Re: [fw-wiz] Pix rulebase/policy analysis

I'll try to help on a couple. Comments below.


On Wednesday 19 September 2007 09:11, jacob c wrote:
I'm a newbie to the PIX line but these questions would apply to other
firewalls as well. I have some questions that I hope you guys can
assist me with.

Two Questions:
1) What is the best/easiest way to document a current policy?
Spreadsheet?? I would like to know what ports (services) are open and
to where? Also duplicates, etc.? Would it be best just to put it in a
spreadsheet? Is there a tool for this?
2) Once an audit/analysis has been made, what is a good way to make
the new changes, if there are many? Would it be best just to download
the config and modify it offline?
3) What is the method to see what rules are being hit the most so I
can rearrange the rules in the most logical, efficient order?

What code are you running? Beginning with 7.0, iirc, access lists are
always compiled. This means that they aren't searched sequentially but
in more of a tree structure. Beginning with 6.2, this was an option
that could be turned on. So, depending on your code, rule order in your
config may or may not be an issue at all in terms of efficiency on the

4) Is there a standard analysis checklist to go by when reviewing a
PIX firewall policy?

One place to start if you haven't seen it already is the Center for
Internet Security. They have benchmarks for the entire config, not just
the policy. Any given policy, of course, may vary widely from the next
based on organizational needs, so it's hard to come up with a standard
checklist that's detailed in terms of the policy.

Any help is highly appreciated.
Thank you,

firewall-wizards mailing list
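Added example, not code from the original thread or from either poster: questions 1 and 3 above (what is open to where, duplicates, which rules are hit most) can be answered from the output of `show access-list`, which reports a per-ACE hit counter. The script below parses that output into a tab-separated table, flags exact duplicate entries and entries that have never matched, and ranks entries by hit count. Assumptions: the sample output is constructed, the line layout is modelled on PIX 7.x-style output (`access-list NAME line N extended permit ... (hitcnt=N) 0x...`), and the function names are this example's own.

```python
"""Turn PIX/ASA `show access-list` output into a rule table: list what is
open to where, flag exact duplicates and never-hit rules, rank by hits.

Added example, not code from the original thread.  The SAMPLE text is
constructed and the line layout is an assumption modelled on PIX 7.x
style output (`... line N extended permit ... (hitcnt=N) 0x...`); 6.x
output without `line N`, and `object`/`any4`/`any6` address forms, are
not handled here."""
import re

# Constructed sample output (assumed layout, see module docstring).
SAMPLE = """\
access-list outside_in; 5 elements
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=48211) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq https (hitcnt=30517) 0x2b3c4d5e
access-list outside_in line 3 extended permit tcp any host 192.0.2.20 eq smtp (hitcnt=0) 0x3c4d5e6f
access-list outside_in line 4 extended permit tcp any host 192.0.2.10 eq www (hitcnt=0) 0x4d5e6f70
access-list outside_in line 5 extended deny ip any any (hitcnt=917) 0x5e6f7081
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)\s*\(hitcnt=(?P<hits>\d+)\)"
)

# Port operators and how many arguments each one takes.
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}


def take_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (text, next_i)."""
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    # host X, object-group G, interface IF, or NETWORK MASK: all two tokens.
    return f"{t} {tokens[i + 1]}", i + 2


def take_ports(tokens, i):
    """Consume an optional port spec (eq/neq/gt/lt X, range A B)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]] + 1
        return " ".join(tokens[i:i + n]), i + n
    return "", i


def parse_show_access_list(text):
    """Return one dict per ACE; header, remark and unrecognised lines are skipped."""
    rules = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        src, i = take_addr(tokens, 0)
        sport, i = take_ports(tokens, i)
        dst, i = take_addr(tokens, i)
        dport, i = take_ports(tokens, i)
        rules.append({
            "acl": m.group("acl"), "line": int(m.group("line")),
            "action": m.group("action"), "proto": m.group("proto"),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "hits": int(m.group("hits")),
        })
    return rules


def rule_key(r):
    """Everything that defines what the rule matches, i.e. all but line and hits."""
    return (r["acl"], r["action"], r["proto"], r["src"], r["sport"], r["dst"], r["dport"])


def find_duplicates(rules):
    """(first_line, later_line) pairs where a later ACE repeats an earlier one
    exactly.  The later copy can never match, so it is dead weight in the policy."""
    first_seen, dups = {}, []
    for r in rules:
        k = rule_key(r)
        if k in first_seen:
            dups.append((first_seen[k], r["line"]))
        else:
            first_seen[k] = r["line"]
    return dups


def unused_rules(rules):
    """Line numbers of ACEs with a zero hit count since the counters were last cleared."""
    return [r["line"] for r in rules if r["hits"] == 0]


def rank_by_hits(rules):
    """Most-hit first; ties keep configured order (sorted() is stable)."""
    return sorted(rules, key=lambda r: r["hits"], reverse=True)


def format_table(rules):
    """Tab-separated table that pastes straight into a spreadsheet or change ticket."""
    cols = ("acl", "line", "action", "proto", "src", "sport", "dst", "dport", "hits")
    out = ["\t".join(cols)]
    for r in rules:
        out.append("\t".join(str(r[c]) for c in cols))
    return "\n".join(out)


if __name__ == "__main__":
    rules = parse_show_access_list(SAMPLE)
    print(format_table(rank_by_hits(rules)))
    print("exact duplicates (first, later):", find_duplicates(rules))
    print("never hit:", unused_rules(rules))
```

Two caveats when using this on a real box. Hit counters only count traffic since they were last cleared or since the last reload, so collect the output over a period that covers your normal traffic cycle before treating a zero as "unused". And exact-duplicate detection is not shadow analysis: a broader earlier entry (say, `permit tcp any host 192.0.2.10`) would make a later, narrower `eq www` entry unreachable without the two keys being equal, so a zero hit count on a rule that looks distinct is still worth a manual look. On the compiled access lists the reply mentions, reordering by hit count buys no lookup efficiency, but removing dead and duplicate entries still makes the policy easier to document and audit.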
