On Wed, Oct 5, 2011 at 3:16 PM, Green, Timothy <Timothy.Green@mantech.com> wrote:
1. Should config files be consistent? By this I mean: does the STIG apply its baseline to the config files or elsewhere?
Hi Timothy,
STIGs are a DoD thing. http://iase.disa.mil/stigs/. They're not particularly relevant to public Internet operations. In a few cases they're not particularly sane. (Manually install the latest bleeding edge version of OpenSSL whose bugs have not yet been found and whose API is incompatible with every linked app in the OS? Really?)
2. Are config file change alerts necessary for the security of network equipment? We have just purchased the SolarWinds suite.
Depends on the configuration. If it's one that rarely changes, it's not a bad idea. But don't saturate yourself with alerts or you'll misinterpret or ignore the important ones.
3. Should we obfuscate our Private addresses on our Network Diagram? What is the common practice?
It depends. My personal predilection is that IP addresses belong in configurations, while explanation and structure belong on network diagrams, so I rarely reach the question of whether there's also security value in removing the IP addresses from the pretty pictures.
4. How can I get a grip on my ACLs or is it even possible? How do you all maintain them without going insane!
Simplify. Don't overdo it. Do you really need ACLs for 100 popular trojan horse TCP ports? The 500 outbound port whitelist? If your security is so complex you can't understand it then it almost certainly isn't secure. If you have a particular subsystem with special needs, it never hurts to give it its own firewall so you can strip the related complexity from your main firewall.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004