Re: [fw-wiz] Pix rulebase/policy analysis

My suggestions were based on the fact that he describes himself as
new to the Pix. You make very good points regarding the text editor, but I
have never had a problem using one.
Version drift is also a concern, but hopefully there is only one
person actually making the changes to the device and maintaining the
documentation. Even at some of the larger SPs I have worked at there was one
person devoted to this task.
Obviously you are a much younger person than me as you demonstrate
insight into current technologies that an old man like me is just too lazy
to incorporate. LOL!
Be cool, Richard

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of James
Sent: Friday, September 21, 2007 10:56 PM
To: Firewall Wizards Security Mailing List
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Pix rulebase/policy analysis

On 9/21/07, Richard Golodner <rgolodner@xxxxxxxxxxxxxxxx> wrote:
1- A spreadsheet is a good way to keep track of the current rule set
you have applied to the Pix. It must be maintained and kept up to date.

Personally I would rather the config be self documenting. Add remarks
to the access-list entries if that is important to you but I don't see
how a spreadsheet
adds any value over and above the live rulebase and you always have
the problem of
version drift with 2 "sources of truth". Your source of truth is the
live config.

2- It is never a real good idea to jeopardize the current
configuration by making changes in real time. Copy it to a text editor and
make the changes, then apply it to your Pix.

I prefer the syntax validation of configuring at the command line rather
writing lines of text in an editor that gets blasted in with syntax
errors and you have
to go and fix the whole thing and in some cases it can be confiusing
which commands were applied and which weren't. Also with compiled
acls these days set your mode to manual commit and you can rejig the
rulebase as much as you like (with syntax verification) and when you
are happy with the ruleset order then commit the changes


Yep. RANCID is the ticket, forget tftp backups. Why vendors allow a
firewall config
to be transferred in plain text is beyond me.

just my 2c
firewall-wizards mailing list

firewall-wizards mailing list