Re: [fw-wiz] Pix rulebase/policy analysis
- From: "Richard Golodner" <rgolodner@xxxxxxxxxxxxxxxx>
- Date: Thu, 20 Sep 2007 13:03:30 -0400
1- A spreadsheet is a good way to keep track of the current rule set
you have applied to the Pix. It must be maintained and kept up to date. For
determining what services are being allowed, or blocked look at the
running-configuration. You could also use NMAP to see what services you are
running. This will show you what the public network sees.
2- It is never a real good idea to jeopardize the current
configuration by making changes in real time. Copy it to a text editor and
make the changes, then apply it to your Pix. MAKE SURE YOU HAVE A BACKUP OF
YOUR CURRENT FUNCTIONING CONFIG!
3- Check your logging application to see what rules are being tested
the most. Also look at your ACLs' hit counts.
4- I am unaware of a standard analysis checklist.
Hope this helps a little, Richard Golodner
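Added example (not part of the original post and not a Cisco tool) for points 1 and 3 above: a short Python script that reads the output of `show access-list` and reports the most-hit entries, zero-hit entries, and duplicate entries within an ACL. It assumes the `(hitcnt=N)` format that PIX/ASA print after each access-list entry; the `line N` and `extended` keywords are optional in the regex because older PIX 6.x output omits them. The sample output embedded below is constructed for the example, not captured from a real firewall.

```python
"""Summarize PIX/ASA ACL hit counts from 'show access-list' output (added example)."""
import re
from collections import defaultdict

# Assumed line shape (PIX/ASA 7.x style; 6.x lacks 'line N' and 'extended'):
#   access-list NAME [line N] [extended] permit|deny ... (hitcnt=N) [0xHASH]
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)"
    r"(?:\s+line\s+(?P<line>\d+))?"
    r"(?:\s+extended)?"
    r"\s+(?P<rule>(?:permit|deny)\s.+?)"
    r"\s+\(hitcnt=(?P<hits>\d+)\)"
    r"(?:\s+0x[0-9a-fA-F]+)?\s*$"
)

# Constructed sample of 'show access-list' output; line 4 repeats line 1 and
# therefore never matches (PIX ACLs are first-match), so it shows 0 hits.
SAMPLE = """\
access-list outside_in; 6 elements
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=48213) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq https (hitcnt=9731) 0x2b3c4d5e
access-list outside_in line 3 extended permit tcp host 198.51.100.7 host 192.0.2.20 eq ssh (hitcnt=0) 0x3c4d5e6f
access-list outside_in line 4 extended permit tcp any host 192.0.2.10 eq www (hitcnt=0) 0x4d5e6f70
access-list outside_in line 5 extended permit udp any host 192.0.2.30 eq domain (hitcnt=1520) 0x5e6f7081
access-list outside_in line 6 extended deny ip any any log (hitcnt=77) 0x6f708192
"""


def parse_show_access_list(text):
    """Return one dict per access-list entry; header lines ('...; N elements') are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "acl": m["acl"],
            "line": int(m["line"]) if m["line"] else None,
            "rule": " ".join(m["rule"].split()),  # normalise whitespace for comparison
            "hits": int(m["hits"]),
        })
    return entries


def rank_by_hits(entries):
    """Entries sorted by hit count, busiest first (question 3 in the thread)."""
    return sorted(entries, key=lambda e: e["hits"], reverse=True)


def zero_hit(entries):
    """Entries that have matched nothing since the counters were last cleared."""
    return [e for e in entries if e["hits"] == 0]


def duplicates(entries):
    """Map (acl, rule text) -> list of line numbers for rules that appear more than once."""
    seen = defaultdict(list)
    for e in entries:
        seen[(e["acl"], e["rule"])].append(e["line"])
    return {key: lines for key, lines in seen.items() if len(lines) > 1}


def report(text):
    """Human-readable summary; returned as a string so it can be saved with the config backup."""
    entries = parse_show_access_list(text)
    out = ["Top entries by hit count:"]
    for e in rank_by_hits(entries)[:5]:
        out.append(f"  {e['acl']} line {e['line']}: {e['hits']:>8}  {e['rule']}")
    out.append("Zero-hit entries (review before removing; counters reset on reload):")
    for e in zero_hit(entries):
        out.append(f"  {e['acl']} line {e['line']}: {e['rule']}")
    out.append("Duplicate entries (later copies can never match on a first-match ACL):")
    for (acl, rule), lines in duplicates(entries).items():
        out.append(f"  {acl} lines {lines}: {rule}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Paste real `show access-list` output into `SAMPLE` or read it from a saved file. Two caveats a practitioner will want: hit counters start from zero after a reload or `clear access-list counters`, so a zero-hit entry may simply be one whose traffic (a quarterly job, a DR test) has not happened yet in the sampling window; and because PIX evaluates an ACL top-down and stops at the first match, a duplicate or broader earlier entry will hide a later one, which is why line 4 in the sample shows zero hits.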
_____
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of jacob
c
Sent: Wednesday, September 19, 2007 10:12 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Pix rulebase/policy analysis
I'm a newbie to the PIX line but these questions would apply to other
firewalls as well. I have some questions that I hope you guys can assist me
with.
Two Questions:
1) What is the best/easiest way to document a current policy? Spreadsheet?? I
would like to know what ports (services) are open and to where? Also duplicates,
etc.? Would it be best just to put it in a spreadsheet? Is there a tool for this?
2) Once an audit/analysis has been made, what is a good way to make the new
changes, if there are many? Would it be best just to download the config and
modify it offline?
3) What is the method to see what rules are being hit the most so I can
rearrange the rules in the most logical, efficient order?
4) Is there a standard analysis checklist to go by when reviewing a PIX
firewall policy?
Any help is highly appreciated.
Thank you,
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards