Benchmark for Cisco PIX, Level 1 and 2 Benchmarks

Name: Benchmark for Cisco PIX, Level 1 and 2 Benchmarks
Version: Version 1.0
Status: Final
Creation Date: 2004-09-07
Revision Date: 2004-09-07
Product Category: Firewall
Vendor: Cisco Systems
Product: Cisco PIX
Product Version: Cisco PIX version 6.1 and later
Product Role: Firewall
Checklist Summary: This document defines a set of benchmarks or standards for securing Cisco PIX firewalls. The benchmark is an industry consensus of current best practices. It lists actions to be taken as well as reasons for those actions. It is intended to provide step-by-step guidance to front line system and network administrators. It may be used manually by itself or in conjunction with automated scoring tools. It contains Level-I and Level-II benchmark settings/actions. Level-I Benchmarks specify the prudent level of minimum due care, and are unlikely to cause an interruption of service to the operating system or the applications that run on it. Level-II Benchmarks provide prudent security beyond the minimum level, and are of the greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the operating systems and applications running in their particular environments.
Known Issues: Sections 2 and 3 contain warnings and explanations of the possible effects of particular settings. Readers should study this information, and complete the Audit Checklist in section D, before implementing any of the actions in sections 2 and 3. Many security actions can disable or otherwise interfere with the function or performance of software on your system, particularly applications. Note also that many of the actions in sections 2 and 3 are conditional: they apply only in certain situations.
Target Audience: This benchmark assumes that the person applying the recommendations
 - May or may not be an expert in networking or configuring the device.
 - Is authorized to log in to the device and enable administrative privileges.
 - Is able to enter basic configuration commands.
 - Understands the business critical functions of the systems being secured.
 - Understands local policies.
 - Is capable of evaluating the potential impact of recommended changes on both function and policy.
Target Operational Environment: Enterprise
Checklist Installation Tools: Not Available.
Rollback Capability: Not Available.
Testing Information: Not Available.
NIAP/CMVP Status:
Regulatory Compliance:
Comments, Warnings, Disclaimer, Miscellaneous: Refer to Known Issues.
Disclaimer: Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations "as is" and "as available" without representations, warranties or covenants of any kind.
Product Support:
Submitting Organization/Authors: The Center for Internet Security (CIS)
Point of Contact: rat-feedback@cisecurity.org
Sponsor:
Licensing:
 - Commercial use license
 - EDUCAUSE Member license
 - US Federal, state and local government agency license

Checklist Homepage: http://www.cisecurity.org/
Download Package: http://www.cisecurity.org/sub_form.html
Integrity:
 sha1 (cisco-pix-benchmark.pdf) = c834971c0fe60043471abfa2bbdc255f564f4177
 sha256 (cisco-pix-benchmark.pdf) = fe86b4dfa04c73cc8aa8f05ec3b4f0befe4cfcf23801f7201227de8581978891
Change History: Version 1.0: 2004-09-07
Dependency/Requirement:
References:
 - Greg Bastien and Christian Degu, CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Cisco Press, 2003.
 - George M. Jones et al., The Router Audit Tool and Benchmark, Center for Internet Security, 2002. http://www.cisecurity.org
 - Elizabeth D. Zwicky, Simon Cooper and D. Brent Chapman, Building Internet Firewalls, O'Reilly and Associates, 2000. http://www.ora.com/catalog/fire2/
 - Cisco Systems, Cisco PIX Firewall Command Reference, Version 6.3, Cisco Systems, 2003. http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/
 - Cisco Systems, Cisco PIX Firewall and VPN Configuration Guide, Version 6.3, Cisco Systems, 2003. http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/
NIST Identifier: 1045



NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.

Last updated: May 31, 2005
Page created: October 28, 2004
