I think this came out yesterday. Amongst other recommendations are these:

SANS Top-20 2007 Security Risks (2007 Annual Update)

Z1.4. How to Protect against the vulnerabilities

Protecting against zero day vulnerability exploitation is a matter of great
concern for most system administrators. To reduce the impact of a zero day
attack, follow best business practices such as:

* Adopt a deny-all stance on firewalls and perimeter devices that protect
internal networks
* Separate public-facing servers from internal systems

Sigh. Do you think anyone will start listening yet?

Patrick M. Hausen wrote:
> E.g. does PIX still have these implied rules that say: if I
> configure port X from here to there, this automatically implies
> the same access to all interfaces with a lower security level than
> 'there'? This is the case in 6.x - now, whoever at Cisco came
> up with this concept should be shot.
> I have not looked at 7.x or ASA, yet.

Patrick, I've been wondering the same thing. I have customers with ASA and
they still seem to have an allow-all default (judging from the number of
them I've run across that are actively botted).
I would like to confirm if the ASA still has the default allow-all outbound

firewall-wizards mailing list
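For reference, here is what the SANS "deny-all stance" looks like applied to outbound traffic on an ASA, since the question above is about the inside-to-outside default. This is an added example written for this reply, not configuration from the SANS document, from Cisco, or from the poster's customers; the interface names, the 10.0.0.0/24 inside network, the 192.168.100.0/24 DMZ and the host addresses are made up. Whatever the box does with no ACL on the inside interface, once an access-group is bound there only the listed permits pass and everything else falls through to the ACL's implicit deny.

```cisco
! Explicit outbound policy for the inside interface (example, not a vendor default).
! Assumed addressing: inside = 10.0.0.0/24, DMZ = 192.168.100.0/24,
! internal resolver = 10.0.0.53, DMZ mail relay = 192.168.100.25.
!
! Web browsing from the inside network only.
access-list INSIDE_OUT extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list INSIDE_OUT extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
!
! DNS only to the internal resolver; clients must not resolve directly on the Internet.
access-list INSIDE_OUT extended permit udp 10.0.0.0 255.255.255.0 host 10.0.0.53 eq 53
access-list INSIDE_OUT extended permit tcp 10.0.0.0 255.255.255.0 host 10.0.0.53 eq 53
!
! Mail leaves only through the DMZ relay, never straight out on port 25.
access-list INSIDE_OUT extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.100.25 eq 25
!
! The ACL already ends in an implicit deny; this explicit line exists so that
! hits are logged, which is how you notice a botted host trying to reach C&C.
access-list INSIDE_OUT extended deny ip any any log
!
! Bind the list to traffic arriving on the inside interface.
access-group INSIDE_OUT in interface inside
```

One caveat that bites people coming from the implied-rules world Patrick describes: an ACL bound "in" on the inside interface is evaluated for everything entering that interface, whether it is headed for the outside or for the DMZ. So the DMZ permits (the resolver and the mail relay above) have to live in this same list; a separate "inside to DMZ" list is not consulted for that traffic, and anything not listed is dropped in both directions of lower security.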