Re: [fw-wiz] Firewalls that generate new packets..
I think this came out yesterday. Amongst other recommendations are these
SANS Top-20 2007 Security Risks (2007 Annual Update)
Z1.4. How to Protect against the vulnerabilities
Protecting against zero day vulnerability exploitation is a matter of great
concern for most system administrators. To reduce the impact of a zero day
attack, follow best business practices such as:
* Adopt a deny-all stance on firewalls and perimeter devices that protect
* Separate public-facing servers from internal systems
Sigh. Do you think anyone will start listening yet?
Patrick M. Hausen wrote:
> E.g. does PIX still have these implied rules that say: if I
> configure port X from here to there, this automatically implies
> the same access to all interfaces with a lower security level than
> 'there'? This is the case in 6.x - now, whoever at Cisco came
> up with this concept should be shot.
> I have not looked at 7.x or ASA, yet.
Patrick, I've been wondering the same thing. I have customers with ASA and
they still seem to have an allow-all default (judging from the number of
them I've run across that are actively botted.)
I would like to confirm if the ASA still has the default allow-all outbound
firewall-wizards mailing list
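One way to check a box for the allow-all outbound default the thread worries about, as an added example that is not part of the original post or of any Cisco tooling: it parses an ASA-style running-config (constructed sample below, not from a real device) and flags every interface that has no access-group bound, since on ASA 7.x and later an interface without an ACL falls back to the security-level rule of permitting everything towards lower-security interfaces.

```python
# Audit a Cisco ASA running-config: interfaces with no inbound ACL bound keep
# the security-level default (implicit permit to every lower-security
# interface), i.e. effectively allow-all outbound.
import re

# Constructed sample config, not taken from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
access-list DMZ_OUT extended permit tcp any any eq 53
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface dmz
"""

def parse_interfaces(config):
    """Return {nameif: security-level} for every named interface."""
    levels, name = {}, None
    for line in config.splitlines():
        m_name = re.match(r"\s+nameif\s+(\S+)", line)
        m_level = re.match(r"\s+security-level\s+(\d+)", line)
        if m_name:
            name = m_name.group(1)
        elif m_level and name is not None:
            levels[name] = int(m_level.group(1))
            name = None
    return levels

def parse_inbound_acls(config):
    """Return {nameif: acl} for each 'access-group ACL in interface NAME'."""
    pattern = r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)"
    return {m.group(2): m.group(1) for m in re.finditer(pattern, config, re.M)}

def unrestricted_outbound(config):
    """(interface, lower-security interfaces reachable) for each interface lacking an ACL."""
    levels, acls = parse_interfaces(config), parse_inbound_acls(config)
    findings = []
    for name, level in levels.items():
        if name in acls:
            continue  # a bound ACL (with its implicit deny) governs egress instead
        lower = sorted(n for n, lvl in levels.items() if lvl < level)
        if lower:
            findings.append((name, lower))
    return findings
```

In the sample, `inside` is reported because nothing is bound to it, while `dmz` is not, its DMZ_OUT list ending in an explicit deny; the check ignores global ACLs and any permit-any entries inside a bound list, so it is a first pass, not a full policy review.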