Best IT Blog

Sample Excel – PIX Firewall Peer Review Log

Posted in Firewalls, Sample - IT Spreadsheets - PowerPoints by Guest on January 22nd, 2015


Sample Word – PGP Deployment Guidelines

Posted in Firewalls, Projects, Security by Guest on November 7th, 2014

Sample Excel – VPN Questions


Sample WatchGuard Option Profile — Additional Options

Posted in Firewalls, Networking, Security by Guest on January 28th, 2014

There are additional options that affect how the service performs host discovery for maps and scans and how the service interacts with your firewall and IPS/IDS configuration. These options appear on the Additional tab when you create or edit an option profile.

The initial settings are best practice in most cases and should only be customized under special circumstances. Changing the Host Discovery setting, for example, may leave live hosts undetected, and an undetected host is never scanned for vulnerabilities.

To customize additional options, create a new option profile or edit an existing profile. Then apply the customized profile to on-demand or scheduled map and scan tasks.

Host Discovery
Specify which probes are sent and which ports are scanned during host discovery. This option affects both map and scan tasks. The service probes every target host with ICMP, TCP and UDP packets and analyzes the replies to determine which hosts are "alive".
Note that by changing the default settings the service may not detect all live hosts, and hosts that go undetected cannot be scanned for vulnerabilities. Customize these settings only under special circumstances: for example, to add ports that are not in the Standard port list, to remove probes that would trigger your firewall/IDS, or to discover only hosts that answer an ICMP ping.
Initial settings: TCP & UDP – Standard Scan, ICMP – Enabled

Blocked Resources
Specify ports that are blocked and IP addresses that are protected by your firewall/IDS. This option only affects scan tasks. If the scanning traffic triggers your IDS, the scanner will likely be blocked and cannot continue its search for vulnerabilities on your network, so the service needs to know which IPs are protected and which ports are blocked in order to avoid triggering the IDS.
Optionally, if a host should not be scanned at all, add its IP address to the excluded hosts list. No scanning traffic, including ICMP, TCP and UDP probes, is sent to excluded hosts. The list is configured on the Excluded Hosts Setup page (Setup > Excluded Hosts).
Another way to let the scanning engine probe your network without triggering your firewall/IDS is to add the scanner IP addresses to your firewall/IDS configuration as a white list or exception list. If you are using WatchGuard, add the scanner IP addresses to the "Blocked Sites Exception" list; this list is configured in the System Configuration for the WatchGuard Firebox Vclass series and in the Policy Manager for the WatchGuard Firebox System series. Refer to your firewall/IDS documentation for how to configure an exceptions list. The current list of IP addresses for the service's external scanners is on the About page (Help > About).
Note that the "WatchGuard default blocked ports" option applies only to the WatchGuard Firebox System series, and is not needed if the scanner IP addresses have been added to the WatchGuard exception list.
Initial setting: Disabled

Ignore RST packets
Some filtering devices, such as firewalls, can make a host appear "alive" when it is not by sending TCP Reset packets with the host's IP address as the source. When enabled, all TCP Reset packets are ignored for scan tasks, and TCP Reset packets generated by a filtering device are ignored for map tasks. In other words, a host is not reported as "alive" if the only responses from it are TCP Resets that appear to originate from a filtering device.
Initial setting: Disabled

Ignore firewall-generated SYN-ACK packets
Some filtering devices, such as firewalls, can make a host appear "alive" when it is not by sending TCP SYN-ACK packets with the host's IP address as the source. When enabled, the service attempts to determine whether SYN-ACK packets were generated by a filtering device and ignores all SYN-ACKs that appear to originate from such a device.
Initial setting: Disabled

Do not send ACK or SYN-ACK packets during host discovery
Some firewalls are configured to log an event when they receive out-of-state TCP packets, i.e. packets that are not SYNs and do not belong to an existing TCP session. If your firewall is configured this way and you do not want such events logged, enable this option to stop the service from sending out-of-state ACK and SYN-ACK packets during host discovery for map and scan tasks. If you also enable "Perform 3-way handshake" on the Scan tab, that option takes precedence and this one is ignored.
Initial setting: Disabled
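
The host-discovery behaviour behind the three TCP-related options above can be made concrete. The following Python is an added example written for this page, not the scanning service's code. The rule it uses to attribute RST and SYN-ACK replies to a filtering device (one TTL value shared by many addresses that is inconsistent with those hosts' own ICMP echo replies) is an assumption standing in for whatever heuristic the service applies, and the captured replies it works on are constructed.

```python
"""Host-discovery decision over captured probe replies (added example).

Models how the options above change which hosts are reported alive:
which probe kinds count, "Ignore RST packets" (all RSTs for scan tasks,
filter-attributed RSTs for map tasks) and "Ignore firewall-generated
SYN-ACK packets". The attribution heuristic is an assumption, not the
scanning service's own algorithm; the capture below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    host: str   # address the reply claims to come from
    kind: str   # "icmp" (echo reply), "synack", "rst" or "udp"
    ttl: int    # IP TTL observed on the reply


@dataclass
class Options:
    probes: frozenset = frozenset({"icmp", "synack", "rst", "udp"})  # Host Discovery probes
    ignore_rst: bool = False          # "Ignore RST packets"
    ignore_fw_synack: bool = False    # "Ignore firewall-generated SYN-ACK packets"


def filter_generated(replies, kind, min_hosts=3):
    """Replies of `kind` attributed to an in-path filtering device.

    Assumed heuristic: a filter answering for many addresses stamps every
    reply with its own TTL, so one TTL value shows up for `min_hosts` or
    more distinct addresses, and at least one of those addresses also sent
    a genuine ICMP echo reply carrying a different TTL.
    """
    hosts_by_ttl = defaultdict(set)
    icmp_ttl = defaultdict(set)
    for r in replies:
        if r.kind == kind:
            hosts_by_ttl[r.ttl].add(r.host)
        elif r.kind == "icmp":
            icmp_ttl[r.host].add(r.ttl)
    flagged = set()
    for ttl, hosts in hosts_by_ttl.items():
        suspicious = len(hosts) >= min_hosts and any(
            icmp_ttl[h] and ttl not in icmp_ttl[h] for h in hosts)
        if suspicious:
            flagged.update(r for r in replies if r.kind == kind and r.ttl == ttl)
    return flagged


def live_hosts(replies, opts, task="scan"):
    """Sorted list of hosts considered alive under the given options."""
    ignored = set()
    if opts.ignore_rst:
        if task == "scan":
            ignored.update(r for r in replies if r.kind == "rst")
        else:  # map task: only RSTs that look filter-generated
            ignored.update(filter_generated(replies, "rst"))
    if opts.ignore_fw_synack:
        ignored.update(filter_generated(replies, "synack"))
    return sorted({r.host for r in replies
                   if r.kind in opts.probes and r not in ignored})


# Constructed capture: 10.0.0.5 is a real host (TTL 61 on its own replies).
# .6-.8 are unused addresses; a firewall at TTL 253 answers RST and SYN-ACK
# for them, and also for the filtered ports of .5.
SAMPLE = [
    Reply("10.0.0.5", "icmp", 61), Reply("10.0.0.5", "synack", 61),
    Reply("10.0.0.5", "rst", 253), Reply("10.0.0.5", "synack", 253),
    Reply("10.0.0.6", "rst", 253), Reply("10.0.0.6", "synack", 253),
    Reply("10.0.0.7", "rst", 253), Reply("10.0.0.7", "synack", 253),
    Reply("10.0.0.8", "rst", 253), Reply("10.0.0.8", "synack", 253),
]

if __name__ == "__main__":
    print("defaults:      ", live_hosts(SAMPLE, Options()))
    print("ignore RST:    ", live_hosts(SAMPLE, Options(ignore_rst=True)))
    print("RST + SYN-ACK: ", live_hosts(SAMPLE, Options(ignore_rst=True, ignore_fw_synack=True)))
    print("ICMP only:     ", live_hosts(SAMPLE, Options(probes=frozenset({"icmp"}))))
```

With the defaults the firewall's spoofed replies make four hosts look alive, and ignoring RSTs alone changes nothing because the spoofed SYN-ACKs still count. With both ignore options on, only the host whose replies carry consistent TTLs survives. That is also the trade-off the Host Discovery note warns about: a real host whose only replies reached the scanner through the filter would be dropped along with the phantoms.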

SPLAT – Nokia Appliances IP / IPSO Security Configuration Standards


This document provides standards for the configuration of Nokia IP Security Appliances. These standards provide continuity across the enterprise for all Nokia appliances.


Nokia IP Security Appliances are purpose-built security devices, deployed at strategic locations throughout Corporate Security to run Check Point Firewall-1. These appliances run a hardened operating system called IPSO, which is a derivative of FreeBSD Unix. It is important to note that some configuration items are device dependent because of differences between the Nokia models.

Interface Configuration

Each interface that is configured will:

  • Have Link Speed and Duplex Hardcoded
  • Have Autoadvertise and Flow Control disabled

Each interface that is not configured will:

  • Be disabled in the physical and logical configurations 


Static ARP configuration will be network design dependent.

Transparent Mode/Link Aggregation/FWVPN Tunnels

  • Not Configured 

System Configuration

  • Not Configured 

Disk Mirroring

Device dependent: disk-based systems with two hard drives will have disk mirroring configured.

Optional Disk

Device dependent: flash-based systems that are purchased with a hard drive will be configured in Hybrid mode with the Optional Disk parameter.

System Failure Notification/Mail Relay

  • Not Configured 


Time and Date

  • All Corporate Security devices are set to GMT

Host Address

The Host Address will be set to the Management interface of the firewall. 

System Logging

Network Logging:

  • Set to On
  • Primary Log Server: XXX.XXX.XXX.XXX
  • Threshold: 0%

Local Logging

  • Set to Off
  • Flush Frequency: 4 Hours 

System Configuration Audit Logs

  • Logging of Transient and Permanent Changes 

System Voyager Audit Logs

  • Enabled 

Core Dump Server

  • Not Configured 


Hostname

The hostname is configured as part of the initial setup and should not be changed.

Configuration Sets

Left to default configuration of “initial” 

Job Scheduler

A cron job called Delete_Old_Backups is set to run on the 6th day of each week at 23:00.


Backup and Restore

A backup of the default directories, /config and /var/cron, is set to run on the 6th day of each week at 23:15.


IPSO Images

  • Only one IPSO image will be kept on the system


Packages

  • Only the Check Point and CPInfo packages will be enabled


Authentication

Authentication of users will be facilitated by the following RADIUS servers:



SNMP v1/v2/v3

Read Only Community String: U4Ria$a

  • Trap Receiver: XXX.XXX.XXX.XXX 

Trap Community String: $Shadow!r3m0N


  • Enable linkUp/linkDown traps
  • Enable systemTrapConfigurationChange traps
  • Enable systemTrapConfigurationFileChange traps
  • Enable systemTrapConfigurationSaveChange traps
  • Enable systemTrapNoDiskSpace traps
  • Enable systemTrapDiskFailure traps
  • Enable vrrpTrapNewMaster traps
  • Enable systemFanFailure traps
  • Enable systemOverTemperature traps
  • Enable Authorization traps 

High availability


VRRP will be configured using Legacy Mode.

  • Accept Connections to VRRP IPs: Enabled
  • Monitor Firewall State: Enabled
  • Each Clustered Interface will be set as a Monitored Circuit
  • Priority: 100 & 95 on the Primary and Secondary respectively
  • Hello Interval 1
  • VMAC Mode: VRRP
  • Preempt Mode: Enabled
  • Each Cluster Interface will be monitored by all other Cluster Interfaces
  • Priority Delta 10
  • Auto-deactivation: Disabled
  • Authentication: Simple
  • Password:  Firewall Name.Interface Name 

Security and Access


The following accounts will be created on each firewall:

  • Fwbackup (used to pull system backup files)
  • User1
  • User2
  • User3
  • User4 – 8

Network Access and Services

  • The only Network Access that is enabled is “Allow Admin Network Login”
  • All Services are Disabled 

Voyager Web Access

  • Voyager Web Access is set to "Require 128 Bit Encryption or Higher"
  • Encryption uses a self-signed 1024-bit X.509 certificate


SSH

  • SSH is enabled to allow SSH v2 only


Routing

  • All routing configuration will be network design dependent.

Traffic Management

  • Not Configured 

Router Services

  • Router Services will be network design dependent


NTP Masters are:

  • XXX.XXX.XXX.XXX
  • XXX.XXX.XXX.XXX



Sample – Partial Personal Firewall Standard

Posted in Compliances, Firewalls, Networking by Guest on April 25th, 2013

IT Client Computing will install the IT-approved antivirus software on all workstations, laptop computers and mobile computing devices that access the Corporate network or confidential data, where antivirus software is available. The antivirus deployment will meet the following requirements:

  • All desktops and laptops are required to have a malware/spyware application installed and maintained by corporate (McAfee, Symantec, Trend, AVG, etc.)
  • General user access on the local host should be restricted to non-administrative accounts to prevent configuration changes and unauthorized software installs/uninstalls
  • Virus signatures and program updates must be applied at least once each day;
  • Malware signature and program updates are recorded centrally so that it is known when updates were installed;
  • Antivirus logs are verified to be generated and captured centrally to identify potential threats;
  • The antivirus program is confirmed to perform a comprehensive scan of removable media when it is inserted; and
  • If IT-approved antivirus software is not available, the system owner is responsible for deploying a mitigating control and obtaining approval from the Manager, Security Architecture & Security Assessment Center.

Malware protection will include the following systems administration controls:

  • All remote or third party systems will be checked for effective malware protection prior to allowing access to Corporate systems, network, or confidential data.
  • The examination of electronic mail attachments, data, and software downloads for malicious code before use on corporate systems.
  • Procedures for users of systems and data to report known malicious software and requirements to prohibit users from disabling malware protection systems. 

Provide user training and awareness to include:

  • Identification of malicious software.
  • Reporting of malicious software.
  • Effective use of antivirus software.
  • Procedures to avoid downloading or receiving malicious software.

Personal firewall requirements:

  • Any workstation or laptop computer (including third-party systems) connecting to the Corporate network must have a personal firewall implemented in accordance with the Malware and End Point Protection Standard.
  • Laptop personal firewalls must be configured to deny all inbound connections, with the only exception being authorized encrypted network protocols used for authorized remote support.
  • Personal firewalls must be configured to restrict inbound and outbound traffic at a minimum of the medium protection level.
  • Personal firewalls must be configured to generate and retain audit logs.

No unauthorized applications are to be installed on desktops or laptops for any reason unless explicit permission is granted by the Information Security team.

