Re: [fw-wiz] Pix rulebase/policy analysis



My suggestions were based on the fact that he describes himself as
new to the Pix. You make very good points regarding the text editor, but I
have never had a problem using one.
Version drift is also a concern, but hopefully there is only one
person actually making the changes to the device and maintaining the
documentation. Even at some of the larger SPs I have worked at there was one
person devoted to this task.
Obviously you are a much younger person than me as you demonstrate
insight into current technologies that an old man like me is just too lazy
to incorporate. LOL!
Be cool, Richard

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of James
Sent: Friday, September 21, 2007 10:56 PM
To: Firewall Wizards Security Mailing List
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Pix rulebase/policy analysis

On 9/21/07, Richard Golodner <rgolodner@xxxxxxxxxxxxxxxx> wrote:
1- A spreadsheet is a good way to keep track of the current rule set
you have applied to the Pix. It must be maintained and kept up to date.
For

Personally I would rather the config be self-documenting. Add remarks
to the access-list entries if that is important to you, but I don't see
how a spreadsheet adds any value over and above the live rulebase, and
you always have the problem of version drift with 2 "sources of truth".
Your source of truth is the live config.


2- It is never a real good idea to jeopardize the current configuration
by making changes in real time. Copy it to a text editor and make the
changes, then apply it to your Pix.

I prefer the syntax validation of configuring at the command line rather
than writing lines of text in an editor that gets blasted in with syntax
errors, and you have to go and fix the whole thing, and in some cases it
can be confusing which commands were applied and which weren't. Also,
with compiled ACLs these days, set your mode to manual commit and you
can rejig the rulebase as much as you like (with syntax verification),
and when you are happy with the ruleset order then commit the changes.

MAKE SURE YOU HAVE A BACKUP OF YOUR CURRENT FUNCTIONING CONFIG!

Yep. RANCID is the ticket, forget tftp backups. Why vendors allow a
firewall config to be transferred in plain text is beyond me.


just my 2c
--
jac
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

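Added example, not from the thread and not Cisco's or RANCID's code. James's point about a single source of truth can be taken one step further: instead of maintaining a spreadsheet beside the Pix, generate it from the live config. The Python below parses a constructed PIX-style access-list configuration (6.x syntax with nothing between the ACL name and the action, and 7.x syntax with the "extended" keyword), attaches each "remark" line to the ACE that follows it, lists the ACEs that carry no remark at all, and emits a CSV view of the rulebase. Point it at the config RANCID pulls and the documentation cannot drift from what is actually running. The sample config, ACL names, addresses and ticket numbers are invented for illustration; the parser covers the common ACE forms (any, host, network/mask, object-group, eq/neq/lt/gt/range ports, trailing options such as "log") and silently skips standard ACLs and anything else it does not understand.

```python
# Added example, not from the thread: generate the "spreadsheet" from a PIX
# access-list config so the documentation cannot drift from the live rulebase.
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample (invented names/addresses) mixing PIX 7.x "extended" syntax
# with 6.x syntax, which has nothing between the ACL name and the action.
SAMPLE_CONFIG = """\
access-list outside_in remark Ticket 4711: public web farm, HTTPS only
access-list outside_in extended permit tcp any host 192.0.2.10 eq https
access-list outside_in remark Ticket 4712: partner SFTP from the partner netblock
access-list outside_in extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.20 eq 22
access-list outside_in extended permit udp any host 192.0.2.30 eq 514
access-list outside_in remark Explicit deny, logged
access-list outside_in extended deny ip any any log
access-list dmz_out remark DNS from the DMZ resolvers only
access-list dmz_out permit udp object-group DMZ_RESOLVERS any eq domain
access-list dmz_out deny ip any any
"""

PORT_OPS = ("eq", "neq", "lt", "gt")

@dataclass
class Ace:
    acl: str
    position: int           # 1-based match order within its ACL
    action: str
    protocol: str
    source: str
    destination: str
    service: str            # port spec, "-" if none
    options: str            # trailing keywords such as "log"
    remark: Optional[str]   # remark line(s) immediately preceding this ACE

def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: any | host A | object-group G | A MASK."""
    if tok[i] == "any":
        return "any", i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2      # the other three forms are two tokens

def _take_port(tok: List[str], i: int, allow_group: bool) -> Tuple[str, int]:
    """Consume an optional port spec; a service object-group is only legal after
    the destination, where it cannot be mistaken for an address object-group."""
    if i < len(tok) and tok[i] in PORT_OPS:
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if i < len(tok) and tok[i] == "range":
        return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
    if i < len(tok) and allow_group and tok[i] == "object-group":
        return f"object-group {tok[i + 1]}", i + 2
    return "", i

def parse_pix_acls(config: str) -> Dict[str, List[Ace]]:
    """Return {acl_name: [Ace, ...]} in configured order with remarks attached."""
    acls: Dict[str, List[Ace]] = {}
    pending: Dict[str, List[str]] = {}    # remarks waiting for their ACE, per ACL
    for raw in config.splitlines():
        parts = raw.split(None, 2)
        if len(parts) < 3 or parts[0] != "access-list":
            continue
        name, rest = parts[1], parts[2]
        if rest.startswith("remark "):
            pending.setdefault(name, []).append(rest[len("remark "):].strip())
            continue
        tok = rest.split()
        if tok[0] == "extended":              # 7.x keyword; 6.x goes straight to the action
            tok = tok[1:]
        if tok[0] not in ("permit", "deny"):
            continue                          # standard ACLs, "compiled", etc. are skipped
        src, i = _take_addr(tok, 2)
        sport, i = _take_port(tok, i, allow_group=False)
        dst, i = _take_addr(tok, i)
        dport, i = _take_port(tok, i, allow_group=True)
        service = (f"src {sport}; " if sport else "") + (dport or "-")
        entries = acls.setdefault(name, [])
        entries.append(Ace(name, len(entries) + 1, tok[0], tok[1], src, dst, service,
                           " ".join(tok[i:]), " / ".join(pending.pop(name, [])) or None))
    return acls

def undocumented(acls: Dict[str, List[Ace]]) -> List[Ace]:
    """ACEs with no remark in front of them: the rules nobody wrote down."""
    return [a for entries in acls.values() for a in entries if a.remark is None]

def to_csv(acls: Dict[str, List[Ace]]) -> str:
    """The spreadsheet view, generated from the config rather than kept beside it."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["acl", "pos", "action", "proto", "source", "destination", "service", "options", "remark"])
    for a in (a for entries in acls.values() for a in entries):
        w.writerow([a.acl, a.position, a.action, a.protocol, a.source, a.destination,
                    a.service, a.options, a.remark or ""])
    return buf.getvalue()

if __name__ == "__main__":
    rules = parse_pix_acls(SAMPLE_CONFIG)
    print(to_csv(rules), end="")
    print("no remark:", [(a.acl, a.position) for a in undocumented(rules)])
```

Run as a script it prints the CSV and then the rules that have no remark; in the constructed sample those are the syslog rule in outside_in and the final deny in dmz_out. Remarks are attached to the next ACE in the same ACL only, so a remark left dangling at the end of an ACL (its rule was deleted but the remark was not) is simply dropped, which is itself a hint that the config needs tidying.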

