Re: [fw-wiz] Pix rulebase/policy analysis

I'll try to help on a couple. Comments below.


On Wednesday 19 September 2007 09:11, jacob c wrote:
> I'm a newbie to the PIX line but these questions would apply to other
> firewalls as well. I have some questions that I hope you guys can
> assist me with.
>
> Two Questions:
> 1) What is the best/easiest way to document a current policy?
> Spreadsheet?? I would like to know what ports (services) are open and
> to where? Also duplicates, etc.? Would it be best just to put it in a
> spreadsheet? Is there a tool for this?
> 2) Once an audit/analysis has been made, what is a good way to make
> the new changes, if there are many? Would it be best just to download
> the config and modify it offline?
> 3) What is the method to see what rules are being hit the most so I
> can rearrange the rules in the most logical, efficient order?

What code are you running? Beginning with 7.0, iirc, access lists are
always compiled. This means that they aren't searched sequentially but
in more of a tree structure. Beginning with 6.2, this was an option
that could be turned on. So, depending on your code, rule order in your
config may or may not be an issue at all in terms of efficiency on the

> 4) Is there a standard Analysis checklist to go by when reviewing a
> PIX firewall policy?

One place to start if you haven't seen it already is the Center for
Internet Security. They have benchmarks for the entire config, not just
the policy. Any given policy, of course, may vary widely from the next
based on organizational needs, so it's hard to come up with a standard
checklist that's detailed in terms of the policy.

> Any help is highly appreciated.
> Thank you,

firewall-wizards mailing list
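An added example, not from either poster: a small Python parser over PIX/ASA 7.x-style `show access-list` output that turns each access-control entry into a record, ranks entries by hit count, and flags duplicates and zero-hit entries (the "which rules are hit the most" and "duplicates" parts of the question). The `SAMPLE` text and the `outside_in` ACL are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of PIX/ASA 7.x-style "show access-list" output; not from the thread.
SAMPLE = """\
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq 443 (hitcnt=5120) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq 80 (hitcnt=870) 0x2b3c4d5e
access-list outside_in line 3 extended permit tcp any host 192.0.2.11 eq 25 (hitcnt=0) 0x3c4d5e6f
access-list outside_in line 4 extended permit tcp any host 192.0.2.10 eq 443 (hitcnt=0) 0x4d5e6f70
access-list outside_in line 5 extended deny ip any any (hitcnt=23) 0x5e6f7081
"""

# One ACE per line: ACL name, position, action, protocol, source, destination, optional port, hit count.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<src>any|host \S+|\S+ \S+) "
    r"(?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\S+))? \(hitcnt=(?P<hits>\d+)\)"
)
FIELDS = ["acl", "line", "action", "proto", "src", "dst", "port", "hits"]


def parse_show_access_list(text):
    """Turn show access-list output into a list of dicts; lines that are not ACEs are skipped."""
    rules = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        ace = m.groupdict()
        ace["line"], ace["hits"] = int(ace["line"]), int(ace["hits"])
        ace["port"] = ace["port"] or "any"
        rules.append(ace)
    return rules


def rank_by_hits(rules):
    """Most-hit entries first, for seeing which rules carry the traffic."""
    return sorted(rules, key=lambda r: r["hits"], reverse=True)


def find_duplicates(rules):
    """Entries whose match criteria repeat within the same ACL; the later copy is redundant."""
    key = lambda r: tuple(r[f] for f in FIELDS if f not in ("line", "hits"))
    seen = Counter(key(r) for r in rules)
    return [r for r in rules if seen[key(r)] > 1]


def unused(rules):
    """Zero-hit entries: review candidates, but only after a representative traffic window."""
    return [r for r in rules if r["hits"] == 0]
```

The dicts returned by `parse_show_access_list` can be handed straight to `csv.DictWriter` with `FIELDS` as the header if a spreadsheet view is wanted.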