I think this came out yesterday. Amongst other recommendations are these
snippets.

SANS Top-20 2007 Security Risks (2007 Annual Update)
http://www.sans.org/top20/

<...snip...>
Z1.4. How to Protect against the vulnerabilities

Protecting against zero day vulnerability exploitation is a matter of great
concern for most system administrators. To reduce the impact of a zero day
attack, follow best business practices such as:

* Adopt a deny-all stance on firewalls and perimeter devices that protect
internal networks
* Separate public-facing servers from internal systems
<...snip...>


Sigh. Do you think anyone will start listening yet?


Patrick M. Hausen wrote:
> E.g. does PIX still have these implied rules that say: if I
> configure port X from here to there, this automatically implies
> the same access to all interfaces with a lower security level than
> 'there'? This is the case in 6.x - now, whoever at Cisco came
> up with this concept should be shot.
>
> I have not looked at 7.x or ASA, yet.


Patrick, I've been wondering the same thing. I have customers with ASA and
they still seem to have an allow-all default (judging from the number of
them I've run across that are actively botted).
I would like to confirm whether the ASA still has the default allow-all
outbound policy.


_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
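A small audit script for the concern raised in the thread, added here as an example; it is not from the post, from SANS, or from Cisco. It assumes the PIX/ASA behaviour the thread describes: an interface with no inbound access-group applied gets an implicit permit to every interface with a lower security-level, which is the "allow-all outbound" default the poster wants to confirm. The script parses a constructed ASA-style config (interface names, security levels and access-group lines are all made up for illustration), reports which interfaces rely on that implicit permit and which lower-security interfaces they can reach, and shows the deny-all counterpart: an explicit ACL bound inbound on each internal interface so that only named flows leave.

```python
"""Flag PIX/ASA-style interfaces that rely on the implicit outbound permit.

Added example (not the post's or Cisco's own code).  Assumption: an interface
with no 'access-group NAME in interface IF' line can send to every interface
whose security-level is lower, with no filtering.  All config text below is
constructed for illustration.
"""
import re

# Constructed "as found" config: only the outside interface has an inbound ACL.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
"""

# Constructed deny-all counterpart: explicit egress ACLs on inside and dmz.
# Only the listed flows may leave; everything else is dropped and logged.
HARDENED_CONFIG = SAMPLE_CONFIG + """\
access-list INSIDE_OUT extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list INSIDE_OUT extended permit udp 10.0.0.0 255.255.255.0 host 10.0.1.53 eq 53
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
access-list DMZ_OUT extended permit udp host 192.0.2.10 host 10.0.1.53 eq 53
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface dmz
"""


def parse_interfaces(config):
    """Return {nameif: security_level} from the 'interface' stanzas."""
    interfaces = {}
    name = level = None
    for line in config.splitlines():
        if re.match(r"^interface\s", line):
            if name is not None and level is not None:
                interfaces[name] = level
            name = level = None
            continue
        m = re.match(r"^\s+nameif\s+(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"^\s+security-level\s+(\d+)", line)
        if m:
            level = int(m.group(1))
    if name is not None and level is not None:
        interfaces[name] = level
    return interfaces


def parse_inbound_acls(config):
    """Return {interface: acl_name} for every 'access-group NAME in interface IF'."""
    pattern = r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)"
    return {m.group(2): m.group(1) for m in re.finditer(pattern, config, re.M)}


def implicit_allow_report(config):
    """Map each interface lacking an inbound ACL to the sorted list of
    lower-security interfaces its hosts can reach unfiltered.

    Interfaces with nothing below them (e.g. outside at level 0) are omitted,
    since the implicit permit gives them nothing to reach.
    """
    ifaces = parse_interfaces(config)
    acls = parse_inbound_acls(config)
    report = {}
    for name, level in ifaces.items():
        if name in acls:
            continue
        lower = sorted(n for n, lvl in ifaces.items() if lvl < level)
        if lower:
            report[name] = lower
    return report


if __name__ == "__main__":
    for label, cfg in (("as found", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {implicit_allow_report(cfg) or 'no implicit-permit interfaces'}")
```

Run against a saved `show running-config`, the report names every internal segment whose hosts can open arbitrary outbound connections, which is exactly the condition that lets a botted workstation reach its controller unnoticed; an empty report for the hardened config shows the deny-all stance from the SANS snippet applied at the firewall.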