy with the ruleset order then commit the changes.

> MAKE SURE YOU HAVE A BACKUP OF YOUR CURRENT FUNCTIONING CONFIG!

Yep. RANCID is the ticket, forget tftp backups. Why vendors allow a firewall config to be transferred in plain text is beyond me.


just my 2c
-- 
jac
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
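As an added illustration of the version-drift problem James describes between a spreadsheet and the live rulebase (example code, not from the thread or from any project mentioned in it), the script below compares a constructed CSV export of a rule spreadsheet against a constructed PIX running config and reports rules that exist in only one of them. The ACL name, addresses, owners and CSV column names are all made up for the example.

```python
import csv
import io
import re

# Constructed sample of "show running-config" output, not from a real device.
RUNNING_CONFIG = """\
access-list outside_in remark Web front end in the DMZ
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in remark Emergency vendor access, added 2007-09-20
access-list outside_in permit tcp host 198.51.100.7 host 192.0.2.20 eq 3389
access-list outside_in deny ip any any log
access-group outside_in in interface outside
"""

# Constructed spreadsheet export: the vendor rule was never written down,
# and the SMTP rule was removed from the box but not from the sheet.
SPREADSHEET_CSV = """\
acl,rule,owner
outside_in,permit tcp any host 192.0.2.10 eq www,webteam
outside_in,permit tcp any host 192.0.2.10 eq 443,webteam
outside_in,permit tcp any host 192.0.2.30 eq smtp,mailteam
outside_in,deny ip any any log,secops
"""

ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")

def normalize(rule):
    # Collapse whitespace so cosmetic differences do not count as drift.
    return " ".join(rule.split())

def rules_from_config(text):
    """Set of (acl, rule) pairs in a PIX config; remark lines are skipped."""
    rules = set()
    for line in text.splitlines():
        m = ACL_LINE.match(line.strip())
        if m and not m.group(2).startswith("remark"):
            rules.add((m.group(1), normalize(m.group(2))))
    return rules

def rules_from_spreadsheet(text):
    """Set of (acl, rule) pairs recorded in the CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return {(row["acl"], normalize(row["rule"])) for row in reader}

def find_drift(config_text, csv_text):
    """Return (live but undocumented, documented but no longer live)."""
    live, documented = rules_from_config(config_text), rules_from_spreadsheet(csv_text)
    return sorted(live - documented), sorted(documented - live)
```

Calling `find_drift(RUNNING_CONFIG, SPREADSHEET_CSV)` on the sample data flags the vendor RDP rule as undocumented and the SMTP rule as stale, which is exactly the two-sources-of-truth problem the post warns about.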

