[unisog] Is anyone using the Cisco FWSM - auditing

Michael Holstein michael.holstein at csuohio.edu
Wed Jul 6 15:59:28 GMT 2005


> Could any network engineer with the enable password make changes to FWSM
> policies?

Unless you use the 'privilege' command to restrict it, yes.
Note that the FWSM and the switch it resides in are separate devices.

> Could FWSM access be delegated only to specific users.

Of course. See above.

> I am concerned that ~networks team could make changes without following
> proper change controls.

Ahh .. you've encountered the 8th layer of the OSI model .. POLITICAL.
You might make the argument that networking has no need to control the 
ACLs in the firewall .. only the interfaces and their IP/VLAN.
You can do this with the 'privilege' command.

> What's the best policy management tool?

Unfortunately, there isn't even a 'really good' one. VMS tries to fit 
the bill, but like the rest of Ciscoworks, it's still a *lot* more 
cumbersome than the CLI.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
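As an added illustration of the split Michael describes above (networking keeps the interfaces and their IP/VLAN assignments, the firewall team keeps the ACLs), the following configuration fragment is not from the original post; it is an example written for this page. It assumes FWSM 3.x-style `privilege` syntax (on FWSM 2.x the keyword is `configure` rather than `cmd`), and the usernames, passwords and the choice of level 5 are placeholders. Check the command names against the `privilege` documentation for the FWSM release actually in use before relying on it.

```text
! --- Added example, not from the original post. FWSM 3.x-style syntax assumed. ---
! Authenticate and authorize every command against the local user database
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL

! Level 5 = network team (interface/IP/VLAN only). Level 15 = firewall team.
! Passwords below are placeholders.
username netops  password N3tw0rk-Placeholder  privilege 5
username fwadmin password F1rewall-Placeholder privilege 15
enable password En4ble-L5-Placeholder level 5

! Lower the interface-related commands to level 5 so netops can work on them
privilege cmd  level 5 mode cmd command interface
privilege show level 5 command interface
privilege show level 5 command running-config

! Keep ACL definition and binding at level 15 (the default), so a level-5
! login can neither view nor change the firewall policy
privilege cmd  level 15 mode cmd command access-list
privilege cmd  level 15 mode cmd command access-group
privilege show level 15 command access-list
```

With `aaa authorization command LOCAL` in place, a level-5 user who types `access-list ...` is refused rather than silently allowed, and `show running-config` only returns the commands at or below the user's level. This addresses the technical half of the concern; the change-control (political) half still has to be settled outside the box, as the reply notes.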
