How about the use of a strong written security policy with senior management buy-in
(always a difficult one, making them understand) which backs up the
configuration of the Firewall itself, regardless of platform.
Also a proper change control procedure, with the bare minimum of Admins having
access to the Firewall (preferably one or two), and a process for regular
password modifications (for admins and users).
I keep the Admin passwords in a signed and sealed envelope in the firesafe, along
with configuration documents etc., off-site in case something nasty happens to me.
A good support contract with hardware replacement is essential if you do not
have spare boxes that can easily be brought in in the event of a failure.

I am sure there is more.....

Cheers

Mike


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Ivan Fox
Sent: Saturday, 19 August 2000 2:04 a.m.
To: fw1-wizards; Firewall-1
Subject: [FW1] Best Practices for managing firewalls



I did a search on the subject using Yahoo and HotBot; there were only 3
entries pertaining to it, hosted by securityportal.com.

I need to compile a list of best practices for managing firewalls for
internal use.  I will send the compiled list to whoever contributed their
idea/suggestions/comments.

The following is what I have at the moment for Check Point:

1) The OS of choice for Check Point is Solaris, for performance and less
vulnerability.
2) If NT is used, it should be hardened.  Guidelines can be found on
www.phoneboy.com or www.deathstar.ch.
3) Regardless of OS, apply the current patches.
4) Do not run DNS on the firewall device.  If it is absolutely necessary,
run it as a secondary DNS.
5) Do not run an anti-virus program on the firewall device.
6) Deploy fail-over/high availability.
7) Changes to firewall rules must be approved by the info-security team, if
there is one.  It should not be the same person in the same team/department.
8) If the service (port) requested is not a "standard" one, check whether it is a
trojan port on Simovits' site: http://www.simovits.com/nyheter9902.html

Thanks,

Ivan




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
