Best practices for PIX ACL's

dgalati000
Level 1

Installed a new PIX and want to secure both outside and inside using ACL's, etc.

Anyone know of a good doc, perhaps on the Safe site?

5 Replies

whisperwind
Level 1

I am unaware of a document like that. I can, however, give you some pointers from my experience.

1. Remember the implicit deny all

2. Be as granular in permitting traffic as you can be

3. Sometimes the best engineered solution has to bend to business needs

4. Use object groups to group subnets / hosts

5. Use the remark feature so 2 months from now you can recall why something is there

That's my .05, hope it helps.

Thanks, yes, I'll add those to my list of to-do's.

lowen
Level 1

SANS offers a course called "Working with Firewall Rule Bases". If you've been working with firewalls a long time, you may or may not find it useful, but it deals with just this sort of thing, and I think it would be very good for someone relatively inexperienced with working with firewalls. Here's a URL:

http://www.sans.org/training/description.php?mid=130&portal=6239c11a87ccaa2cc1cc4e1010fe7065

Larry Owen

Read RFC 2827.

And block everything from China, unless that's where you live.

Google 'bogon filtering'.

Thanks, srue. I need to go there to read up on my BGP RFCs anyway; I'll check this one as well. I'm new to mid to PIX so if I have questions, I'll post 'em here.
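Several pointers from this thread (granular permits, remark lines, and RFC 2827 / bogon filtering on the outside interface) can be checked mechanically. The following Python script is an added example, not code from any poster or from Cisco: it audits PIX-style `access-list` lines, and the ACL names, the sample config and the short bogon subset are constructed assumptions.

```python
import ipaddress
import re

# Constructed subset of ranges that should never be a source on the outside; real bogon lists are longer.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RULE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(remark|permit|deny)\s*(.*)$")

# Constructed sample config; ACL names and addresses are illustrative only.
SAMPLE = """\
access-list outside_in remark anti-spoofing, see RFC 2827
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list inside_out permit ip any any
"""

def parse_source(tokens):
    """Return the rule source as an ip_network, the string 'any', or None."""
    if tokens[:1] == ["any"]:
        return "any"
    if len(tokens) > 1 and tokens[0][0].isdigit():
        # PIX ACLs take a netmask, not a wildcard mask
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return None  # host, object-group or other form, not resolved here

def audit(config, outside_acl):
    """List findings for broad permits, missing remarks and unfiltered bogons."""
    findings, acls, remarked, denied = [], set(), set(), []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue
        name, action, rest = m.groups()
        acls.add(name)
        tokens = rest.split()
        if action == "remark":
            remarked.add(name)
        elif len(tokens) >= 3 and tokens[0] == "ip":
            src = parse_source(tokens[1:])
            if action == "permit" and src == "any" and tokens[2] == "any":
                findings.append(f"{name}: 'permit ip any any' is not granular")
            if action == "deny" and name == outside_acl and src not in (None, "any"):
                denied.append(src)
    findings += [f"{n}: no remark lines" for n in sorted(acls - remarked)]
    # Rule order is not evaluated; this only checks that a covering deny exists.
    findings += [f"{outside_acl}: no deny for source {b}" for b in BOGONS
                 if not any(b.subnet_of(d) for d in denied)]
    return findings
```

Calling `audit(SAMPLE, "outside_in")` returns one finding per problem, so an empty list means the config passed all three checks.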
