OS of choice should be the one that is best understood by the individuals
supporting the firewall - anything else adds risk. Whatever platform is used, it
should be hardened unless the base system is a black box (e.g. Nokia
appliance).
Do not run any non-firewall-type services on the firewall - DNS is only one
of a number that can be compromised.
Test any changes offline before applying.
Use IDS to back up the firewall.
Have procedures to ensure that logs are reviewed and actions taken as
appropriate (once a week is not good enough!!).
No doubt there are more...
Jim
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Ivan Fox
Sent: Saturday, 19 August 2000 2:04 a.m.
To: fw1-wizards; Firewall-1
Subject: [FW1] Best Practices for managing firewalls
I did a search on the subject using yahoo and hotbot, there were only 3
entries pertaining to it hosted by securityportal.com.
I need to compile a list of best practices for managing firewalls for
internal use. I will send the compiled list to whoever contributed their
idea/suggestions/comments.
The following is what I have at the moment for Check Point:
1) The OS of choice for Check Point is Solaris for performance and less
vulnerability
2) If NT is used, it should be hardened. Guidelines can be found on
www.phoneboy.com or www.deathstar.ch.
3) Regardless of OS, apply the current patches.
4) Do not run DNS on the firewall device. If it is absolutely necessary,
run it as a secondary DNS.
5) Do not run an anti-virus program on the firewall device.
6) Deploy fail-over/high availability.
7) Changes to firewall rules must be approved by the info-security team, if
any. It should not be the same one in the same team/department.
8) If the service (port) requested is not a "standard" one, check whether it is
a trojan port on Simovits' http://www.simovits.com/nyheter9902.html site.
Thanks,
Ivan
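A check for the "no non-firewall services on the firewall" point made in both messages above (Jim's list and Ivan's item 4), added here as an example and not part of either post: it parses `netstat -an`-style output from the firewall host and reports every listening socket that is not on an allow-list of the firewall's own ports. The allow-list (SSH plus the FW-1 control, log and topology ports and ISAKMP) and the sample netstat output are the editor's assumptions, constructed for the example and not taken from the thread.

```python
import re
from typing import Dict, List, Tuple

# Assumed allow-list for a dedicated Check Point FW-1 host: the firewall's own
# control/log/topology listeners plus SSH for management. This is an assumption
# made for the example; adjust it to what your firewall actually needs.
FIREWALL_ONLY_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "ssh (remote management)",
    ("tcp", 256): "FW1 (control)",
    ("tcp", 257): "FW1_log",
    ("tcp", 264): "FW1_topo",
    ("udp", 500): "isakmp (VPN key exchange)",
}

# Hints for well-known services that do not belong on a firewall host
# (DNS is the one the thread calls out; the rest are the usual suspects).
KNOWN_NON_FIREWALL: Dict[int, str] = {
    21: "ftp", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
    111: "sunrpc", 139: "netbios-ssn", 143: "imap", 161: "snmp",
}

# Constructed sample of Unix-style `netstat -an` output (not captured from a
# real host): a firewall that is also running SMTP and a DNS server.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:256             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:257             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:264             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.99:41022         ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:500             0.0.0.0:*
"""

# proto, recv-q, send-q, local, foreign, optional state (UDP lines have none)
_LINE = re.compile(r"^(tcp|udp)\S*\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


def parse_listeners(netstat_output: str) -> List[Tuple[str, int]]:
    """Return (proto, port) for every socket that accepts traffic: TCP sockets
    in LISTEN state and every bound UDP socket (UDP carries no state column)."""
    listeners = set()
    for line in netstat_output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header line, unix-domain sockets, etc.
        proto, local, _foreign, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue  # established/time-wait connections are not listeners
        port = int(local.rsplit(":", 1)[1])
        listeners.add((proto, port))
    return sorted(listeners)


def audit_listeners(netstat_output: str,
                    allowed: Dict[Tuple[str, int], str] = FIREWALL_ONLY_PORTS
                    ) -> List[Tuple[str, int, str]]:
    """Return every listener not on the allow-list as (proto, port, hint)."""
    findings = []
    for proto, port in parse_listeners(netstat_output):
        if (proto, port) in allowed:
            continue
        findings.append((proto, port, KNOWN_NON_FIREWALL.get(port, "unknown")))
    return findings


if __name__ == "__main__":
    for proto, port, hint in audit_listeners(SAMPLE_NETSTAT):
        print(f"REMOVE: {proto}/{port} ({hint}) is listening on the firewall")
```

Run it against the real output of `netstat -an` on the firewall after every change and on a schedule; anything it reports that is not on the allow-list should be shut down rather than added to the list. The regex assumes the Unix/Solaris-style column layout; NT's `netstat -an` prints `TCP 0.0.0.0:25 0.0.0.0:0 LISTENING` and needs its own pattern.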
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================