
CIS Cisco ASA 9.x Firewall Benchmark v1.1.0 Checklist Details

Supporting Resources:

Target:

Target (CPE Name):

  • Cisco Firewall Services Module (cpe:/h:cisco:firewall_services_module)
  • Cisco PIX 500 Security Appliance (cpe:/h:cisco:pix_500)
  • Cisco PIX 506E Firewall Security Appliance (cpe:/h:cisco:pix_firewall_506)
  • Cisco PIX 515E Firewall Security Appliance (cpe:/h:cisco:pix_firewall_515e)
  • Cisco PIX ASA (cpe:/h:cisco:pix_asa)
  • Cisco PIX Firewall 501 (cpe:/h:cisco:pix_firewall_501)
  • Cisco PIX Firewall 506 (cpe:/h:cisco:pix_firewall_506)
  • Cisco PIX Firewall 515 (cpe:/h:cisco:pix_firewall_515)
  • Cisco PIX Firewall 520 (cpe:/h:cisco:pix_firewall_520)
  • Cisco PIX Firewall 525 (cpe:/h:cisco:pix_firewall_525)
  • Cisco PIX Firewall 535 (cpe:/h:cisco:pix_firewall_535)

Checklist Highlights

Checklist Name:
CIS Cisco ASA 9.x Firewall Benchmark
Checklist ID:
29
Version:
v1.1.0
Type:
Compliance
Review Status:
Final
Authority:
Third Party: Center for Internet Security (CIS)
Original Publication Date:
12/30/2010

Checklist Summary:

This document defines a set of benchmarks or standards for securing Cisco PIX firewalls. The benchmark is an industry consensus of current best practices. It lists actions to be taken as well as reasons for those actions. It is intended to provide step-by-step guidance to front line system and network administrators. It may be used manually by itself or in conjunction with automated scoring tools. It contains Level-I and Level-II benchmark settings/actions. Level-I Benchmarks specify the prudent level of minimum due care, and are unlikely to cause an interruption of service to the operating system or the applications that run on it. Level-II Benchmarks provide prudent security beyond the minimum level, and are of the greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the operating systems and applications running in their particular environments.

Checklist Role:

  • Enterprise Firewall

Known Issues:

Sections 2 and 3 contain warnings and explanations of the possible effects of particular settings. Readers should study this information, as well as completing the Audit Checklist in section D, before implementing any of the actions in sections 2 and 3. Many security actions can disable or otherwise interfere with the function or performance of software on your system, particularly applications. Note also that many of the actions in sections 2 and 3 are conditional. They only apply in certain situations.

Target Audience:

This benchmark assumes that the person applying the recommendations:

  • May or may not be an expert in networking or configuring the device.
  • Is authorized to log in to the device and enable administrative privileges.
  • Is able to enter basic configuration commands.
  • Understands the business critical functions of the systems being secured.
  • Understands local policies.
  • Is capable of evaluating the potential impact of recommended changes on both function and policy.

Target Operational Environment:

  • Managed

Testing Information:

Not provided.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Refer to Known Issues.

Disclaimer:

Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a quick fix for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations as is and as available without representations, warranties or covenants of any kind.

Product Support:

Not provided.

Point of Contact:

rat-feedback@cisecurity.org

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Updated URL - 7/26/19
Updated benchmark per CIS - 2/21/24

Dependency/Requirements:

Not provided.

References:

Not provided.

NIST checklist record last modified on 02/21/2024