Peculiar Cloud · Sample deliverable

Edge-firewall security review

The client asked a simple question: “does our firewall actually do what our compliance framework says it must?” The answer is a requirement-by-requirement review of the running configuration — pass, fail, or advisory, each backed by evidence from the device itself.

Document
Security review · findings
Scope
Edge firewall HA pair, running config
Client
Under NDA — data replaced
Result
16 findings · 6 fail · 7 advisory · 3 pass

A Canadian enterprise manufacturer Under NDA

01

At a glance

Fail

Denial-of-service protection

Client GRC requirement · 4 critical findings

Fail

FIPS 140 compliance

Cryptographic standards · 2 critical findings

Advisory

Security-policy best practices

Vendor hardening guidance · 4 advisories

02

The device and what it inspects

HA cluster
edge-fw-ha (active / standby)
Primary
edge-fw-01 — 10.20.30.11
Secondary
edge-fw-02 — 10.20.30.12
Hardware
Cisco Secure Firewall 3140
Software
FTD 7.6 · Snort 3
Deployment
Routed · 14 interfaces · managed by FMC
Security zones
8 — outside, DMZ, internal, plant OT, guest, partner, mgmt, sync
Access-control policy
corp-edge (287 access rules · 61 NAT rules)
Site-to-site VPN
9 peers — plants, DR site, partners
Uptime at assessment
43 days
Internet untrusted On-prem campus via IPsec firewall HA pair active / standby · routed fw-01 · active Snort 3 IPS · decryption fw-02 · standby config-synced DMZ / web tier published services Internal zone users · servers · plant OT + 6 more zones inspected floods pass unconstrained DOS-1/2/3/5 · no SYN-flood, ICMP, or volumetric limits
What the firewall does — and doesn't. IPS inspection (buffer-overflow protection) passed; the denial-of-service clauses failed, so flood traffic reaches the zones unconstrained. The red path is the requirement that isn't being met. Two of the eight security zones shown. Addresses replaced; structure real.
03

Denial-of-service protection

“The information system must protect against denial-of-service attacks including, at a minimum: ICMP floods, SYN floods, connection-exhaustion attacks, buffer-overflow exploits, and volumetric attacks.”

The client’s GRC framework states the requirement above. Each clause is assessed against the running configuration, not the intended one.

  • DOS-1

    SYN-flood protection (TCP Intercept)

    Fail

    TCP Intercept is explicitly disabled and no embryonic-connection limits are configured in the service policy. The firewall cannot detect or mitigate SYN floods in its current configuration.

    > show run all | include tcp-intercept
    no threat-detection statistics tcp-intercept
  • DOS-2

    ICMP-flood protection

    Fail

    No ICMP rate limiting exists in the service policy or access-control rules. ICMP inspection is active but performs protocol validation only — floods pass through unconstrained.

  • DOS-3

    Connection-exhaustion protection

    Fail

    The Threat Defense Service Policy contains zero rules: no per-client connection maximums, no embryonic limits, no timeout tuning. Attacks that hold connections open would not be mitigated.

  • DOS-4

    Buffer-overflow exploit protection

    Pass

    Snort 3 IPS with the “Balanced Security and Connectivity” base policy is applied on every Allow rule and the default action, with a decryption policy linked for encrypted-traffic inspection.

  • DOS-5

    Volumetric-attack protection

    Fail

    Threat detection runs in alerting mode only; no rate-limiting or enforcement acts on volumetric traffic. The requirement asks for protection, not detection.

  • DOS-6

    Port-scan handling

    Advisory

    Port-scan detection is enabled in Detection mode. Not required by the GRC statement, but converting to Prevention would automatically shun scanning hosts.

04

FIPS 140 compliance

  • FIPS-1

    FIPS mode

    Fail

    FIPS mode is disabled on the appliance. Without it, management and data-plane operations may negotiate non-validated cryptographic modules and algorithms.

    > show fips
    FIPS is currently disabled.
  • FIPS-2

    Common Criteria compliance mode

    Fail

    CC/UCAPL compliance is set to “None” in platform settings. Enabling it is a prerequisite for FIPS-compliant operation and enforces self-tests and algorithm restrictions.

  • FIPS-3

    Management TLS configuration

    Advisory

    Management access enforces TLS 1.2 minimum with FIPS-compatible key-exchange groups — but until FIPS mode is enabled, cipher negotiation is not restricted to approved algorithms.

  • FIPS-4

    Management certificate

    Advisory

    The management interface presents a default self-signed certificate. The signature algorithm is approved, but operational practice calls for a CA-signed certificate with real identity validation.

05

Security-policy best practices

Beyond the stated requirements: where the configuration diverges from vendor hardening guidance, and where it is already right.

  • BP-1

    IPS and malware event forwarding

    Advisory

    IPS and file/malware events are not forwarded to the SIEM — detections exist only in the management console, invisible to centralized monitoring and incident response.

  • BP-2

    Identity policy

    Advisory

    No identity policy is attached, so access-control rules cannot be user-aware. Per-user and per-group enforcement is unavailable until this is wired to the directory.

  • BP-3

    Encrypted visibility

    Advisory

    The encrypted-visibility engine is disabled. It fingerprints threats inside TLS without decryption and costs no measurable performance — enabling it is pure gain.

  • BP-4

    Prefilter policy

    Advisory

    The default prefilter policy is in use. Fastpathing trusted high-volume flows (backups, replication) through a custom policy would cut inspection-engine load and improve throughput.

  • BP-5

    Intelligent Application Bypass

    Pass

    Disabled — which is correct here: IAB skips inspection under load, the opposite of what a security-focused edge should do.

  • BP-6

    Threat-intelligence feeds

    Pass

    Threat Intelligence Director is enabled, integrating external feeds into detection.

06

What happens after the review

Every fail above became a line in a fixed remediation plan: the exact configuration change, the maintenance window it lands in, how it is validated, and how it rolls back. The full deliverable also includes that plan — findings without a path to green are just bad news, and that is not what we ship.

See the other sample: a cloud security review with the fixes as Terraform →

Want this for your environment?

Tell us what's going on. If we're a fit, you get a fixed scope and price in writing; if we're not, we'll say so.